The Chief Data Officer is in a unique position because they bring together the ever expanding catalog of available information and opportunities to bring value to their organizations. To be effective, they need to look at information objectively, realizing the upside potential, while managing risk and acknowledging their handling responsibilities.
An “I” in PII stands for INFORMATION
The range of information can and should include all the sources that can help achieve the desired objective, including information about people, such as Personally Identifiable Information (PII). After all, PII is just a class of information, which in many cases can enhance the quality and value of products and services.
But PII is unique in that because it pertains to individuals, it is increasingly subject to a wide range of obligations, whether regulatory, contractual or ethical. The Chief Privacy Officer is tasked with implementing the policies, procedures and controls around how PII is handled within an organization.
Since the scope of a CPO’s role is to manage compliance for information tied to individuals, and the CDO’s responsibility is around governing and managing the full body of enterprise information, it follows that the CPO responsibility is a subset of the CDO’s responsibility.
Bringing the CDO and CPO together
Traditionally, the CPO sits in the legal and compliance area of organizations, which positions them well to focus objectively on the treatment of the information, looking at it through a legal lense.
In last several years with the rapid growth of data science, there has been a significant refocus on how information is used in organizations, with the increased recognition of the benefit information leverage can bring. Organizations have responded by hiring data scientists and appointing CDO’s located within the business side to focus on leveraging information as an asset.
Having the CDO be organizationally separate from the CPO increases the challenges to have them collaborate, and raises compliance risk. Instead, having the CPO within the Office of the CDO — or even be the same person — provides the opportunity to leverage information with compliance built in, with clear accountability to operational leadership.
Why is this better?
Merging the CDO and the CPO roles provides organizational clarity around the commitment to pursue the opportunities data provides, while highlighting and recognizing the importance of respecting the compliance obligations. The CDO should be equally conversant in business goals, and the data vision and strategy as they are in the data privacy program.
In addition to the positive optics around emphasizing the importance of privacy, this model embeds privacy in the fabric of operations, not as an after-thought. It enables the goal of implementing Privacy By Design, and a Privacy Impact Assessment (PIA) becomes a “punctuation mark”, not a major activity.
Checks and balances
To be sure, colleagues (in Risk and General Counsel’s offices) would point out that a benefit of separating the CPO from core business operations is that it helps ensure organizational objectivity and independence, supposedly reducing the chances that privacy requirements can be deprioritized relative to revenue objectives. But I would argue it happens anyway, in part because the separation raises the risk for privacy to be an afterthought. And implementing privacy requirements as an afterthought (or even just later in a project) greatly reduces the chances of success, while increasing cost and extending timelines.
So there are two key relationships that need to be in place to help ensure the effectiveness of the Privacy program:
- Counsel: Privacy is a legal concern, so the CPO/CDO should have a strong relationship and connection to Counsel. Even the largest organizations rely on outside counsel to supplement the skills of in-house counsel. This is a great idea and should be formalized.
- Internal Audit: The CDO/CPO should work with internal audit to make sure data handling is included in the scope of the audit plan. If there is an ERM (Enterprise Risk Management) plan, data risks and mishaps should figure prominently.
Organizations that are pursuing data leverage, whether as a source of new revenue, or a way to improve products and services or as a way to optimize management decision-making, should consider the significant benefits of merging the data management and privacy capabilities, as it may lead to a stronger – and safer – program, more aligned with the business.
Contact me at firstname.lastname@example.org