Privacy Is Taking Its Place in the C-Suite

Times are changing in the C-suite. Newer titles such as chief user experience officer and chief growth officer are rubbing shoulders with the “traditional” executives—CEO, COO, CFO, and CMO. In the privacy and security space, the most notable of these roles is the chief privacy officer (CPO).

“From our benchmarking studies, we’ve noticed that CPOs are receiving a lot of clout as a senior manager,” says Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, an organization that conducts independent research on privacy, data protection, and information security policy. “This is particularly true for industries with strict data regulations, such as healthcare and financial services. Privacy remains more of a midlevel or upper-management function in less-regulated industries, such as manufacturing.”

Customers Come First: Tools of the Data Breach Trade

The Three Faces of a CPO

In a world where both data breaches and privacy protection laws are madly proliferating, the role of chief privacy officer is critical on many fronts. Here are three functions:

1. Navigator toward Regulatory Compliance

Data privacy laws are constantly evolving as regulators try to keep pace in a fast-paced digital universe. According to the National Conference of State Legislators, for instance, at least 26 states have introduced or are considering breach notification bills or resolutions in 2016. And the stringent new European General Data Protection Regulation (GDPR), which will take effect in May 2018, is leaving companies bewildered and underprepared. A Symantec survey found that nearly a quarter of organizations will either not be compliant at all or only partly compliant by 2018.

“The data privacy landscape is drastically changing in the next few years,” Deema Freij, global privacy officer of security services provider Intralinks, said in a CIO article. “This means that companies will need dedicated resources to work their way through pending regulations, which will be complex, to say the least.”

2. Champion for Customer Privacy

“We’re seeing clearly significant challenges around maintaining privacy, both of customers and of employees,” Art Mazor, a principal of human capital at Deloitte Consulting, told Fast Company. “We’re finding companies are looking to emphasize the importance of those roles.”

Dr. Ponemon agreed. “One of the great challenges for privacy professionals is getting different functional areas in the company to operate at a high level of data ethics,” he said. “A CPO with true C-level clout will be much more successful in encouraging and enforcing compliance among their executive peers than someone without that level of authority.”

Roger Grimes, an InfoWorld security columnist, shared some insights on how CPOs can champion privacy inside an organization. What he called a “dedicated privacy advocate” can tell a company what data can be collected, establish data retention and deletion policies, manage legal requests for private data, educate other executives and the workforce, and create privacy documentation and policy.

3. The driver of a Successful Breach Response

When they work together, chief privacy officers and their security counterparts are the driving force behind a successful breach response. Sallie Milam is CPO for West Virginia Health Care Authority. She also facilitates the West Virginia executive branch’s compliance with state and federal privacy laws, policies, and best practices. In the event of a potential breach, she and her group work closely with the chief technology officer (CTO)’s security team. “I see our jobs as pretty [discrete] while requiring really good collaboration and coordination,” Milam told Government Technology.

However, the importance of a CPO may not be evident until after the fact, Dr. Ponemon noted. “Once a company experiences a material breach, it will appoint a CPO,” he said. “In the anticipation of a future breach, the chief privacy officer provides readiness training, develops an incident response plan, assembles the team, has procedures to contain the problem, and plans for prevention.”

The Downside of Being a CPO

Life as a CPO has its challenges. To be successful, a chief privacy officer with true authority requires a lot of valuable resources, Dr. Ponemon pointed out. “Nothing is really free,” he said. “For example, even one-hour privacy training for thousands of employees is costly.”

Relationship troubles may also plague CPOs, especially from security pros who often don’t see the value of privacy. “I would love it if IT folks got into privacy more if we could be building privacy into the heart of a project rather than trying to bolt it on at the end,” Milam said. “We could have those privacy principles built into the design right from the beginning.”

The Carrot and the Stick

Moving forward, companies must make data privacy protection part of their business strategy. For organizations in heavily regulated industries or that handle high volumes of consumer data, that means appointing a chief privacy officer.

CPOs must beware, however, that with the increase in power and visibility, comes an increase in accountability. “If there’s a breach, eyes will turn toward the chief privacy officer,” Dr. Ponemon said. “At the same time, a CPO can provide an organization with much-needed direction when it comes to protecting the privacy of sensitive customer information.”

Customers Come First: Tools of the Data Breach Trade