Leadership Matters

Perspectives on the key issues impacting senior leaders and their organizations
June 6, 2019

Beyond Data Protection: The Rising Role of the Chief Privacy Officer

By Spencer Stuart's Legal, Compliance & Regulatory Practice, Scott L. Vernick, Esq.

We are now in a time when the grand bargain of the internet — users providing their data without asking questions in order to receive free services in return — is up for renegotiation. Threats are growing increasingly sophisticated and pervasive, from formjacking (using malicious code to steal credit card information from websites) to ransomware (denial of access to a system or data until ransom is paid), and consumers and regulators are calling for more aggressive action. Being unprepared comes with a hefty price tag: In April, Facebook disclosed it expects to be fined up to $5 billion by the FTC for privacy violations.

With increased scrutiny over how personally identifiable information is protected, the need to establish, hire, or elevate the role of a chief privacy officer (CPO) is growing. Given the newness of this role, we share answers to the most common questions we receive about the CPO role and the broader data/privacy landscape. 

My organization has a chief information security officer. When do we need to bring on a chief privacy officer?
Privacy and data security are related but separate concepts. Data security is about the protection of digital assets, and to do this, chief information security officers (CISOs) focus on data governance and infrastructure. Privacy is about personally identifiable information, and the chief privacy officer is responsible for how that information is collected, stored, shared and transmitted, as well as for ensuring compliance with a complex set of domestic and foreign regulations.

Here are some situations when organizations should consider hiring a chief privacy officer:

  • Before a merger or acquisition
  • When expanding the business into new regions where you are legally required to have one (e.g., New Zealand, Australia and India are all establishing some version of GDPR)
  • When building new Internet of Things capabilities (i.e., “smart” devices that capture individual user preferences and data)

As a best practice, many Fortune 1000 companies already have an attorney or team of attorneys dedicated to privacy law. With the General Data Protection Regulation (GDPR), one of the most significant pieces of legislation in the area of privacy, as well as the California Consumer Privacy Act and additional state and federal laws under consideration, it will likely not be enough to have a dedicated privacy function.

Many organizations will need to elevate privacy to the C-level and appoint a CPO.

Where should the CPO sit within an organization?
It depends on how the role is defined. A major component of the role is compliance and, sometimes, the CPO is also responsible for incident response. In this case, it becomes a risk management function and typically falls under legal or compliance. It can also report into the CISO. Ultimately, the structure is less important than collaboration between groups, as the CPO and CISO must work together closely. Additionally, with 61 percent of board directors we surveyed reporting their top concern is cybersecurity, the CPO will be expected to interface regularly with the board to discuss how the organization is protecting the consumer.

What makes a good CPO?
The role of the chief privacy officer is a relatively new one, so we are often asked what skills are the most important. The CPO must be knowledgeable about privacy and data security laws, and while some technical knowledge is important, he/she does not need to have the same level of expertise as the CISO. Most CPOs have trained as technology, intellectual property, litigation, or regulatory attorneys. A minority of sitting CPOs are non-attorneys with broad-based compliance and risk experience.

Given the cross-functional nature of this role — and the fact that many CPOs shift industries — we’ve found that certain “soft” skills are especially critical to success, including: 

  • Collaborating and influencing skills – This work is highly cross-functional, working not only with function leads, including the general counsel and chief compliance officer, but also the rest of the C-suite and key business leaders. Strong interpersonal skills and the ability to build relationships and consensus are critical, particularly with the CISO.
  • Project management and prioritization – The best CPOs are those who can originate and implement an enterprise-wide project while understanding what to prioritize in an environment where decisions need to be made quickly based on data from multiple sources.
  • Crisis management – CPOs who are familiar with crisis management and can mobilize and prioritize quickly in the face of a breach will be most successful. 
  • Learning orientation – Threats and regulations are always evolving, so chief privacy officers and their teams must be comfortable being constant students. It’s also important to remember that the privacy law landscape is new relative to centuries-old traditional legal doctrine, so the privacy leaders of today have largely learned their skill on the job. 

Conclusion
In an environment where the stakes for a data privacy breach are higher than ever before from both a financial and reputational perspective, we anticipate that more organizations will appoint and/or expand the scope and prominence of chief privacy officers. In addition to managing compliance and implementing privacy best practices, bringing on a CPO demonstrates to the board, consumers and marketplace that your organization takes data privacy seriously. However, hiring a CPO is not the end point. Commitment from the board and C-Suite is critical to ensure not only that the individual leader is successful, but also that the privacy function as a whole is embraced and prioritized by the entire organization.