PrivacyOps Framework

PrivacyOps
Framework
The world has changed.
In the Data Driven age – Privacy needs to work
throughout the full data lifecycle in Marketing,
Sales, Customer Service, HR, Finance and
other organizational boundaries to drive
growth. We call this Privacy Operations.
Written by Ivan Tsarynny • CEO & Founder of Feroot Privacy
Published October 2018 • www.Feroot.com/PrivacyOps

Table of Contents
Executive Summary................................................................. Page 4
What is PrivacyOps?................................................................ Page 6
• About The PrivacyOps Framework
• Privacy Today
• What’s Next?
• The holistic Approach and Three Key Benefits
Steps to embedding privacy into day-to-day operations........ Page 12
• Stakeholder Alignment
• Data Inventorization
• Privacy Impact Assessment
• Data Subject Rights Framework:
• Vendor Management
• Ownership of the Tech-Stack
• Who Owns and Leads PrivacyOps?
• Product and Service Changes
• Liabilities Under the GDPR Regime
Getting Started With PrivacyOps……………………………………..…. Page 29
• Symptoms and Signs That You Need PrivacyOps
• PrivacyOps Business Drivers
• Customer Loyalty
Conclusion…………………………………………………………………………... Page 36
PrivacyOps
Framework

Executive
Summary
Privacy and Access: operations are an increasingly important functional
area in organizations and businesses that process personal data
governed by privacy laws, such as GDPR, HIPAA, PIPEDA, and DPA.
PrivacyOps is a new organizational model that automates and unifies
privacy and access operations across functional areas, such as
marketing, sales, service, finance, and HR. PrivacyOps utilizes the Privacy
by Design framework in order to align an organization’s resources and
processes, and to deliver privacy compliance while freeing up resources
to focus on their key business objectives and increasing customer trust.
When applied effectively, PrivacyOps can lead to dramatically improved
critical business metrics, including conversion rates, referrals, customer
retention, and revenues.
PrivacyOps
Framework
For information purposes only and should not construed
as a legal, or other advice for any particular issue

Disclaimer
Note: this framework is not intended to construe legal
advice or offer comprehensive guidance.
The information presented in this framework is for
information purposes only and should not construed as
a legal, or other advice for any particular issue, topic,
or subject, including compliance with relevant
regulations or laws. You must consult a professional
and licensed advisor with expert knowledge with your
particular situation for any such advice
PrivacyOps
Framework

PrivacyOps
Framework
Privacy Operations, or PrivacyOps, is a new functional group and
an emerging department that manages the full range of privacy
operations across marketing, sales, analytics, services, HR and
back-office operations. Privacy Operations unifies data governance
and operation silos across all functional areas: privacy and access
governance, on premise operations and third-party processing.
PrivacyOps has one primary objective: transform an organization’s
privacy perspective away from risk avoidance and towards
opportunity-seeking and competitive differentiation.
What is
PrivacyOps?

What does
PrivacyOps Success
Look Like?
• Individuals can intuitively and easily exercise their rights via an up-to-date user-
centric experience, and be assured that their rights are respected.
• Privacy and Access controls are part of technology solutions.
• Fulfilling privacy and access obligations is a routine and automated activity.
• Privacy and Access controls systems detect, predict, and report non-compliant
events.
• Privacy and Access natively operates across all departmental and intra-
organizational boundaries without data and information silos.
• Organizations are always prepared to demonstrate proof of privacy and access
compliance.
PrivacyOps leaders provide key stakeholders (customers, employees, and partners) the
means—through an automated, user-centric, and always up-to-date experience—to
intuitively, easily and respectfully exercise their privacy and data access rights.
Privacy and Access controls systems detect, predict, and report non-compliant events;
they operate across all departmental and intra-organizational boundaries; and they are
always prepared to demonstrate proof of privacy and access compliance.
Benefits of PrivacyOps:
PrivacyOps
Framework

About
PrivacyOps
Framework
PrivacyOps
Framework
Feroot interviewed data privacy, governance, access rights, cybersecurity, IT
operations, enterprise planning, marketing, sales, and customer success
experts across a wide variety of industries.
We used this data to create the definitive Privacy Operations framework –
PrivacyOps.
PrivacyOps is a new department that manages the full cycle of data
operations across customer, employee, and back-office lifecycles.

Privacy Today
Today’s privacy operating model was conceived during the era of fax machines and was
continually updated with new requirements from the onset of transformation into the
digital economy.
The data-driven economy is forcing companies to rapidly innovate the way that they
operate and do business. New technologies have never seen faster needs for
adaptation. Customer expectations have never changed as rapidly as they are now.
Buying and selling processes, customer service, and supply lines have never been as
data-driven as they are today.
Customer data comes with responsibility. There are numerous regulations governing
privacy in the world, including GDPR, PIPEDA, DPA, HIPAA, PIPA, CCPA. While
compliance with these laws is clearly one of the drivers of Privacy Management
Programs, it is only the baseline for our approach to privacy.
Protecting the privacy of the personal information entrusted by customers to
organizations is mainly driven as a risk avoidance process in order to prevent
enforcement, penalties, and lawsuits. However by leveraging customer-first
commitments, you can build trust with your stakeholders so that they can know how to
use data in a way that generates value, promotes respect and protection.
PrivacyOps
Framework

What’s
Next?
Although most large companies have spent hundreds of thousands, if not millions, of
dollars preparing for GDPR and other privacy regulations, many organizations are still
struggling with the day-to-day complexities of consent management & privacy
compliance operations. For instance, updating your privacy policies are just the first
step. There's still a lot to do to manage subject right obligations and subject access
requests. Our study found that most organizations are not yet ready to manage their
processes effectively or efficiently and, as such, they leave themselves at risk of non-
compliance.
Ongoing management of privacy obligations is complicated. Many stakeholder touch
points must be routinely coordinated in order to process requests effectively and to be
documented for compliance and legal purposes.
Spreadsheets and traditional point-to-point privacy software can’t scale and perform
ongoing management of the new data relationship model in which data flows from the
subjects (people) to data controllers (service providers), and data processors (third-
party vendors).
We found that most organizations aren’t prepared, nor do they have any embedded
controls for managing data privacy across their third-party vendors, for on-premise
applications, and for AI systems.
PrivacyOps
Framework

PrivacyOps has one job: drive growth
through a responsible use of data by
embedding privacy controls into products
and services.
PrivacyOps’ holistic approach has four key benefits:
1 - Harmonization and Alignment
PrivacyOps aligns departments and their stakeholders. This ensures privacy initiatives
have a measurable business impact. When an organization is aligned, it generates
more revenue at a reduced cost, and brings new data-driven products to the market.
2 – Customer-focused Product and Service Changes
GDPR and other privacy regulations require changes to policies, operations, and
products, not just for compliance reasons but also to foster user trust. The
PrivacyOps framework enables organizations to operationalize privacy effectively,
achieve proper consent management, maintain accurate data inventorization, and
augment user transparency, and privacy controls.
3 - Removing Overhead Helps Focus Operations on the Key Objectives
PrivacyOps assumes operational and technical privacy overheads that allow
marketing, sales, customer service, HR, and other departments to focus on their core
goals, objectives, and KPIs.
4 - Planning and Operations
PrivacyOps helps to identify and remove roadblocks. It works with the concept of
accountability, careful planning, and the implementation of privacy operational
controls across the full data lifecycle flow and across departmental, organizational,
franchise and other enterprise boundaries.
These benefits transform privacy from a risk avoidance function into a business that
increases, revenue and market share.
PrivacyOps
Framework

Steps to embedding
privacy into day-to-
day operations
PrivacyOps
Framework
Step 1 – Align Your Team around Documented Privacy Goals
No stakeholder alignment = no results.
Why is alignment so important? In many organizations, business, operations, legal,
and IT tend to work in isolation. This is especially true of transformation, privacy,
and IT-based projects, wherein the business quickly defines requirements, then
throws them “over the wall” to operations or cross-functional teams. These teams
implement the requirement, only to be find out unanticipated roadblocks. This is
one of the most common examples of lack of alignment. For successful programs,
the path to ROI is secured with a real partnership across all of the stakeholders from
business to legal, privacy, marketing, sales, HR, and IT departments working
together towards a common goal. This goal and vision should be discussed, agreed
and clearly documented.

Action: One vision
The first step is to engage and include all the relevant stakeholders and have full participation and
alignment across all stakeholder groups.
This vision should be articulated within commonly accepted business terms that are already part of
your established culture and business practice. The vision should include clear business goals,
objectives, and outcomes that the program will achieve. The document should also have a clear set of
measurements for the project metrics to ensure expected outcomes are achieved. Project KPI’s should
have a direct link to executive stakeholder KPI’s and KPI’s of departments involved in the project. The
draft should be agreed to by stakeholders to secure their feedback, and to ensure ongoing buy-in, you
should update the document to incorporate their feedback.
3 steps to getting your stakeholders aligned
1. Identify your stakeholders.
• First, make a list of the stakeholders for your project. Be specific - find out precise names and titles.
• We categorize using these seven types:
• The Sponsor: This is the person with real skin in the game, they will either get the recognition or
take the fall.
• Financial decision-makers: These are the people who decide whether your project gets funded.
• Strategic decision-makers: These are the people who have a problem that your project is expected
to solve.
• Mobilizers and Champions: These are the people you can count on for moving things forward to
evangelize the importance of the project.
• Blockers: these people don’t have official power, but they can intentionally or unintentionally stop
the project in its tracks.
• Influencers: These people have valuable opinions and insight to consider.
• Doers or Implementers: These are the people who execute parts of or the entire project. They
have very specific knowledge, action items, and are accountable for deliverables.
2. Get them involved.
Alignment is about getting stakeholders to participate, support, and execute the project. They should
feel invested and committed. Proper communication is critical to ensure all stakeholders are involved
in an engaged and supportive way. Everyone needs to be aware of your project objectives and
updated on project progress. Some stakeholders will be more involved than others, but don’t
underestimate the value and importance of stakeholders with less participation.
3. Objections are needs or concerns in disguise.
Nurture communication and understanding between stakeholders to avoid surprise roadblocks later.
Keep in mind that needs are likely changing as the project progresses. The more you know about
stakeholders’ concerns, the better you can address them. Regularly pause, re-assess, and align.
PrivacyOps
Framework

What Do We Have?
• Assessment
• Data Processing
• Data Inventory
• Data Mapping
Step 2 – Data Mapping & Documenting your Data Processing
Activities
Data mapping, or document your data processing activities, is the first critical
element in an organization’s privacy compliance process. It is also required
under Article 30 of the GDPR.
Organizations (data controllers) face questions from data subjects (people)
and have obligations to disclose third-party and third-country locations
where their personal data is being processed and how and why it is being
used. A successful data mapping exercise will help an organization answer
these questions with confidence and will provide customers with the
information that they expect concerning their personal data and its usage.
Proper, up-to-date data mapping also greatly reduces risks associated with
unauthorized personal information handling.
PrivacyOps
Framework

Action: Initiate data process mapping exercise and keep your data map
updated and accurate at all times.
• How to map your organization’s enterprise data and know what questions
to ask?
• What type of data is collected? Is it sensitive and identifiable personal
information?
• Why is the data collected?
• Who is collecting data?
• Is data shared with third parties?
• Where (what country) is data being stored and processed in?
• When, why, and how is the data being used? Is the data used for the
purpose for which it was collected?
• How long is data retained?
• What is the lawful purpose of data use? Under consent or other lawful
purposes?
Notes about the Legal Basis for processing data under the GDPR (Article 30)
• The present guidelines clarified that if you rely on consent for a
processing activity, you cannot depend on an alternative legal ground as a
fallback or backup. For further clarity, you can’t ask the data subject for
consent “to do X with their data” and then perform that processing
activity and disregard their choice if they said no. However, there are
possible cases in which you might be able to rely on more than one legal
ground. In these cases, you should always get advice from your legal
counsel.
• In cases where you are relying on multiple legal grounds, you might be
triggering additional obligations and rights such as, content of your
privacy transparency notices, data portability, data erasure, and more.
PrivacyOps
Framework

Additional Data Mapping Benefits:
Although data mapping often requires significant effort from organizations,
there are other additional important benefits. Data mapping helps
organizations maintain detailed data processing records for compliance and
legal purposes and ensures audit readiness at any time. In addition, data
mapping provides evidence that an organization is adhering to data protection
guidelines.
Other benefits of data mapping include:
• Improved IT systems by streamlining data flows.
• IT operational efficiencies.
• Mitigating risks of data breaches and reducing breach impact.
• Responding quickly to subject requests and consequently reducing the
cost of compliance.
Summary:
Data mapping is the essential first step in an organization’s privacy compliance
program and assists in supporting customer and employee loyalty. On top of
this, there are additional benefits of GDPR compliance, such as operational
efficiencies, reduced incident impact, increased customer loyalty and
competitive differentiation.
PrivacyOps
Framework

Privacy
Impact
Assessment
Step 3 - Privacy Impact Assessments
What is a Privacy Impact Assessment (PIA)?
Simply put, a PIA identifies and helps reduce privacy risks of any
undertaking or process within an organization. PIAs are a key part of
the GDPR path to “privacy by design.”
With a PIA you can:
• Readily predict potential problems
• Begin the process to implement privacy by design. “Proactive, not
reactive; preventative not remedial”
• Improve your ability to adhere to GDPR requirements
• Ensure that your organization is aware of and prepared to handle
privacy and data protection obligations
PrivacyOps
Framework

Data Subject Rights
Framework:
• Privacy Notices
• Disclosures
• Consent
• Control
Step 4 – What do Consent and Information Notices,
Disclosures, and Controls mean in the context of GDPR?
For example, GDPR states that consent can be withdrawn at any
time; can’t be assumed from inaction, and forced consent will be
“invalid.” Consent must be freely given, specific, informed and
unambiguous. Again, you should always get advice from your legal
counsel.
Recommended action: Collect consent and maintain proof of
collected consent unless you are relying on processing data being
done under other lawful proposes.
PrivacyOps
Framework

The GDPR Subject Access Request (“SAR”) Key Summary:
• Data controllers are responsible for responding to all SARs.
• Required SAR response time is 30 days or less, although complex
requests can be extended with regulatory approval.
• The identity of Data Subject must be verified to prevent privacy
breaches.
• Not all SARs should be fulfilled when other lawful reasons for data
processing exist
• Consent can be withdrawn at any time as easily as it was given.
• Organizations cannot charge fees to comply with SARs under the
GDPR unless the request is “manifestly unfounded or excessive.”
• Any response to a SAR should allow the individual to easily identify
what information has been collected and stored and what processing
has been carried out.
• An SAR may be made electronically, e.g., via email, and responses
may also be provided in the same manner.
What impact do SARs have on data controllers?
GDPR-regulated organizations should consider: 1) implementing SAR
policies and embedding SARs into customer and employee-facing services,
systems, and mobile apps (both internal and external facing) in order to
ensure that your organization can fully administer SARs across third-party
vendors (processors); 2) developing a response process to streamline SAR
fulfillment; 3) train employees on new GDPR requirements and SAR
processes; 4) implement a self-serve approach for SAR fulfillment.
PrivacyOps
Framework

How can third-party vendors (processors) support data controllers in
responding to SARs?
In many cases, the initial contact from subject comes directly to the
controller or the data processor. However, the data processor is not
responsible for responding to the SAR by default.
Action: Initiate SAR fulfilment and record keeping processes.
Data controllers and data processors need to prepare to handle SARs in a
coordinated and prepared manner.
At the start of the data collection, data processors should provide clear
information notices that will inform the subject of their rights under
GDPR.
• Organizations should be able to provide confirmation as to purpose,
location, extent, duration of data processing, and confirmation of the
data retention period.
• The data processor should manage personal data in a way to ensure
that information can be identified quickly and easily.
• The data controller and processor should establish an approach to
respond to any SAR easily and preferably in an automated fashion.
• Training of all staff on how a SAR process is done. FAQ section on the
processor’s website relating to SARs. A self-serve portal for SARs.
• Agreement between the data controller and processors. This includes
contractual provisions with the data controller on how SARs are to be
handled, and immediate communication from data controller to
processors to inform them of the SAR, to fulfill the request and keep
auditable records of all steps.
PrivacyOps
Framework

Step 5 – GDPR Requires Changes to how your Products and
Services functions
• Key requirements
• Legally valid for processing data
• Identify each third party and their usage of personal data
• Retain records
• Ability for users to revoke consent
Obtaining Consent
Give customers the choice and the ability to obtains consent and
revoke consent as easily as they gave it
Managing Consent
Respect your customer’s choice and manage data restrictions
downstream to third parties
PrivacyOps
Framework
Product and Service
Changes
• Consent
• Transparency
• Privacy Controls
• Data Portability
• Communication

Collecting Data
Tell users the intent of data collection and what data you will collect
Processing Data
Process Data in a way that is consistent with user privacy expectations
Plain language notices
Clear retention and deletion policies
User controls for retention and deletion
Limit data processing based on the intended purpose
Third country and third party
sub-processor disclosure
Breach notification readiness
Audit readiness
PrivacyOps
Framework

Vendor
Management
Step 6 – Third-Party Sub-Processor Vendor Management
Data controllers are required to ensure that their vendors
(processors) properly handle all personal data shared with them. As
with data mapping, modern systems and processes create data
processing chains where data travels from one application to
another and changes hands across SaaS and cloud service providers.
Almost every data controller should review how it handles data and
its relationship with its providers, and how data processors manage
their own vendors/processors, and how GDPR subject rights will be
enforced across the entire data processing chain.
PrivacyOps
Framework

Recommended Action:
• Complete and maintain an accurate Data Processing Map.
• Review agreements with all vendors to cover all GDPR applicable
articles.
• Compile and maintain an inventory of vendors.
• Implement a programmatic approach to managing vendor data-chain.
• Implement technologies to support vendor audits and SAR fulfillment
compliance.
• Include vendor escalation processes and embed remediation plans.
Summary: taking control and implementing programmatic approaches to
vendor management for data controller and data processor are key. A
comprehensive approach to managing vendors and the data processing
chain can reduce processing and regulatory enforcement risks.
PrivacyOps
Framework

Liabilities under
GDPR regime
Step 7 – Subject Access Rights violations, Data Breaches, and
Liabilities
GDPR Article 33 requires that data controllers notify the supervisory authority in
case of a personal data breach without undue delay and, where feasible, no
later than 72 hours after having become aware of the breach. The processor
shall notify the controller without undue delay after becoming aware of a
personal data breach.
GDPR Article 34 requires data controllers to notify the data subjects of a
personal data breach when the data breach is likely to result in a high risk to the
rights and freedoms of natural persons. The controller shall communicate the
personal data breach to the data subject without undue delay unless the
controller has implemented and applied appropriate technical and
organizational protection measures to the personal data affected by the
personal data that render the personal data unintelligible, because of
encryption.
PrivacyOps
Framework
• Violations
• Breaches
• Negligence

GDPR Article 82 provides the Right to compensation and liability to any person
who has suffered material or non-material damage as a result of an
infringement of GDPR provisions from the controller or processor. In addition,
it states that any controller involved in processing shall be liable for the
damage caused by processing that infringes GDPR; and the processor shall be
liable for the damage caused by processing only where it has not complied
with obligations of this regulation specifically directed to processors; or where
it has acted outside or contrary to lawful instructions of the controller.
Additionally, controllers or processors shall be exempt from liability under
paragraph 2, if it proves that it is not in any way responsible for the event
giving rise to the damage.
Under GDPR Article 82 specifies that infringements of the following provisions
Articles 8, 11, 25 to 39, 41, 42 and 43 shall be subject to administrative fines
up to 10 000 000 EUR, or in the case of an undertaking, up to 2% of the total
worldwide annual turnover of the preceding financial year, whichever is
higher.
GDPR Article 83 specifies that infringements of the following Articles 5, 6, 7
and 9, and the data subjects’ rights pursuant to Articles 12 to 22, and 44 to 49,
will lead to suspension of data flows by the supervisory authority pursuant to
Article 58(2). At the same time, failure to provide access in violation of Article
58(1) shall be subject to administrative fines up to 20 000 000 EUR, or in the
case of an undertaking, up to 4% of the total worldwide annual turnover of
the preceding financial year, whichever is higher.
In addition, data subjects may initiate private claims directly against data
processors for breach.
PrivacyOps
Framework

Under GDPR, the data controller is ultimately accountable and, in cases
when the data controller does not exercise sufficient control over the data
processor, the data controller still must be able monitor the data processor;
otherwise, it could still find itself subject to fines.
Best practice tips:
1. Controllers and processors should perform appropriate due diligence
on their providers and partners.
2. Controllers should continue to monitor their processors’ compliance
post-appointment, on a regular and/or real-time basis.
3. Enter into DPA agreements
Summary
Data controllers and processors need to collaborate in order to ensure data
subject rights and other GDPR obligations are respected and fulfilled. It’s
essential to start by ensuring that privacy is at the core of all services,
processes, and procedures.
PrivacyOps
Framework

PrivacyOps can start in two ways: distributed capabilities throughout your team, or
specialized roles in a department. The right way to start depends upon your business
model and company size.
PrivacyOps starts out as a shared function with multiple departments and people
performing aspects of privacy compliance. For example:
• Privacy oversees governance, operations, and assessments.
• CTOs performing PIAs, data-mapping, application and tools management.
• DPOs overseeing applications and security.
• Marketing managing third-party marketing tools and data-flows.
Privacy operations maturity path helps these responsibilities become dedicated roles
and can be brought under the PrivacyOps umbrella. Consolidation usually happens
when data map management becomes sufficiently complex, typically around 50
internal and third-party applications.
If your organization has more than 20 applications, you are likely facing siloed privacy
management in your operations already. Bringing PrivacyOps roles together
consolidates accountability. Reporting is also highly recommended at this time.
PrivacyOps
Framework
Getting Started
with PrivacyOps

Symptoms and Signs you need PrivacyOps
Here are some common signs that you don’t have a properly functioning
PrivacyOps system. If the examples below resonate or sounds familiar, it
likely means that you’ve waited too long to implement PrivacyOps. The
benefits of PrivacyOps could very well have a significant positive impact on
your organization.
Many non-EU businesses, including US and Canadian companies,
incorrectly assume European laws don’t apply to them.
Here we highlight five common GDPR myths:
1. “GDPR is for European companies”
An organization doesn’t even have to accept payment from an EU-based
customer to be subject to GDPR. The GDPR applies to any business that
targets its activities to an EU market. Even if your U.S.-based business
doesn’t target an EU market, GDPR may apply if your company monitors
EU-base individuals or is processing their data as a sub-processor.
2. “We don’t use any personal data, so GDPR doesn’t apply.”
GDPR defines “personal data” to include an identifier that could help
identify a natural person. For example, it could include a person’s IP
address and cookie. Storing data in a CRM can also trigger GDPR
compliance. GDPR also provides enhanced protections to “special
categories of personal data”, such as data relating to health, racial or
ethnic origin, political opinions, religious or philosophical beliefs, and
trade-union memberships, among others.
PrivacyOps
Framework

3. “We have a privacy policy,” and “we are good, since we determined we
are compliant”.
When you do business with a customer over the Internet, you often collect
information that can potentially be useful outside of the transaction. If you
use any of that information in a way which can be linked back to the
customer and without the customer's knowledge or consent, you are
violating their privacy rights. It is up to you to properly destroy a
customer’s information or to ensure it’s secure.
4. “We only collect minimal information on our clients for services and
products ”
If you collect, use or disclose any personal information about individuals,
(such as email, address, names etc) you need to understand your privacy
obligations.
5. “We have too many tools!”
PrivacyOps consolidates the procurement, implementation, and
management of privacy management processes and tools under one
owner. This gives you full visibility across the organization, saves costs, and
increases adoption of privacy.
PrivacyOps
Framework

The Chief Privacy Officer (CPO) and the Chief Risk Officer (CRO) have an
emerging operational role in an organization. Traditionally, privacy has been
tasked with governance and policy-setting responsibilities. But, in the age of
GDPR, the increasing mandate around day-to-day privacy operations, and the
operationalization of privacy-related tasks, make CPOs natural owners of data
processing governance across Marketing, Sales, Customer Support, HR and
other departments of business.
In the case that your organization doesn’t have a CPO, PrivacyOps can live
under a Chief Data Officer, CIO IT Operations, application owners, Risk
Management, the CTO, and in some case, even under the marketing
department. The ultimate organizational responsibility is driven by the needs of
your business, talent and the skill-set of your teams.
Did You Know?
CPO’s, CDO’s and DPO’s are a growing job profile? According to LinkedIn, there
are roughly 1,400 CPOs, 3,828 Chief Data Officers, and 6,000+ DPO’s, while
there are 9,500+ CROs (risk officers) and over 34,000 CIOs.
PrivacyOps
Framework
Who owns and
leads PrivacyOps?

Ownership of
the Tech-Stack
Today, there are more than 25,000 SaaS tools available on the market. For
instance, when we investigated typical global organizations, we found that they
are using between 100 and 2,500 third-party, SaaS-based software tools in their
tech-stack.
The multi-party tech stack has become impossible to manage. Multiple tools
exchange data, and complex integrations can increase the risk of data leakage
and breaches. The wild west of self-service tools scatters customer data across
jurisdictions and providers, leaving data controllers potentially liable to
hundreds of millions of euros in penalties.
The challenge is complex because in modern organizations no group fully owns
the tech stack’s privacy. IT used to own the tech stack when all hardware,
software, and data was on the premises, but today it's common for sales,
marketing, HR, finance, and customer service to manage their own technology
budgets and procure tools from third-party SaaS-based vendors. Sales,
marketing, and customer services, in many cases, even have their own
technology teams, leading to multiple owners for a single CRM, customer
marketing, customer service, and communication systems and, thus, creating
multiple silos of data.
PrivacyOps
Framework

In the PrivacyOps framework, a single team oversees privacy management of
the tech stack across the organization. This helps ensure that all departments
and lines of business can comply with GDPR and other regulatory obligations.
Accountability and ownership go hand-in-hand. PrivacyOps facilitates close
relationship across stakeholders, Privacy department, Digital and Innovation
teams and IT, all in order to ensure that the organization meets privacy and
data management requirements. Moreover, changes can be made quickly to
respond to data and information governance demands and requirements.
PrivacyOps
Framework

Customer Loyalty
"75% [potential customers] will not buy a product from a company — no matter
how great the products are — if they don’t trust the company to protect their
data " 2018 IBM Cybersecurity and Privacy Research
VC Funding and Investors
Steve Herrod of VC firm General Catalyst told The Privacy Advisor
that evaluating a company’s privacy practices is now part of his
firm’s due diligence, especially when companies are storing
customer data in cloud services.
PrivacyOps creates benefits for the marketing, sales, customer services, HR,
finance and other business areas because it aligns a company around customer
data and their needs. PrivacyOps also generates more sales by influencing key
metrics including: customer trust, competitive differentiation, shorter sales cycles,
and increased repeat business.
Finally, PrivacyOps has a compounding effect on every part of your business, from
the efficiency of managing sensitive data to lowering risks of breaches, penalties
and litigations, and increasing customer loyalty.
PrivacyOps
Framework
PrivacyOps
Growths Business

PrivacyOps is a new organizational model that increases your competitive
advantage and regulatory compliance through measurable improvements of
operational effectiveness and efficiency across your entire data lifecycle.
PrivacyOps unifies access management across informational silos such as
customer information, medical records, employee data, back-office operations,
and other key organizational departments that collect data.
PrivacyOps streamlines privacy operations across all functional areas, freeing up
resources to focus on key business objectives.
PrivacyOps consolidates privacy and access operations into a smooth operating
machine.
PrivacyOps provides harmonization, simplification, alignment, and focus that will
provide privacy compliance and ultimately a competitive advantage by increasing
customer trust; and helps increase core metrics like conversion rates, referrals,
customer retention, and revenues.
PrivacyOps
Framework
Conclusion

Feroot’s Privacy Platform allows you to quickly and efficiently manage on-
premise and third-party vendors across applications, both dynamically and
automatically. No more chasing down vendors for their latest privacy
agreements. No more updating stale spreadsheets. Enter information once,
connect to your third-party party vendors, and everything from consent
management, to data processing activities, to record-keeping documentation
flows appropriately and continually to the key stakeholders. Your organization
will save time, resources, and money and avoid the tedious task of manually
updating documents every time a new vendor is added to your tech stack.
Feroot’s Privacy platform helps you implement a PrivacyOps framework that
will:
• unify, automate and coordinate all aspects of GDPR Subject Access Request
compliance obligations.
• manages all stakeholder touchpoints automatically
• support your organization’s ability to process requests efficiently
• document responses for compliance and legal purposes
PrivacyOps
Framework
Feroot is an award-winning PrivacyOps platform
that helps you operationalize privacy
management across all departments and data
silos.
We help organizations instantly transform their
static data map into a dynamic, continually
updated, and accurate data registry.
Want to learn more about Feroot?
Contact sales@feroot.com
Our mission is to turn privacy compliance into
your competitive advantage.

PrivacyOps Framework

More Related Content

What's hot (18)

Similar to PrivacyOps Framework (20)

Recently uploaded (20)

PrivacyOps Framework