Assuring Privacy Compliance
How do platforms ensure privacy compliance? What are the common processes and systems in place to do so? Platforms at all scales develop particular strategies, functions, and roles to assure privacy compliance across the organization. At a small to medium-sized organization, privacy compliance is primarily handled by legal counsel, with supporting infrastructure built across various parts of the organization so the work can scale. At a large company, dedicated functions (e.g., departments and divisions) and dedicated roles are a core part of how the company operates.
Privacy work at an organization can evolve in countless ways—it depends on the needs of the organization at the time. However, a common pathway might look like:
- Hiring outside legal counsel to draft the founding Privacy Policy document.
- Creating operations functions that handle the intake and processing of privacy-related reports and requests. This function can be situated within teams across legal operations, trust and safety, customer success, and other operational teams.
- Establishing an internal legal function through the hiring of a Chief Legal Officer and/or General Counsel. This counsel may begin to be involved in Product-focused work related to data use and retention, and may also be focused on developing a Legal Operations function.
- Hiring dedicated Privacy Counsel onto the Legal team. At this stage, data use and retention issues become a regular part of the organization's work, and Privacy Counsel is likely to be closely involved in engineering, product, and policy work in this area. They may begin to maintain and update the Privacy Policy on a more regular basis, and provide substantive input on content, product, and public policy work as well.
- Privacy-focused Policy teams often form soon after to guide product and engineering teams on a more regular cadence. These teams provide deep insight at the intersection of legal, policy, and broader considerations of what users may expect surrounding their privacy, and function as an advocate team reflecting public feedback surrounding privacy issues.
- The three core teams (Operations, Legal, Policy) expand under dedicated Legal executive leadership as organizational complexity grows. This leads to complex processes that eventually need dedicated management.
- Privacy Program Managers may then drive the auditing, evaluation, and approvals process across multiple stakeholders related to privacy matters. This can develop to the point where every single product and feature launch and update includes a privacy review and approval.
Challenges in Privacy Compliance
There are several common challenges privacy professionals face when carrying out privacy compliance work.
Initial and Ongoing Investment
Creating and operating a privacy compliance review process is costly for several reasons. The primary cost is staffing: internal privacy-focused staff are needed to carry out the legal review and the operational tasks involved in assessing privacy compliance issues in the products a company creates and the user data it retains. Because of this, dedicated privacy staff may not be feasible until the organization has grown enough to support this work.
Impact on Innovation and Development
Implementing privacy review processes may impact product release schedules and place strictures on what a product or feature seeks to accomplish. Such reviews are essential to mitigate risks related to legal compliance and judicious management of user data. However, implementing these review processes requires special care and sensitivity toward organizational goals.
Competing Legislative Priorities and Specificity
Privacy-related legislation and regulations around the world vary tremendously in scope, specificity, and application to particular industry contexts. Privacy teams face considerable complexity in assessing which regulations to prioritize, planning a compliance strategy that accounts for multiple regulations across the globe, and sometimes even supporting a response strategy against regulations that are ambiguous or overreaching. Privacy teams must also consider the importance of protecting users against repressive governments that may request PII which could lead to repression, human rights violations, or the diminishment of free speech. In this respect, political opponents, activists, journalists, and minorities are especially vulnerable.
Differences in Regulatory Enforcement Practices
There are tremendous variations in how regulators expect organizations to comply with privacy regulations. For example, GDPR requires certain organizations (public authorities, and organizations whose core activities involve large-scale systematic monitoring of individuals or large-scale processing of special categories of data) to appoint an independent Data Protection Officer who focuses on GDPR compliance issues. There are open questions about how to situate regulation-specific staff, and whether such staff should exist for other specific regulations or provide general support for regulations across the globe.
Fostering a Culture of Privacy
Commitments to privacy often go back to an organization’s mission and overall values. A collective commitment among employees to privacy issues can help facilitate important consideration of privacy-related questions. A commitment to privacy can also inform overall product strategy, organizational structure, and inclusion of privacy-specific functions within core workflows across the organization.