Customers and employees today are increasingly concerned about their privacy, how their personal information is collected, who controls that data and how it will be used.
The chief privacy officer, or CPO, plays a central role as an advocate for both customers and employees, ensuring a company respects privacy and is in compliance with regulations.
A position that first appeared in the 1990s, the chief privacy officer is a C-suite executive who develops and implements the policies that govern how employee and customer data is collected, used, shared and protected from unauthorized access. That includes compliance with state, federal and international data privacy laws and regulations, so the CPO must be knowledgeable about current privacy law, enforcement models, compliance technology, privacy policies and privacy program development. A law degree is helpful, though not a requirement.
Typically, the CPO works closely with other related executives, including the heads of compliance and security, chief information officer, chief information security officer and chief data officer. Some companies have created an executive position similar to the CPO — the chief data ethics officer — to ensure the company is ethically dealing with customer and employee data.
Whatever the title, the fundamental currency of the role is data. Customers today demand greater insight and control over how their personal data is collected and how it will be used, said Sharon Zezima, chief data ethics officer at Acoustic, a marketing technology company in Atlanta. “As a result, the role of the CPO has been elevated in recent years as brands look for specialized support with setting privacy strategy, protecting their customers’ interests, and regulatory compliance,” she said.
Heightened consumer expectations about data privacy and ethics mean companies need to ensure adherence to ethical practices. “This position ensures the integrity of a brand’s data practices beyond privacy compliance,” Zezima said. She said companies should take an expansive “human-centered” approach to data privacy that incorporates data ethics, governance, protection and privacy, and actively work with partners and regulators.
“An ethical data use framework throughout the data lifecycle, from product design to collection and use to destruction and disposal, ensures data utilization is not only legal but also deliberate and fair,” Zezima said.
The position of data protection officer (DPO) has also become more common since the European Union’s landmark General Data Protection Regulation (GDPR) took effect. Although the roles overlap, the DPO is a distinct role mandated by Article 37 of the GDPR for public authorities and for organizations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data. In practice the DPO often works under the CPO to ensure GDPR compliance, keeps the CPO informed about data privacy practices and new laws and regulations, and acts as the point of contact for supervisory authorities, although Article 38 requires the DPO to report directly to the highest management level and to act independently.
Stay on Top of Privacy Regulations: GDPR, CPRA, CCPA
One of the greatest challenges facing chief privacy officers is staying on top of, and in compliance with, the rapidly growing thicket of privacy laws and regulations. Agility and continued evolution are fundamental.
“Challenges include an increasingly complex legal and regulatory environment with a growing patchwork of federal, state and international privacy and data security laws,” said Rachel Reid, chief privacy officer at Voya, a New York-based financial and insurance firm. “As this environment continues to become more complex, we have continued to evolve our Privacy Office and team to keep pace.”
In November 2020, California voters approved Proposition 24, also known as the California Privacy Rights Act (CPRA), which amends and extends the state’s existing privacy law, the California Consumer Privacy Act (CCPA). CPRA adds rules and gives consumers more control over their data, who can access it and what can be done with it. Specifically, CPRA gives consumers the right to correct their personal information, to be told how long their data will be retained, and to limit the use of sensitive personal information such as precise geolocation. It also created a dedicated enforcement body, the California Privacy Protection Agency, and most of its provisions became operative on Jan. 1, 2023.
In 2019, New York’s governor signed into law the SHIELD (Stop Hacks and Improve Electronic Data Security) Act, which requires any business holding private information about New York residents to implement reasonable administrative, technical and physical safeguards and broadens the state’s breach notification requirements. The attorney general can seek civil penalties against non-compliant businesses: up to $5,000 per violation of the safeguards requirement, and up to $250,000 for failures to notify.
Europe’s GDPR, mentioned above, is one of the strictest data privacy regulations passed so far. Although it is a European regulation, it applies to any business, wherever it is located, that offers goods or services to people in the EU or monitors their behavior, regardless of those people’s citizenship. Noncompliance can result in significant fines, currently capped at €20 million (approximately $23 million) or 4% of a business’s annual worldwide turnover, whichever is higher.
Other countries are stepping up to the privacy protection plate as well. Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), in force since the early 2000s, was significantly amended in 2015, and South Africa’s Protection of Personal Information Act (POPIA) took effect in July 2020, with a one-year grace period before compliance was required. The National Conference of State Legislatures maintains the Consumer Data Privacy Legislation list of current and proposed privacy legislation and regulations in the United States. The International Association of Privacy Professionals (IAPP), a professional association for privacy practitioners, is another resource for CPOs and privacy professionals.
Create a Culture of Data Privacy
Given how quickly new legislation is being passed and implemented, the CPO’s role is vital for regulatory compliance. But ensuring regulatory compliance is a group effort that starts with key leadership and ends with all employees in the company, Reid said.
With more than 100 countries having data privacy laws on the books, often with conflicting or contradictory requirements, the CPO has to navigate complex regulations and laws in order to assure compliance. Not only does the CPO have to understand current privacy laws and regulations, the job also involves engaging with regulatory agencies for guidance. “We also maintain contact with regulators to ensure that we clearly and accurately interpret and apply privacy regulations throughout our business,” said Reid.
Jim Pendergast, senior vice president of altLINE Sobanco, a division of Alabama-based The Southern Bank Company, said that while the chief privacy officer is ultimately in charge of regulatory compliance, the actual monitoring of regulations and legislation may fall to data protection officers. “The CPO might appoint one or two data protection officers (DPO) whose daily responsibilities include the finer details of industry privacy regulations and compliance,” he said. “They report these ultimately to the CPO, with everyone able to use that information to recommend data policy evolution.”
Avoid Bad Press With a Data Breach Response Plan
A reputation is slow to build and difficult to repair. Data breaches occur frequently, and the loss of customer data can lead to identity theft and monetary loss. According to a report published by Statista in October 2020, there were 1,473 data breaches in the United States in 2019, with over 164.68 million sensitive records exposed, and in the first half of 2020 there were 540 reported data breaches.
By having a proactive strategy in place, companies can reduce both the likelihood and the impact of data breaches and, just as importantly, protect their reputation. When customer data has been lost, a prepared breach response plan lets the CPO manage the resulting public relations crisis rather than improvise. While IT and cybersecurity teams contain the incident and patch or remove the vulnerabilities that enabled it, the CPO coordinates communication with customers, media, marketing and other employees, prepares press releases and social media posts, and revises or updates company data privacy policies. Two caveats a practitioner will want in that plan: statements should be coordinated with the incident response and legal teams so that nothing is asserted before the scope of the breach is actually known, and the plan should build in the statutory notification deadlines that apply, such as the GDPR’s 72-hour window for notifying the supervisory authority, because those clocks start running at discovery, not at the end of the investigation.
“Data incident responses are one of the processes the CPO is responsible for helping set and guide,” said Pendergast. “However, it’s just one of the many hats they wear. Actually initiating and administering the steps of a breach response incident would fall on a data protection officer (DPO) or advisor themselves, since this is their specific expertise, then tag-teamed with IT and cybersecurity officials.”
Customers are quick to judge, but they are far more likely to forgive a loss of personal data if a company quickly owns up, fixes the vulnerabilities that allowed the loss to occur, and works efficiently with banks and other institutions to resolve potential financial losses resulting from the breach.
Collaborate to Develop Effective Policies
“A CPO needs to rely on the subject matter expertise of many different leaders and compliance experts across the organization to create evolving policies,” Pendergast said. “The CPO is the ultimate face of it, though, branding and communicating it to customers and other executive leaders alike.”
Pendergast said the CPO’s most important function is designing and spearheading data usage policies for the entire organization while making sure policies are aligned with long-term business goals. “By default, designing a data usage policy requires everyone’s participation but especially IT and department heads who are necessary to specify policy needs given each department’s roles,” he said. “But it’s ultimately the CPO who strategically oversees the design of these policies.”
With new data privacy legislation being passed every year, ensuring compliance with regulations is a huge task. The CPO monitors data privacy laws and regulations, creates data usage and privacy policies, develops the data breach incident response plan, and serves as the ultimate advocate for customer and employee privacy.