This is a very good document.
Does WMF have a privacy role?
The role, as I see it, is to be an advocate for the user's interests, answering questions like "would the user be surprised to know their data is being used for X", "would it be ok for NYT to publish that we're doing Y", "what's the impact if this dataset was released/hacked", and making sure data handling procedures are in place and followed. The privacy roles I've interacted with sit between dev/management and legal. Dev says "X would be a great feature"; legal says "here are the risks of doing X"; and privacy says "X sounds great, go ahead; there is no private data handled in this pipeline" or "X is doable within a constrained, access-controlled, strictly logged and reviewed environment as it contains moderate PII".