CPO or no? Protiviti’s Tom Moore on the evolution of the privacy role and its uncertain future

Article
October 2024

IN BRIEF

  • When Google, a company estimated to hold between 10 and 15 exabytes of data — or the storage power of about 30 million PCs — makes a potentially game-changing decision regarding privacy, it’s probably a good idea for the rest of us to take note.
  • Privacy should not be a reactive function. Customers want to collaborate with companies that they trust, and protecting an individual’s privacy leads to trust.
  • The reality is that when the CPO is deprioritized within the organization, so is privacy itself.

The Information Age created an information explosion that shows no signs of slowing down. In fact, the increasing availability of information, including digital data, is speeding up exponentially. With the flood of all that new information come concerns for the C-suite about how to manage it safely and securely.


ABOUT

Tom Moore
Senior Managing Director, Data Privacy
Protiviti

Tom Moore is a senior managing director in Protiviti’s Data Privacy practice. Previously, Tom served as chief privacy officer at AT&T, directly responsible for all privacy programs, policies, strategy, and compliance with regulations at the state, national and international levels. Tom joined AT&T in 1990. Tom also serves on the board for the Future of Privacy Forum and the Community Foundation of the Lowcountry. He was formerly a member of the Executive Committee of the Board of Directors of the AT&T Performing Arts Center in Dallas.

While some companies expanded the role of their existing technology leaders to deal with this challenge, others opted to expand their executive teams, and the role of the chief privacy officer (CPO) was born. According to the International Association of Privacy Professionals (IAPP), Jennifer Barrett Glasgow of Acxiom Corporation was the first CPO. She began her oversight of privacy at Acxiom in 1991. Barrett Glasgow’s job description then was certainly radically different from the role of today’s CPO, which continues to evolve as quickly as new information becomes available and privacy laws and regulations proliferate. Many privacy leaders in organizations have taken on new titles and enhanced responsibilities in the areas of A.I., trust and ethics, and data governance.

Regulation and legislation

Back in 1991, very few privacy regulations existed globally. Since then, in the U.S., states have stepped up to fill a regulatory void left by the federal government. More than two-thirds have addressed privacy regulation: 18 states have it on the books, eight states have active bills pending, and 10 have bills working their way through their respective legislatures. Meanwhile, in April 2024, U.S. lawmakers announced the American Privacy Rights Act, a bipartisan draft legislation that seeks to create a national standard for data privacy and security, addressing the unregulated sale of online data and aiming to ensure individuals’ right to control their personal information. Although it has no shot to pass before the presidential election in November, lawmakers are optimistic it could serve as a framework for legislation in 2025.

Globally, there’s also been a dramatic increase in the number of privacy regulations. The General Data Protection Regulation (GDPR) from the European Union, in force since 2018, created one of the largest shifts in how information is managed within organizations. Every year, more countries, including Japan, Singapore and South Korea, have introduced new privacy regulations. According to the IAPP, as of March 2024, 70% of nations and 79% of the world’s population are covered by some form of data privacy law.

As privacy regulations continue to expand rapidly, business leaders continue to question who owns the responsibility for ensuring their organizations’ data practices are compliant and who should be responsible for meeting any new compliance requirements. Legal? Technology? Compliance? There may not be one correct answer, and truth be told, privacy is a shared responsibility across the organization.


Is the CPO role in decline?

In an IAPP survey of privacy professionals conducted last year, 78% said their organizations’ most senior privacy leader was in the five highest levels of the organization, while 21% were in the two highest levels. The data also showed that most of those surveyed reported to either the General Counsel (32%), the chief compliance officer (16%), or directly to the CEO (15%).

The annual survey’s biggest one-year shift shows a decline in direct reporting to the CEO and a rise in reporting to the chief compliance officer (CCO). One possibility is that this shift illustrates a decline in the stature of the CPO role in organizations and signals that privacy, like many other regulated areas, requires an integrated approach. Real-life indicators also point to the decreasing importance of the CPO. Anecdotally, there are plenty of instances when a CPO leaves the organization, or the position is eliminated in a restructuring, and it is not filled.

This is exactly what happened earlier this year when Google eliminated its CPO role in a corporate restructuring and opted not to fill it. There are other examples in large organizations where the CPO role either remains vacant or isn’t even on the org chart any longer. Is this because of a lack of expertise in the field, an inadequate internal bench, or a reprioritization of efforts and focus within the enterprise?

Or is it, as is the case at Google, that the varied responsibilities for data privacy have outgrown the role of a single CPO? Whatever the answer, it’s safe to say that when Google, a company estimated to hold between 10 and 15 exabytes of data—or the storage power of about 30 million PCs—makes a potentially game-changing decision regarding privacy, it’s probably a good idea for the rest of us to take note.

Another reason the CPO role may be in decline is the lack of measurable KPIs, which makes it difficult to benchmark privacy professionals. The status quo is that information and data should be protected, so unless an information breach occurs, a regulatory investigation is launched or a fine is levied, some companies may have a hard time evidencing that the CPO role has had a significant and direct impact on customer sentiment, the business and its bottom line.

Of course, good CPOs work to preserve the “status quo” every day and in this sense may even be victims of their own success. And if the responsibility for privacy is, ultimately, being dispersed across multiple roles within the organization, pitfalls could begin to emerge. For instance, a team that is already resource-constrained could end up with increased privacy responsibilities and inadvertently lose its focus on privacy—a risky proposition.

What are the risks of losing focus?

The risk of a diminished CPO role is losing a dedicated function and leader hyper-focused on privacy. When teams pick up privacy as a second or third priority, important tasks and obligations can get missed. Regulations may not be reviewed fully, legislative efforts are not monitored for anticipated changes, and dealing with enforcement becomes even more challenging. This, of course, has a direct impact on operations and customer perception.


Privacy should not be a reactive function. Customers want to collaborate with companies that they trust, and protecting an individual’s privacy leads to trust. Additionally, fines levied against companies found mishandling customer data can have a significant economic and reputational impact on the business. Though COVID-19 may have slowed global regulators from enforcing regulations, they are now making up for lost time with increased legislative authority and automated tools. And the repercussions for noncompliance are making headlines with fines and consent decrees.

It’s also important to consider the effect on the career paths and overall morale of the privacy team. When the CPO is deprioritized or pushed down the org chart, it becomes more difficult to attract top talent, and when the privacy pipeline dries up, it’s tough to turn on again. Moreover, eliminating the role altogether leads privacy team members within the organization to seek other disciplines or external opportunities to advance their careers.

Not prioritizing the CPO also leads to many management conundrums. Without a CPO, where does the privacy direction originate? Who will listen to the voice of the customer for privacy concerns and respond in a consistent, centralized manner? How does the organization create internal privacy awareness? The reality is that when the CPO is pushed aside or deprioritized within the organization, so is privacy itself. With the ever-changing and expanding legislative landscape and the sheer amount of data at our disposal, one would expect the role’s strategic importance to be apparent and to become more ingrained and elevated within organizations in the coming years.

Building customer trust

Those organizations that do employ and value the CPO role should expect continued cross-collaboration across the entire enterprise. Much like the expansion and awareness of internal audit and compliance functions following new regulations, privacy awareness also needs to be well communicated and understood across the entire organization. Initiating activities such as completing the Privacy Impact Assessments or Data Protection Impact Assessments (DPIAs) required under GDPR and some U.S. state laws can only happen if the CPO and privacy team are well versed in the legislation.

The CPO needs to have a stake in the product change management and lifecycle process and work closely with the data governance teams to understand what data is collected, how it’s processed and how it’s protected. The CPO today has numerous vectors of responsibility, including state, federal and global law enforcement; leadership and board attention; internal business models, products and services; technology advancements; customer expectations; and competitor brand and product positioning. Though privacy can be a shared responsibility across the organization, the CPO needs to be the focal point across the enterprise and be accountable for building customer trust through the company’s data protection and privacy practices.

Whether your organization has a chief privacy officer, is looking to hire one, or has opted to split the role across several functions of the business, the one thing that remains certain is that data privacy is not optional. More than ever, customers are demanding accountability from organizations about how their data is used, processed, shared and stored. It’s imperative that organizations invest in building a privacy program run by strong leaders who can navigate an evolving data privacy landscape. The risk of not doing so is eroding the company brand and losing customer trust.
