The record-setting privacy breach fines that we are seeing these days resulted from different points of failure – unauthorized data access by a third party, delay in applying a security patch, insufficient data security due diligence performed during a merger and acquisition, and many others. An operating model that is poorly designed or a misstep in executing some aspects of it can also lead to these failures. Oftentimes, companies that are penalized by regulators respond to the crisis by introducing structural changes to the way they manage privacy.  

Looking beyond the rush towards complying with the California Consumer Privacy Act (CCPA) by January 1, 2020, organizations have started revisiting their current operating models to validate that they are sustainable and can respond to more stringent or unique requirements anticipated from new privacy regulations within the U.S. and other regions.  

This four-part series can help privacy officers assess their current privacy program and be aware of options to realign the privacy functions and responsibilities within their organizations. The series also aims to help privacy officers answer the underlying question – does your current privacy operating model deliver value? 

The value that can be derived from a privacy operating model varies depending on who you ask. From the perspective of the individuals who entrust their personal data, the value is measured by how an organization is using the data for its intended purpose and keeping the data safe. On the other hand, what is valuable to organizations is how the use of the data can enhance their products and services while at the same time being respectful of individual rights.  

This blog post will explore the important elements that make a privacy operating model effective in delivering value. Part 2 discusses how organizations are responding to the evolving privacy regulatory landscape – complying to what is required versus broader and strategic program transformation.  

Part 3 covers shifting privacy responsibilities from the second line of defense to the first. We will also explore various role scenarios that can be assumed by Compliance, Legal, Chief Information Security Officer, Chief Customer Officer, Chief Data Officer, and others in providing overall privacy program oversight. We will conclude the series with a discussion on how organizations can tactically designate key privacy functions and responsibilities across the first and second lines of defense.  

So, what are the key characteristics of a privacy operating model that delivers value? There are three important elements: 

1. Confirming the desired objective of the privacy operating model – compliance versus broader transformation 

The operating model should drive the privacy value that the company has envisioned. Depending on the maturity of the privacy program and relevant circumstances, the company can decide to be laser-focused on just meeting the minimum regulatory requirements or operate at a much higher level to gain customer trust as the centerpiece of its privacy program. 

The company’s view of the value of privacy should be reflected in how the privacy operating model is structured. Organizations that undertook the General Data Protection Regulation (GDPR) compliance journey and those that are getting ready to comply with the CCPA have the choice to either maintain a privacy program to meet regulatory mandates or seek opportunity for broader change. The change can be realized through organizational synergies across functions that intersect with the privacy agenda. Ultimately, such change allows for more visible market leadership in winning consumer trust. 

2. Engaging the business in managing key privacy functions and risks  

Engaging the business areas that are client and employee facing is key. They manage the customer journey, constantly interact with individuals, and directly collect and use personal data. They are the true first line of defense! Without them, the organization would be in a fragile and defensive mode.  

Recognizing this, organizations are shifting some privacy responsibilities from their second line of defense to their first. This is supported by an Accenture study that noted that 60% of respondents agree that responsibilities performed by the second line are shifting to the first line.1 Some organizations would even go to the extent of shifting their entire privacy compliance oversight to the first line of defense. 

3. Clearly defining the responsibilities within the first and second lines of defense  

Roles and responsibilities within the first and second lines of defense should be clearly defined and removed of any overlaps. Individuals should be designated to own key privacy functions across the essential privacy program components, including: 

  • Individual rights management 
  • Privacy notice and choice management  
  • Data use, retention and disposal  
  • Privacy risk management and compliance  
  • Third party privacy risk management 
  • Data breach management
  • Data lifecycle and security 

Key support functions, including IT, Legal, Procurement, and Information Security, should be tapped into the privacy program operations. As an example, the IT department should support data discovery when responding to the individual requests, and Procurement should diligently screen vendors before any personal data is shared with them. 

In the next blog we will discuss how organizations are responding to the evolving privacy regulatory landscape, including the reasoning behind their chosen program maturity journey.  


  1. “2019 Compliance Risk Study,” Accenture, March 2019. Access at:

Submit a Comment

Your email address will not be published.