Monday, 6 October 2025

Building a Global Privacy Framework

An approach to implementing a global privacy framework

I was recently invited to speak at the OxGen AI Summit, about how data protection officers can implement and maintain a global privacy framework. Here are my thoughts on how you might approach it.

Figure 1: A roadmap to a global privacy framework

The figure above sets out a step-by-step approach to designing and implementing a global privacy framework. Before you begin, we would recommend familiarising yourself with common approaches such as the National Institute of Standards and Technology (NIST) Privacy Framework and the approach taught by the International Association of Privacy Professionals in the Certified Information Privacy Manager course.

The 15 steps

1: Scope

The first step is to establish your scope. Which jurisdictions do you operate in? Of those jurisdictions, which have privacy laws? (Don’t forget to check for industry-specific laws and laws specific to special interest groups such as children.) Of those privacy laws, which apply to your organisation?

Once you have determined that, make sure you have read them all, saved links and worked out sources for information and updates. We would recommend creating a matrix setting out the key requirements for each law so you can compare them.

2: Approach

The next question is what approach to take to compliance. Broadly, this could be centralised (the privacy team makes decisions), decentralised (the privacy team provides guidance, but decisions are made by the business) or hybrid (some decisions taken by the privacy team, with privacy roles within operational teams). The best approach will consider the complexity of the legal environment and the general approach taken by your company. Bear in mind that it is common for organisations to change their whole approach from time to time, so you may need to change this in future.

3: Objective setting

Now you are ready to decide what the goals for the privacy framework will be, now and in the future. What maturity state are you aiming for initially? What is the longer-term plan? What is your privacy risk appetite? How will your privacy framework align with your organisational vision, mission and goals?

4: Gap analysis

Once you have set your objectives, you are in a position to assess the gaps between your current state and your to-be position. You need to conduct this assessment at the right level of granularity. It can be helpful to get an outside perspective at this point to ensure you aren’t being overly optimistic or pessimistic.

5: Risk assessment

Having assessed the gaps, you can now determine how much of a risk each gap poses. This will help you prioritise the gaps so you can develop your action plan.

6: Stakeholder engagement

This is usually a good point to start engaging with stakeholders. By now you should have a clear idea of what the problems are and why they matter, so you will be able to articulate the need for change and answer questions. It is also often easier for people to find time to validate work than to create it, especially if it is in a new area, so you are likely to get more specific feedback at this stage.

7: Roles and responsibilities

It is likely that you will need to get existing team members to formally accept responsibilities that may seem new to them. You may need to explain and train roles such as Process, Data and Information Risk Ownership, and recruit Privacy Champions. There will be boundaries between roles that will need to be negotiated, and the most important people are likely to be too busy to take that on. Engaging with your stakeholders and being creative about problem solving is essential. You will need active Board support to achieve this.

8: Documentation drafting

At this stage you will need to review your existing documentation to determine whether any of it needs to be updated or if there are any gaps. You might also need to update ownership in line with the changes to roles and responsibilities you have agreed.

9: Decisions and approvals

The changes you make will need to be formally adopted by the organisation, with a date for implementation and an implementation plan. You will need a structure such as a Steering Group with the authority and representation to make decisions. Members may need training to ensure they understand how to weight and consider the various aspects of the decisions they make.

10: Training needs analysis

Once the final shape of the privacy programme is determined, you will need to assess what training people will need and how it should be delivered. It’s important to consider what people have been doing and how it will change, as well as other matters such as learning styles and barriers. It is easy for office workers to forget that not everyone may have access to, or familiarity with, computer equipment, that different roles may be staffed with individuals with different levels of language proficiency, and that the nature of some roles may make it harder to allocate time to training. It’s essential that the training needs analysis is conducted in collaboration with stakeholders from across the organisation.

11: Training

The training programme is likely to include general and role-specific training and may include eLearning, face-to-face training, on-the-job training, just-in-time reminders and awareness materials. It’s easy to think about the immediate needs at launch, but you should also ensure you consider induction and regular refresher training. You should consider whether any of the training elements should include tests and, if so, what the required pass mark should be and what should happen with individuals who do not achieve the required grade.

12: Metrics and monitoring

Once the framework is in place, it is important to ensure it is working as intended. To do this, it can be helpful to define metrics and monitor performance against them. You will need to consider how the monitoring will happen, who will create the reports and how they will do this, and who needs to receive the reports. It’s important to ensure that the time taken on monitoring activities is proportionate to the risks involved and that outcomes are acted upon.

13: Audit plan

Periodically, the effectiveness of the privacy framework should be assessed. We usually recommend a combination of internal and external audits that focus on high-risk and medium-high-risk areas.

14: Horizon scanning

Your privacy framework will need to evolve over time as your environment changes. You will need to consider how you will collect intelligence about new laws, standards, decisions, guidance, threats, technology changes and expectations. This could include subscribing to newsletters, following relevant content creators on LinkedIn, using cyber threat intelligence services, setting up alerts, attending events and webinars and more.

15: Objective setting

Finally, you need to return to your objectives, review them and decide on your next steps. Your objectives may need to be updated, or you may be ready to start the next phase of your action plan to achieve them. We recommend reviewing the objectives and maturity of your privacy framework every year.
