TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | Aligning the chiefs: The merging of CDOs and CPOs Related reading: GDPR year one: Three CPOs report back



Chief data officers and chief privacy officers have a common thread in their work: information protection.

CDOs are in a unique position because they bring together the ever-expanding catalog of available information and opportunities to bring value to their organizations. As they work objectively to manage and govern the full body of enterprise data, CPOs are also tied to information management. Specifically with personally identifiable information, CPOs are charged with implementing the policies, procedures and controls for the data's organizational use while balancing compliance efforts under regulatory, ethical and contractual obligations.

In essence, the data responsibilities of a CPO are a subset to those of a CDO. These shared duties with datasets make a case for organizations to possibly merge the two positions into one.

Traditionally, CPOs work in the areas of law and compliance for organizations, which has them well positioned to focus on the treatment of the information. However, there has been a significant refocus on how information is used in an organization. With the rapid growth of data science in recent years, there's now an increased recognition that the leverage of information has great benefits.

Having a CDO organizationally separate from a CPO increases the challenges to have them collaborate while also raising compliance risks. Instead, having a CPO within the office of the CDO — or even the same person — provides the opportunity to leverage information with compliance built in with clear accountability to operational leadership.

Combining the roles of CDO and CPO offers organizational clarity around the commitment to pursue the opportunities provided by data. Such a merge also allows the ability to highlight and recognize the importance of respecting compliance obligations.  

A CDO should be as conversant in business goals, along with the data vision and strategy, as they are in the data privacy program. A consolidation of responsibilities embeds privacy in the fabric of operations instead of allowing it to become an afterthought. It also enables the goal of implementing privacy by design and allows privacy impact assessments to become “punctuation marks” rather than major activities.

Those working in risk management or as general counsel might point out that a benefit of separating a CPO from core business operations is that it helps ensure organizational objectivity and independence. The case could be made that the separation might reduce the chances that privacy requirements can be de-prioritized relative to revenue objectives.

On the other hand, it could be argued that privacy already falls by the wayside in the CDO being separate from the CPO as it introduces a risk for privacy to be an afterthought. Implementing privacy requirements later in a project or following its completion greatly reduces the chances of success, increases the cost, and extends timelines.

For a merge to be successful, though, relationships with counsel and internal audit teams need to be in place to help ensure the effectiveness of a privacy program. Privacy is a legal concern, which may call for outside counsel to supplement and boost the skills of in-house counsel. With internal auditing, making sure data handling is included in the scope of the audit is a priority.

The benefits that come with merging data management and privacy capabilities are potentially significant, and they can be considered for different reasons. It could be argued that a merge helps improve the pursuit of data leverage, whether as a source of new revenue or a way to improve products and services. Combining can potentially optimize management decision-making, as well. However, the top consideration is how a merge can lead to stronger, safer privacy programs that can best align with the business.

Photo by Tim Johnson on Unsplash

Credits: 1

Submit for CPEs


If you want to comment on this post, you need to login.

  • comment Bastian Cremer • Jun 26, 2019
    Sorry, but no. Both roles have an overlap but ultimately conflicting objectives. Merging them into the CDO role creates an irreconcilable conflict of interests subjecting the organization to a loss of effective privacy control. The counter-argument that a merger could improve timely consideration of privacy concerns neglects this. Think about it: would merging the general counsel, the chief compliance officer and the head of risk management into e.g. the CEO also be a good idea since "[separation] introduces a risk for [these functions] to be an afterthought”? Ensuring that privacy is integrated effectively into business processes is a governance task. Doing away with the function is the exact opposite of solving it.
  • comment James Howard • Jun 28, 2019
    Bastian - thanks for your feedback.  First, I'm not advocating eliminating the CPO.  To the contrary, i advocate making it a lot more prominent by more closely aligning it with the users/handlers of information.  There is no doubt that checks and balances need to be maintained (e.g., internal audit), but practically speaking, Privacy compliance is far too important in order to protect the brand, and needs to be brought much closer to the front line.  There are three trends that are accelerating: (1) the growth, use and leverage of information - much of it PII-- (2) the number and size of data breaches and mis-uses (nearly 2 billion records so far this year) and (3) the complexity and prescriptiveness of privacy legislation.   In the balance between investing to increase revenue, or slowing down to implement controls, history shows the former wins; Privacy By Design was first conceived in 2009, but has yet to become truly embedded in business.  So my (provocative) disruption is to shake up the model, and bring the CPO way forward.
  • comment Matthew Bernstein • Jul 2, 2019
    I'm with James on this.  I was the global head of Information & Records Management for a very large bank until a year ago (I now run my own firm) and I worked closely with the CDO and CPO (and CISO).  Integrating the understanding of the "non-functional" characteristics of data (privacy, info sec, retention, business critical, etc.) with the "business value" (e.g., utility for AI) and with other "compliance" requirements (e.g., data lineage) makes sense.  There will always be tension between what the "business" wants to do and what "control" functions want to do; making the CDO share accountability for using data in a legally compliant way will result in data scientists taking these requirements more seriously.  I saw this happen with GDPR, and it's some of what I'm working on now (e.g., anonymization).
  • comment Emma Butler • Jul 8, 2019
    I agree with Bastian on this. There would be a conflict of interest in the EU as the DPO / CPO cannot be involved in decision-making and collection and use of personal data. The DPO also has to consider and represent the individual, possibly the only person in the business with this as an integral aspect of their role.  It may be different in the US, but in the UK (and wider EU in my view) privacy is not just a legal concern. The CPO / DPO role is a practitioner, often not a lawyer, who advises the business on compliance requirements, risk and helps them implement privacy-friendly solutions. If you are doing privacy by design properly, then your CDO and CPO can work together effectively and privacy won't be an afterthought.