While there is a primary focus on emerging trends in privacy-related to Legal regulations, there is, at the same time, considerable changes and evolution happening on the organizational and staffing side of privacy. Historically, the privacy function seems to be most matured in the health care space. Most health care providers or related organizations have an existing privacy officer and attorney focused on the privacy function in the HIPAA space. Financial services are another regulated environment with privacy controls and processes.
Enter GDPR and CCPA, and now privacy is suddenly moving from the healthcare and finance sectors into mainstream businesses and functions, front and center. Article 37 of GDPR requires the designation of a data protection officer (DPO) for three specific cases. In addition, privacy regulations like CCPA are expected to impact small and medium-sized businesses.
"A successful privacy organization leader needs to be anchored in a risk-based pedigree"
Who will bear the responsibility for Data privacy and who will run the program in US companies? What does this mean for organization structures? How is privacy going to be managed in a CCPA world?
In general, the organizational privacy landscape, beyond the large tech giants seems to be all over the place. The Privacy function most often reports to finance, legal, cybersecurity, or IT leadership.
Below are some examples of privacy structures commonly seen in the non-health services and non-financial services sector in the US:
Large Global California Tech companies (most skin in the game)
• An army of program managers, coupled with privacy committees and attorneys. Embedded in technical development teams are also privacy champions or ‘engineers’ who can translate privacy concepts to engineering design and code.
Medium size US Corporation with EU presence
• A lone privacy officer with no staff and near-zero budget reporting to technical leadership
• A lone privacy officer with no staff and near-zero budget reporting to cybersecurity leadership
Top US non-profit (least skin in the game)
• Privacy Director reporting into Compliance team
Who should privacy report into?
As an industry, we are still trying to figure where the Privacy function should lie, why the chaos?
CCPA and GDPR are moving privacy from a compliance function to a more centralistic and core function to the business.
GDPR requires the designation of a Data Protection Officer (DPO) and requires that the Data Protection Officer (DPO) reports to the highest management level in Article 38(3). This reporting requirement is interpreted by many to mean that the DPO should report to various C-Suite members or the executive board. CCPA does not have such a requirement.
However, corporate America has seen a trend towards the proliferation and dilution of the ‘C’ suite, and privacy could get lost in reporting to a ‘C’ function that doesn’t do much. I suggest two approaches here:
Option1: Privacy function reports into a C function that is considered independent and reports directly to the board. A function such as compliance or cybersecurity often has independent reporting to the board. The downside is that the privacy function is part of a larger compliance or security reporting framework.
Option 2: On the other hand, a more aggressive approach, that would also move Privacy front and center to the highest levels of the business, could be to make the Privacy function an integral function of the Chief Data Officer or the Chief Trust Officer.
So, we’ve got reporting down; what does the Chief Privacy Officer (CPO) need to run privacy successfully?
A successful privacy organization leader needs to be anchored in a risk-based pedigree. A background in assessing understanding and translating technical and business risk to the board is a fundamental requirement to run a privacy program. Additionally, the Privacy person must understand Data and the legal framework they are working in.
The best combination of skills and background to run the program would be a combination of legal, cybersecurity, and project management. That would imply that the skill set combination best fit for running a privacy function is a combination of cybersecurity, legal skills, and MBA skills. As we all know, finding cybersecurity skills already is a huge shortfall, and obtaining the combination of all three is wishful thinking at best.
Cybersecurity people are closest to the wire here since they are familiar with managing the risk and protection of data. They are familiar with data risk classifications and bridging the gap between the business and technical teams. cybersecurity people are familiar with technical and administrative controls for data protection. They are already embedded in the business for training and security review. Privacy seems to be the closest and natural fit with cybersecurity. However, the flip side is that many cybersecurity people find it difficult to take off the cyber-hat and put on the privacy one. Also, CISOs are already buried under their own cyber workloads, and privacy could take a backseat.
I suggest the person running the privacy function should have a combination of at least two of the three skills: cybersecurity, Legal or Business, and fill in the third with internal or external resources. So, a Chief Privacy Officer (CPO) who has a JD and an MBA could hire cybersecurity contracting resources to get the job done. A cybersecurity person with an MBA background could have a dedicated internal attorney or outside counsel to assist with their running of the Privacy function.
The Privacy function, as one CISO put it, ‘is where security was ten years ago.’ Privacy organizational structures will mature with time and the evolution of regulatory rules and frameworks and their associated enforcement penalties, which will drive hunger for talent and maturation in organizational structures. Until then expect the entropy to increase.