Where does an organization get the most “bang for its buck” out of its privacy program in the org chart? GRC (Governance Risk Compliance)? Legal? IT Security?
If you answered IT Security, consider the fact that “[t]he natural evolution, which we’ve been seeing evolve over the past few years, is to get away from dedicated security teams almost altogether.” Apologies for the macabre metaphor, but you don’t want to see your privacy program as a part of that post-mortem.
Alternatively, GRC as a discrete office in the business structure is on the uptick, and is both a logical and commonsense place for a privacy program. In my view, Ben Tomhave (Research Director on the Security & Risk Management Strategies team at Gartner — twitter.com/falconsview) is spot on in his analysis of IT Security, Legal, and where GRC should live:
GRC programs (and, here we’re talking about GRC as a discipline not as a tool or platform) cannot and should not remain buried in IT organizations. Instead, they need to be elevated into the business structure, oftentimes reporting in with other risk managers, such as under a General Counsel (Legal team), CFO, or business analysis team … this is all widely held and accepted today. Many organizations have already moved to this end state where security-related operations have been dissolved back into IT departments/teams, with oversight functions elevated into GRC programs that pull together risk management, policy, audit, and various related testing and data analysis duties.
… on the other hand … many organizations have not.
The fact is, many organizations’ critical GRC functions are still being managed by IT Security — including the privacy program. When non-IT Security professionals are vying for work in this context, they often do well to give a respectful nod to the above trends while advancing the notion that a one-size-fits-all GRC solution doesn’t exist (as it would obviously be folly to argue “This GRC function doesn’t belong under IT Security” to the IT Security manager who holds the budget).
It’s prudent to stipulate that some organizations must place certain GRC functions — like mapping data privacy risks — in IT Security. Not to put too fine a point on it, but regardless of where an organization’s GRC discipline lives, it must work cross-functionally with every part of the organization in order to effectively map data privacy risks.
“Gone are the days when IT professionals are solely responsible for IT decisions. Increased regulations, innovations in technology and the integration of IT in all aspects of the organization have placed IT projects under bigger scrutiny.” – protiviti
Although many dedicated information privacy compliance functions jibe better with org charts outside of IT, that’s not to say they aren’t value-added anywhere in an organization. By understanding the regulatory landscape and liaising across an organization to map libraries of data to their corresponding risks, privacy programs deliver value by assuring compliance with a host of regulations, including state-specific data breach notification laws, PCI DSS, FCRA, and HIPAA.