Chief data officers and chief privacy officers have a common thread in their work: information protection.
CDOs are in a unique position because they bring together the ever-expanding catalog of available information and opportunities to bring value to their organizations. As they work objectively to manage and govern the full body of enterprise data, CPOs are also tied to information management. Specifically with personally identifiable information, CPOs are charged with implementing the policies, procedures and controls for the data's organizational use while balancing compliance efforts under regulatory, ethical and contractual obligations.
In essence, the data responsibilities of a CPO are a subset to those of a CDO. These shared duties with datasets make a case for organizations to possibly merge the two positions into one.
Traditionally, CPOs work in the areas of law and compliance for organizations, which has them well positioned to focus on the treatment of the information. However, there has been a significant refocus on how information is used in an organization. With the rapid growth of data science in recent years, there's now an increased recognition that the leverage of information has great benefits.
Having a CDO organizationally separate from a CPO increases the challenges to have them collaborate while also raising compliance risks. Instead, having a CPO within the office of the CDO — or even the same person — provides the opportunity to leverage information with compliance built in with clear accountability to operational leadership.
Combining the roles of CDO and CPO offers organizational clarity around the commitment to pursue the opportunities provided by data. Such a merge also allows the ability to highlight and recognize the importance of respecting compliance obligations.
A CDO should be as conversant in business goals, along with the data vision and strategy, as they are in the data privacy program. A consolidation of responsibilities embeds privacy in the fabric of operations instead of allowing it to become an afterthought. It also enables the goal of implementing privacy by design and allows privacy impact assessmentsto become “punctuation marks” rather than major activities.
Those working in risk management or as general counsel might point out that a benefit of separating a CPO from core business operations is that it helps ensure organizational objectivity and independence. The case could be made that the separation might reduce the chances that privacy requirements can be de-prioritized relative to revenue objectives.
On the other hand, it could be argued that privacy already falls by the wayside in the CDO being separate from the CPO as it introduces a risk for privacy to be an afterthought. Implementing privacy requirements later in a project or following its completion greatly reduces the chances of success, increases the cost, and extends timelines.
For a merge to be successful, though, relationships with counsel and internal audit teams need to be in place to help ensure the effectiveness of a privacy program. Privacy is a legal concern, which may call for outside counsel to supplement and boost the skills of in-house counsel. With internal auditing, making sure data handling is included in the scope of the audit is a priority.
The benefits that come with merging data management and privacy capabilities are potentially significant, and they can be considered for different reasons. It could be argued that a merge helps improve the pursuit of data leverage, whether as a source of new revenue or a way to improve products and services. Combiningcan potentially optimize management decision-making, as well. However, the top consideration is how a merge can lead to stronger, safer privacy programs that can best align with the business.
Photo by Tim Johnson on Unsplash
