It's natural to take a risk-based approach to data privacy. However, I believe approaching privacy through a benefits-based approach has its own merits. Moreover, by managing customer privacy, there is significant business value derived from the resulting customer confidence and trust in the relationship:

At the outset, data privacy management enables certain aspects for an organization.

1. Transparency in processing customer data
2. Empowerment of customers to own their data
3. Efficient curation & handling of zero-data to service better
4. Standardize customer communication over preferred channels
5. Sustainable rights-management of leads and customers

The enablers stated above drive the competitive advantage of an organization to gain customer wallet share. On the flip-side, the enablers reduce the reputation and regulatory risk associated with an event of a data breach.

Further, if a customer trusts the organization by providing additional information, willingly – Which in-fact is called zero-copy data; It makes it imperative that the accuracy of that data is managed well for portability. The data capabilities that exist in a data-office, would ensure coverage of privacy requirements like managing classifications, entitlements in a catalog, discovery to name a few.

Coming from the aspect of “Accountability for Data Privacy” – is the need for a mature data ownership model in any organization. 

The accountability of data controls, whether entitlements around private data or security requirements, need to be captured by the data owners for all direct and in-direct customer identifying data. The data-discovery can be a good place to start to understand the privacy landscape. However, the data governance function directs, monitors, and evaluates while also enforcing accountabilities through business ownership and stewardship.

Further, associated data owners for private data can be updated in an Enterprise catalog that is enabled by metadata management. As data ownership is enabled, the existing privacy classifications and security requirements for customer data can be actively managed through the year. This also sets the context for the data owner in capturing entitlements (control requirements) across the data lifecycle, as a data controller, for any new data acquired.

I am assuming these perspectives will help you in translating privacy controls into operational capabilities with assistance from data function in your organization.