When getting started with privacy, one of the first factors you need to consider is who will be appointed the role of a privacy officer.
It can be confusing to know what the privacy officer does, who will fulfil the role, and what needs to be done in line with the law.
Luckily, we have Emma Pond—former staff member at the Privacy Commissioner (so she has first-hand experience on this topic) and Principal & Director at consultancy Simply Privacy—here to answer frequently asked questions about the roles and responsibilities of appointing a privacy officer.
Why do startups need a privacy officer?
Simply put, it’s a legal obligation to appoint a privacy officer—but what does that mean for your startup?
In New Zealand, every organisation covered by the Privacy Act must have someone in the organisation appointed as its privacy officer. However, you don’t have to go out and hire someone new specifically for the role; it can be someone already within the business who also holds another role.
“Most people get volunteered into the role,” explains Emma. “So, ideally, you want someone that is keen and has an interest in the area.”
What is the role of the privacy officer?
The privacy officer is the subject matter expert in the business for privacy. They’re the one you go to with your tricky privacy questions, and if you had to liaise with the Privacy Commissioner about a complaint or a privacy breach, that’s part of their role.
“They’re also kind of the cheerleader,” says Emma. They’re doing the training and awareness activities, so that everyone else knows what privacy means for their role, and what they should be doing and thinking about.
Who should be appointed as a privacy officer?
The privacy officer should be a good communicator who works well with other people. Emma suggests looking towards senior leadership, as they’re more likely to have influence on a wider scale and to talk across the organisation.
The privacy officer also needs to be approachable: a pragmatic person that people want to come to for advice.
Where the role sits will vary with the main functions of the business. If your startup has a big customer service focus, it could be someone in that area of the business. In a B2B company, it could be someone in HR, since you will still have employee personal information to look after. And often it sits within the legal team—or any team that handles risk.
How can others within the business engage with the privacy officer?
For tech companies that build software, privacy is an important factor to consider early and often. The best approach is to bring the privacy officer into any design and planning phase from the offset. Emma notes that it’s “a very frustrating experience to be brought in at the end of a development or a project where you’re basically just being asked to give it a privacy tick.”
If there’s an issue, it can be quite an expensive and painful process to sort out. If you think about this at the beginning, you mitigate that risk.
What is a Privacy Impact Assessment?
“It sounds kind of formal, and big and tedious—which it can be—but it doesn’t need to be,” assures Emma.
A Privacy Impact Assessment looks at your privacy risks and what you can do about them, and looks at the change process to steer you in the right direction.
You want this to be simple enough that people actually do the processes as part of the assessment. It needs to be something that you do more than once, that you check in with.
What are the legal obligations regarding the personal information we keep or could keep in the future?
In terms of your legal obligations, you want your privacy officer to be present in the development of the software as often “things get built that you can’t delete information out of.”
In New Zealand, as in privacy law around the world, there are laws that require certain kinds of information to be held for minimum periods of time, e.g. tax records for seven years. For personal information, you can only keep it under the Privacy Act if you have a valid purpose that is linked to the reason you collected that information in the first place.
“It’s a hygiene thing as much as anything, and it can cost you money to store stuff you don’t need. It can become a risk if you don’t need it and it’s just hanging out; it might just be subject to a data breach,” says Emma.
If there’s a lack of communication, that’s when things start to go wrong. When collecting personal information, Emma recommends a transparent approach. “It builds trust and good vibes with your customer base.”
Think about the why. Why do I need this information? Know what you’re trying to achieve, why you’re doing it, and only collect and hold that information that will help you to get there.