Why Enterprises are Adding Chief Privacy Officer to C-Level Leadership

Many Fortune 1000 companies and SMEs already have one or more C-level executives dedicated to IT security, including a Chief Information Officer (CIO), Chief Security Officer (CSO), Chief Information Security Officer (CISO), Chief Data Officer (CDO), and/or Chief Compliance Officer (CCO). They may also have a team of attorneys dedicated to privacy law, which begs the question: Is another C-level executive really necessary to oversee consumer data privacy?

Short answer: Yes.

Much longer answer: Yes, and here's why:

Why Appoint a Chief Privacy Officer?

CPOs have been around since the pre-Internet 1990s; however, they have never had as many responsibilities as they do today. The amount of data that companies collect and use has increased exponentially, and the regulations governing that data have expanded at a similar rate.

However, the main difference between new and former laws is a focus on privacy policies. The new legislation contains specific requirements for user-accepted privacy policies, acceptable use, acknowledgment of liability, and restrictions on the use of privacy policy language.

This has elevated the necessity for a chief privacy officer to provide leadership for a huge variety of responsibilities, including:

Avoiding reprimand. Non-compliance carries significant legal risk for issues based around personal data notices, transparency, collection, use, storage, processing, return, incident management, reporting and more:

• General Data Protection Regulation (GDPR) – Non-compliant businesses face fines of “up to 4% of annual global turnover, or €20 million (whichever is greater).” Actual fines are assigned according to a tiered schedule based on several factors, including the size of the business.

• California Consumer Privacy Act (CCPA) – Non-compliant companies are open to individual and class action lawsuits in the event of a data breach. The California Attorney General has the authority to issue fines to non-compliant companies of $7,500 per intentional violation, and $2,500 per unintentional violation.

• New York's SHIELD (Stop Hacks and Improve Electronic Data Security) Act – The New York Attorney General may take action to secure civil penalties against non-compliant companies, including awards for both actual damages and lack of breach notice. Penalties begin at $5,000, or $20 per violation (whichever is greater), up to $250,000.

This does not take into account the direct financial and reputational consequences of a consumer data breach, which if anything can be more severe.

Navigating complex privacy laws and regulations. There are more than 100 countries with various privacy laws on the books, and an expanding number of sub-national standards, protocols, and regulatory regimes, sometimes with conflicting or contradictory requirements.

In the US, the absence of a federal standard has prompted states to take on the challenge of personal data protection individually. Keeping in compliance with the web of data privacy regulations this is creating is challenging in itself and exacerbated by the continued introduction of new state-level laws. In addition, businesses are expected to also abide by applicable compliance standards from NIST, HIPAA, ISO, CIS, IAPP, etc.

This requires a team of highly specialized data compliance experts, and teams need a leader; one in a position to make strategic decisions to create a cohesive program that encompasses all applicable personal data including customers, clients, patients, employees, and students.

Providing leadership for consumer data security. While other corporate roles also oversee data security, consumer data security is the specific and sole domain of the CPO. Structuring, implementing, and managing appropriate policies and procedures, designing and enforcing security protocols, maintaining processes for data storage and handling, avoiding breaches and interruptions to business operations, managing incident response... all these functions and more can be enhanced by an effective CPO.

Maintaining adequate attention to privacy at the leadership level. Adequate attention encompasses a spectrum of strategic management leadership duties in this context, including:

• Updating compliance programs to meet evolving standards for best practices
• Ensuring compliance with breach notification laws in the event of an incident
• Implementing and maintaining staff training for data privacy technologies, processes, and techniques
• Providing ongoing guidance and advice for enterprise privacy operations, strategies, and goals
• Supporting ethical, privacy-aware behavior across the enterprise

Key takeaway: There's more consumer data to manage than ever and it's critically important for enterprises to effectively review data collection practices and policies to ensure they are in compliance with global frameworks that govern the use, safety, and privacy of this data.

Question to consider: Does your company have the leadership resources in place to provide a suitable level of oversight?

A New Frontier: The Mandated CPO

The GDPR is the first widely implemented international standard that requires a role responsible for ensuring compliance for data security:

“The duties of a Data Protection Officer (DPO) include: Working towards the compliance with all relevant data protection laws, monitoring specific processes, such as data protection impact assessments, increasing employee awareness for data protection and training them accordingly, as well as collaborating with the supervisory authorities.”

New Zealand's updated Privacy Bill implements many of the same regulations as the GDPR, and Australia and India are also creating their own versions. The CCPA does not have a specific requirement for a CPO-like officer. However, the obligations of the act are numerous, far-reaching, and complex: organizations subject to the CCPA operate at a disadvantage if they do not have senior-level leadership for consumer data privacy, and the CCPA is viewed as a model for other states pursuing similar regulations.

Key takeaway: The era of the mandated CPO is here to stay.

Question to consider: Is your organization keeping pace with evolving regulations and mandatory (or de facto) requirements?

Outsourced Chief Privacy Officer Solutions

Many enterprises lack suitable expertise, scale, or candidates to nominate an effective CPO from inside the company, and others don't want to redirect resources away from mission-critical operations. Are these companies doomed to non-compliance? Of course not, they're simply engaging a search outside their organizational perimeter to find outsourced CPO solutions.

The GDPR says that the DPO role may be hired externally, to allow organizations that lack sufficient in-house resources to meet their compliance obligations; other standards make the same allowance. This has given rise to professional outsourced solutions, including “shadow” or “virtual” CPOs who are contracted to provide close support for clients that lack expertise and necessary resources for privacy, regulatory compliance, data protection, or information governance.

Key takeaway: External CPO solutions are available, and significant advantages can accrue from accessing superior knowledge leadership, professional skills, and technical capabilities from third-party chief privacy officer services providers.

Question to consider: Is your organization suffering a CPO performance gap by trying to do everything in-house?

Making the Executive-Level Leap

The requirement for a chief privacy officer in today's evolving security environment shouldn't be viewed as an additional burden or resource drain. Instead, view this as an opportunity: effective CPO leadership can be a source of sustained value and continuous improvement for enterprises in a wide range of sectors.

To learn more about how your company can benefit from enhanced privacy leadership, contact us for more information about Avertium's full range of personal data privacy and related services.