Organizational Placement of Privacy

Question for the community: where should a Chief Privacy Officer (or more broadly, the privacy function)?  Some alternatives include:

  1. Counsel’s office: Since privacy is a legal matter, it stands to reason that compliance would benefit from being embedded with the general counsel.  On the other hand, counsel is often positioned as a separate function to demonstrate objectivity and independence from operations.  Moreover, since lawyers are trained to look at situations through a legal-risk lens, they are sometime less able to “get to YES” and truly embed privacy in operations.  Operations folks may look at their Legal colleagues in general as someone providing “sign-off” and that perception might extend to privacy compliance.
  2. Risk Management & Compliance: again, the alignment has some logic, since privacy provides a set of requirements that overlaid on operational processes, and one should manage the risk of non-compliance.  However, similar to assigning privacy to the Counsel’s office, Risk and Compliance are often organizationally separate to maintain objectivity and independence.  As a result, there will likely be challenges in embedding privacy into operational processes to achieve Privacy/Data Protection by Design.
  3. Office of the Chief Data Officer: The CDO is tasked with understanding the full breadth of data for purposes of deriving value and helping the organization leverage data in existing and new initiatives.  As a result of developing and maintaining the inventory of an organization’s data, the CDO is in a natural position to assess the applicability of privacy requirements and embed privacy requirements in business processes.  The challenges include that the CDO may be perceived has having a conflict of interests by owning privacy compliance as well as data leverage goals (in much the same way as a CIO has a conflict of interests by owning the CISO function).  Another challenge is that CDOs don’t always own all data in the organization, instead focusing on the data to be leveraged or monetization.  This leaves key gaps – such as employee data.
  4. Office of the CIO or CISO: The CISO is tasked with protecting data and is often looked to when there are data incidents.  As a result, the CISO has operational processes as it relates to embedding security requirements as well as monitoring/responding to issues, so adding privacy requirements would seem like a logical extension.  Moreover, the CIO and CISO are very well versed at implementing tools and extensions, which will be required for an effective program.  Privacy professionals will be quick to point out that privacy requirements extend well beyond security, and compliance requires a different level of understanding of the nature of data and how it’s used; a privacy breach may exist where no “traditional” security breach has occurred.  Moreover, privacy requirements apply to information and processes across an organization – not just those within scope of the CIO.  You could have an entire privacy awareness curriculum that never mentions technology, instead focusing on how people handle information. 
  5. Operations (COO): Having privacy report of the COO can make sense, depending on the organization.   Whereas privacy has been around for many years, the passage of landmark privacy legislation – with significant consequences for non-compliance – has very quickly elevated its importance in organizations, making it a Board-level or C-suite priority in some cases.  Having it report to the COO gives it prominence and positions it as aligning with the entire company.  This helps enable the implementation of privacy processes as embedded components in business process.  If done right, the result is a less disruptive but more effective program.   The downside is that unless the organization is a very data-focused company, privacy may get lost among the COO’s other priorities, and may be the target of political struggles.

To be sure, any of these models can work, if provided with the appropriate leadership, support and oversight.  Moreover, the culture of the company and the nature of their business can also influence an appropriate structure.

Privacy is at a crossroads.  One the one hand, the emerging interest and concern from consumers (and therefore legislators) puts pressure on companies to acknowledge their responsibilities handling personal information properly.  On the other hand, since privacy has been around for a while and is conceptually familiar to executives, is there a level of privacy fatigue being felt?  As a result, are companies less motivated to address the risks, instead adopting a wait-and-see attitude?