I’ve learned that life and work are so much richer when you’re not doing them solo. The relationships I’ve poured my heart into have given me some of my greatest rewards.
I also believe in celebrating birthdays, anniversaries, and all the small wins along the way. So in that spirit, this week my husband and I are celebrating 18 years of marriage.

In those 18 years, we’ve learned how to listen, compromise, adjust, support each other, and keep growing together. Quite honestly, without his support, Red Clover Advisors wouldn’t be where it is today.
And that idea – of building strong partnerships and continually listening, adjusting, and learning – is exactly what I see at the heart of every successful privacy program, too.
No privacy program is successful when it relies on a single person.
Just like a long-term partnership, privacy requires a strong foundation, shared ownership, and the ability to adapt as new laws, new initiatives, new leadership, and new technology inevitably come along.
One of the most common questions companies ask me all the time is also deceptively simple:
“Who should own privacy?”
My answer? Wherever it will get the attention it deserves.
Sometimes, though, it’s kind of like a hot potato – bouncing from group to group until someone takes it OR is voluntold to.

I’ve seen privacy in just about every function possible, including legal, compliance, risk, security, marketing, and finance, and I’ve seen it report to just about every executive out there.
And some organizations have a matrix style where regulations might be covered by legal and operations by security.
For smaller companies, both reviewing the laws and operations might be covered by one person, part-time or full-time. And this is where gaining outside help is really important to supplement keeping up with the laws and operations.
Privacy Is Not (and Cannot Be) a One-Person Job
Privacy programs need clear ownership and a delineation of who owns the regulatory side and who owns operations.
Even when a single person is officially “responsible” for privacy, the reality is that privacy touches nearly every part of the organization because data flows everywhere.
A functioning privacy program typically depends on contributions from:
- Legal
- Compliance
- Marketing and Sales
- IT
- Product/Service (how does your company make money?)
- HR
- Procurement and vendor management
- Customer support
- Operations
- Security
- Fill in the blank for other departments processing personal data in your company
Each of these functions is likely collecting, using, storing, and sharing data, and needs to have privacy considered. The impact may vary across departments, and that’s where operationalizing privacy comes into play.
Before companies can have effective privacy processes for conducting a data inventory, performing privacy risk assessments, honoring privacy rights, reviewing new vendors, etc., they need to identify the people responsible for participating in each of these areas.
Just who in marketing can explain what type of data is being processed? Who can explain the business processes in HR? Who can discuss the new product features that might involve personal data?

The Risk of “Zero”
Even early-stage or smaller organizations need more than zero people involved in privacy for the program to be resilient. I haven’t yet met a company that isn’t processing some type of personal data. Even an email is personal data. Every customer has some form of personal data.
The complexity of how it’s processed or what the obligations or privacy requirements are might vary, and that’s when the structure of the privacy organization might differ.
Where little data is processed, or the company just hasn’t gotten on board yet that privacy matters, some companies have no one paying attention to privacy. (IMO, this is not a good plan.)
And others rely entirely on one person to carry the full weight of the program.
No one person can do ALL that’s required in a privacy program. Privacy doesn’t live in a vacuum.
Privacy’s role is to ensure data is used according to company policy, in compliance with privacy laws, and meets customer expectations.
As we talked about earlier, privacy teams need to partner with just about every group in the company to gather information, understand what’s happening with data, and identify what, if anything, needs to be done differently with that data.
Is there a notice to be provided? Consent to be received? A privacy setting turned on by default?
I’ve seen privacy programs stall when an entire program depended on one person’s availability, institutional knowledge, and ability to keep everything moving.
Companies need to understand that privacy is a team sport. It’s a collective effort to comply with the many privacy requirements, consider customer expectations, and safeguard data.
The more partnerships privacy teams (including solos) can have with each function in the company, the more successful the program will be.
If you aren’t a simple phone call away from those functional leaders, now is a good time to identify who they are, pick up the phone, and schedule a call.
If you’re in person, have a coffee together. Get to know each other so that a real partnership, steeped in knowledge and understanding, can form.
Internal Structure: Clarity Beats Complexity
The privacy professional or privacy team is the privacy expert. Other departments do not need to become privacy experts. Companies have different expectations and methods for how they educate and partner with teams.
Some opt for a centralized approach where all decisions come to privacy. Larger companies opt for a matrix style and have privacy experts embedded into groups or functions. Still others sprinkle privacy champions, rather than official privacy pros, throughout the company.
Let’s review each approach.
A centralized privacy program ensures all reviews, decisions, templates, and assessments follow the same standards, creating consistency across the entire organization.
It also makes it easier for teams to know exactly where to go for guidance, reducing risk, rework, and delays by involving privacy early and uniformly.
On the flipside, a centralized approach can create bottlenecks when all reviews, templates, and assessments must flow through one team, slowing down business initiatives and overloading limited resources.
It may also reduce agility, as teams become dependent on a single queue rather than being empowered to move privacy-forward work ahead independently.
The matrix style embeds privacy experts within functions and brings privacy closer to day-to-day business decisions, enabling faster reviews, deeper context, and more proactive integration of privacy into products, marketing, operations, and technology.
This model also builds stronger relationships with teams, allowing privacy to scale more naturally through shared ownership and continuous collaboration.
However, this functional style can create inconsistency when different groups interpret requirements differently, leading to uneven templates, assessments, and decisions across the organization.
It can also make coordination harder, as decentralized inputs may drift from unified standards without a strong governance layer keeping everything aligned.
Privacy champions extend the reach of the privacy program by embedding knowledgeable advocates, who are not full-time privacy pros, across key functions, helping teams recognize when to involve privacy and translating requirements into practical steps.
This model allows privacy to scale without immediate headcount increases, strengthening shared ownership and reducing dependence on a single privacy lead.
Relying on privacy champions can lead to inconsistent application of standards if champions vary in experience or available time, creating gaps in reviews and decision-making.
It may also require significant ongoing training and coordination to ensure champions stay aligned with evolving requirements and do not unintentionally introduce risk.

Which model works for your company?
I’ll ask you: what is your company culture? Has one of these models succeeded in other areas before?
I’ve seen companies push for champions, but it fails due to a lack of specific role criteria, training, or acceptance by the business function to “listen” to this champion.
Or companies try a matrix model without a clear explanation of decision-making authority – is it the privacy team or the business?
Selecting a model that aligns with the company culture is essential for it to be successful. And when ownership is clear, it will reduce work and confusion and make for a successful privacy program.
External Advisors Are Part of the Team
With the speed of privacy requirements and the pace of business change, privacy teams (either part-time, a team of one, or even with dozens of privacy pros) need external resources.
These external resources may include:
- Law firms providing legal interpretation and regulatory guidance
- Consulting firms helping operationalize requirements or testing privacy processes
- Fractional or part-time privacy support to fill day-to-day needs
- Technology partners supporting execution and automation
Many companies find that full-time privacy support is not always feasible or necessary at every stage, but having experienced, consistent support on a fractional basis can make the difference between a program that exists on paper and one that actually functions.
Each company also has different needs. Some need more day-to-day support with privacy rights, or cookie governance and testing, or data inventory, or support in evaluating new business use cases, while others need to stay on top of all the global privacy regulations coming in quickly.
It’s important to identify your privacy program needs and who the right external advisors are for your company. Also consider what other departments these advisors will need to work with.
We’re seeing more CTOs, CIOs, or IT departments (yup, seen it in each of them) own the privacy tech purchases. However, most of these teams just own the budget and have no experience implementing or using the software, or knowledge of what the privacy requirements are.
Identifying the right participants is another critical piece to ensuring you have the right team in place. It’s why we build every Fractional Privacy Office to be right-sized for the company.

Right-Sizing for What Comes Next
Just like a long-term partnership, privacy programs need to be built for change. What works today might not be what will make a program successful next year.
As I shared in issue #1, new laws will keep passing. Business priorities will shift as new technologies are introduced and adopted.
Programs will need to keep adjusting their organizational structure and identifying what needs to change to ensure the program is efficient and meets business needs, compliance needs, and customer expectations.
Despite being asked all the time, “How should we set our privacy team up?”, I’m here to tell you there is no single “correct” structure.
Here are some of the common combos I see today:
- Zero in-house: fractional privacy services supplemented by privacy counsel.
- One in-house privacy counsel supported internally by privacy ops OR an external consulting firm.
- One in-house privacy ops: less common, and this is then supported by external privacy counsel and external consulting.
- Privacy team: combo, depending on need, supported by other teams, external consulting, and legal counsel.
A Simple Place to Start
If you’re unsure whether your privacy program has the right people and resources in place, start by mapping the team as it actually exists today, not how it appears on an org chart. And remember, there is no right answer other than the one that works best for your company’s privacy needs.

This exercise often reveals gaps, overlaps, and single points of failure that can be addressed well before enforcement, audits, or incidents force the issue.
Looking Ahead
Next week, I’ll build on this foundation by shifting from people to process, exploring why even the best teams struggle with getting data inventories functional.
As always, I want this newsletter to reflect what you are navigating right now.
Thank you to those who responded with feedback and topics you want to see covered.
I really do read (and reply) to each and every message (yes, it’s me doing it all, no robots), so please do hit reply and let me know what you’re thinking!
Until next time,
Jodi