Caught between the conflicting interests of stakeholders and the imperative to ensure privacy and data protection compliance, Privacy Officers often find themselves in a challenging position. The requirements to safeguard data subjects’ rights are often perceived as obstacles, making it tough to influence stakeholders effectively. This article explores strategies for Privacy Officers to convince stakeholders and drive compliance with privacy obligations.
The role of a Privacy Officer.
A Privacy Officer, also known as a Chief Privacy Officer, Corporate Privacy Officer, Data Protection Manager, or Data Protection Lead, is responsible for managing privacy solutions and data protection matters within an organization. Unlike a Data Protection Officer (DPO), who must be independent and have advisory functions defined in the General Data Protection Regulation (GDPR), a Privacy Officer can directly participate in the organization's decision-making process regarding data processing activities and represent the organization's data processing interests. They take on a more hands-on operational role, collaborating with teams such as Product, Marketing, and Human Resources in day-to-day operations.
First, draw the line.
Before engaging with a stakeholder regarding a specific data processing activity, a Privacy Officer must know the amount of risk an organization is willing to accept. This task is not solely determined by legal requirements and enforcement trackers; it involves considering reputational and financial risks, as well as analyzing consumer behaviour. Assessing overall risks requires multiplying the likelihood and severity, a task often performed by a risk management team in larger companies. Armed with this information, the Privacy Officer gains a clear understanding of the organization's risk appetite, enabling them to engage and negotiate with stakeholders effectively and in a well-informed manner.
Second, understand the goals, not just the systems.
In the next step, a Privacy Officer must comprehensively understand not only the overall system of a processing activity but also its specific purposes, aligning with the principles of necessity and proportionality. These purposes can range from enhancing click-to-open and conversion rates to launching new products. The processing, therefore, should be necessary for the intended purposes and carried out proportionately.
Additionally, being aware of the stakeholders' individual goals is crucial. For instance, the marketing team may be driven by transaction numbers, while the human resources team aims to boost employee productivity. This step allows the Privacy Officer to understand the real reason if their advice faces reluctance or rejection.
Third, position yourself as a person who helps them.
Equipped with the information gathered from previous steps, the next phase for a Privacy Officer involves providing their opinion on a data processing activity. In this part, the Privacy Officer should not position themselves as someone who simply says no and forces stakeholders to adopt a different approach. Instead, the Privacy Officer should first acknowledge the importance of the stakeholders' objectives and assure them of help in achieving those goals.
Furthermore, when a Privacy Officer needs stakeholders to implement additional measures, it is important to first emphasize that the measures are the solution to achieving their goals and address any concerns about the difficulty of the proposed solutions. For example, if a stakeholder finds the prospect of conducting a DPIA daunting, the Privacy Officer can simplify the process by providing a list of straightforward questions. This approach assists stakeholders in understanding that the required measures are not overly complex.
Convincing stakeholders that the processing activity can work against their own goal is more persuasive than merely stating the legal obligations. For example, citing a consumer survey conducted by the IAPP, which revealed that 66% of respondents would feel uncomfortable if their data was shared with third parties without consent, can highlight how implementing a robust consent mechanism enhances the consumer experience. Likewise, 63% of respondents indicated discomfort when asked for more data than necessary, indicating the importance of processing minimal data. In those examples, the Privacy Officer and the stakeholders work together to achieve the same goal: providing better service to consumers.
The same approach applies when a processing activity crosses the acceptable line, has no mitigating measures available, and must therefore be avoided. To illustrate, an unlawful employee monitoring practice would fail to enhance productivity if it makes employees feel violated. Similarly, retaining consumers' personal data longer than necessary would offer no benefits if those consumers have ceased using the services for an extended period of time.
In summary, a Privacy Officer is a mediator.
Engaging with individuals incentivized to pursue different and potentially conflicting goals can make it challenging to rely solely on legal obligations when communicating as a Privacy Officer. Therefore, the Privacy Officer must align their interests with the stakeholders they are persuading. This strategic approach involves understanding their objectives and affirming the Privacy Officer's intention to assist them in achieving their goals while still adhering to the organization's risk appetite. Ultimately, a Privacy Officer must act as an effective mediator, ensuring that they maintain a positive relationship and avoid becoming someone people cannot stand.