The Rising Importance of Chief Privacy Officers
According to UNCTAD, over 100 countries around the world have adopted some form of data protection and privacy legislation. Spearheaded by the EU's General Data Protection Regulation (GDPR), a new wave of privacy laws is holding companies accountable for the personal information they collect and for how it is used and protected.
These new responsibilities have led to the appearance of new compliance and data protection oriented positions within companies. Alongside Data Protection Officers (DPOs), which the GDPR requires many organizations to appoint, Chief Privacy Officers (CPOs) have emerged as a new class of C-level executives charged with developing and implementing policies designed to protect personal information from unauthorized access and misuse.
Their role, however, is not strictly regulatory. It also has a strategic dimension: beyond protecting data and ensuring compliance, a CPO looks at how privacy can help build customer trust and enhance a company's reputation, adding value back into the business.
Data Protection as a Key Concern
The main reason for the appearance of CPOs is the growing importance of data protection, both as a legal requirement and as an essential part of cybersecurity frameworks. With companies collecting progressively larger volumes of data, and the sale of data becoming an important source of revenue for both businesses and cybercriminals, data has never been more valuable or more vulnerable. Major data breaches can irreparably damage customers' trust in a brand, and small and mid-sized companies often go under within six months of a data breach.
Data protection laws have also become more complex in recent years, with the likes of the GDPR and the California Consumer Privacy Act (CCPA) setting the bar higher than ever for data protection requirements. These privacy laws granted unprecedented legal rights to data subjects regarding their personal information, allowing them to request access to it, its deletion, its correction or its transfer to another provider. They also brought with them fines so high that noncompliance is no longer a financially feasible option for businesses.
It is therefore no surprise that organizations have felt the need to appoint a CPO to be in charge of protecting personal information. In larger organizations, CPOs have teams working under them, while in smaller companies a single individual is in charge of all data protection efforts.
CPO vs CISO
Many companies question the need for a CPO if they already have a Chief Information Security Officer (CISO). Both roles have a strong security element, but they are distinct. CISOs are concerned with the overall security of data on company systems and networks, focusing on infrastructure, controls and data governance, whereas CPOs are tasked specifically with protecting personal information: overseeing how it is collected, stored, shared and transmitted, and ensuring compliance with the data protection regulations that apply to the company, both domestically and internationally.
CPOs need both legal expertise and enough technical knowledge to propose strategies that satisfy compliance requirements and are viable on the company's existing infrastructure. Because of this, CPOs work closely with CISOs to develop and implement data protection strategies: the CPO brings the regulatory knowledge and defines what must be protected and why, and the CISO brings the technical expertise to turn those requirements into effective controls.
CPOs and Data Breaches
A CPO's responsibilities are not limited to preventive data protection; they extend to data breach response plans that give the company a prepared course of action in case a breach does occur. Even where data protection measures and an effective cybersecurity framework such as the CIS Controls are credited with preventing 97% of cyberattacks and data breaches, the remaining attacks still get through, so a residual risk of a breach always remains.
Sometimes a new, unforeseen threat strikes a company before it has had a chance to protect its data against it; other times a company falls victim to relentless attacks or to employee carelessness. No data protection strategy is bulletproof, which is why CPOs are there to ensure that, when a breach does happen, the company can react swiftly, minimize data loss and take the proper legal steps to report the incident to data protection authorities.
With privacy laws like the GDPR giving companies only 72 hours from becoming aware of a personal data breach to notify the supervisory authority (unless the breach is unlikely to result in a risk to the affected individuals), organizations must already have mechanisms in place to generate the information needed for incident reports, as well as a tested way of notifying affected customers of breaches that put them at high risk. They must also have a plan to manage the reputational damage the organization may incur in the wake of a breach. All of these data breach response plans fall under a CPO's responsibilities.
The importance of CPOs has risen together with that of data protection, as both a legal obligation and a security requirement. Their standing is likely to continue to climb in the coming years as stricter data protection legislation sweeps the globe and large-scale data collection creates the need for increasingly complex strategies for protecting personal information.