In the years ahead, complying with data privacy regulations is going to be an extreme challenge for companies as they attempt to balance profits, reckon with existing and soon-to-emerge regulations geared toward protecting the rights of individuals, and ensure enterprise security. Without a doubt, given all that is on the horizon, data privacy will become a central function for companies. As such, it will likely require a central person assigned to it. But just what that job entails, and even what to call it, is not yet clear.
This article examines the possible incarnations of a chief data privacy officer within a business, exploring the framework companies are using to create such positions, and explaining the role this person will play.
The Motivations for Creating a Data Privacy Role
As detailed in our previous blog on the data privacy regulations springing up around the world, the issue of how companies must protect customer and individual data is quickly coming to the forefront. Given the complexity of the regulations and how they vary across countries and states, it makes sense to have a role dedicated to managing the intricacies of these laws and the protection of consumers.
Essentially, the main goal of a data privacy officer will be to ensure that the organization or business recognizes that the privacy of data that is being created by and belongs to individuals is not only a business necessity, but an inherent human right. Companies need a role that understands that the value of data isn’t just about the profits a company can reap from it or the potential risks it will face if it is exposed, but rather that the data has intrinsic, personal value in and of itself, outside of the value it brings to the business. There are a number of perspectives worth considering when it comes to what this role should be called and the responsibilities it will encompass.
What’s in a Name?
Depending on how businesses view the role’s parameters, it could assume a few different titles. A strong perspective would be to avoid limiting the role solely to data privacy, but instead, title it chief privacy officer. This person would be tasked with protecting the privacy of data generated by individuals, customers, and employees, as well as the privacy of those people themselves.
In such a role, the chief privacy officer would be focused on ensuring that the organization is collecting and using the data in a way that is not just compliant but goes beyond the letter of the law and adheres to a higher standard. As mentioned above, such a view recognizes that the privacy of data is a human right because of its inherent personal value. The measures of success for such a role would obviously be to ensure regulatory compliance and to avoid privacy violations of any kind. But a chief privacy officer would also make sure that the data the business uses, collects, and curates is treated in a way that recognizes this inherent human right to ownership and privacy of personal data.
The chief privacy officer would also be responsible for an absolute accounting and inventory of all data the organization receives. Currently, organizations often have no idea about the extent of the data they’re collecting and storing or how it’s being protected or used. A chief privacy officer would have to correct this. Ultimately, such a role would be designed to avoid the type of problems that arose in the Cambridge Analytica/Facebook situation in which, although no laws were technically broken, people’s data was used to manipulate them.
When it comes to the day-to-day operations of the job, a chief privacy officer would have responsibilities that include, but are likely not limited to, the following:
Taking a broader perspective of risk management and security for the business as a whole, the chief privacy officer could be part of a three-legged stool along with the CISO and the CIO. In such a setup, the CISO’s role would be to ensure the enterprise is protected from security risks that impact how that organization protects and drives revenue. The CIO would provide the infrastructure that actually makes protecting and driving revenue possible. The chief privacy officer would lead the oversight body tasked with ensuring the responsible use and privacy of data and would be supported in that effort by the CIO and CISO.
Another way to construct a data privacy organization would be to appoint a chief data protection officer. The chief data protection officer would likely supplant the CISO and serve on an equal level with the CIO. The data privacy officer would be a subsection of this role or a department within it, focused more narrowly on personal data and the law.
By contrast, the chief data protection officer would focus on managing the protection of enterprise-related data in various contexts and forms. The role would be predicated on the idea that the actual business value of data doesn’t come solely from how it can be used, but also how it is protected and managed competently so that its privacy is maintained. The role would be geared toward the protection of all data needed by the organization, including intellectual property and financial data.
A chief data protection officer role would be focused broadly on risk mitigation from a business standpoint, and security and privacy would both fall under its purview. This officer would have to constantly balance risk and make risk-based decisions that take into account security and privacy.
In the past, a CISO may have been asked by the board, “Are we secure?” The answer is not binary. Instead, a chief data protection officer would define secure as privacy times risk.
This risk would be determined ultimately by the potential impact that loss of the data in question would have on the business. It would involve implementing a variety of processes, both technical and policy-based, to ensure proper governance and management of data within the context of the goals of the business. For instance, a chief data protection officer might recognize that it is worthwhile for a business to give up some of its intellectual property to expand into a market like China, even though the security of that intellectual property would likely be lost in the process.
From any perspective, protecting data is of utmost importance. But as these two possibilities for instituting a C-suite-level, data privacy-focused role show, companies will face a dynamic situation when grappling with data privacy and will have to make many decisions about how to handle such a position to best serve their objectives.