As the baseball season heads toward the playoffs here in the U.S., it’s hard not to draw parallels between the growing privacy profession and Major League Baseball (MLB), that last major American sport with no salary cap and where the competition for talent is thus the most fierce.
Just as MLB teams look to hoard starting pitching—the Mets find themselves in first place with Matt Harvey AND Noah Syndergaard AND Jacob deGrom—so too have law firms and consultancies looked to hoard privacy experience and expertise. A year ago, we wrote about PwC’s run on privacy professionals, and it would appear they haven’t stopped.
This week, the company announced it has added Peter Cullen, CIPP/US—current executive strategist at the International Accountability Foundation and former CPO at RBC, chief privacy strategist at Microsoft and member of the IAPP Board of Directors—as privacy innovation strategist. As it’s not currently a full-time position; it’s something like the trade-deadline addition the Royals made with starting pitcher Johnny Cueto. We’ll see if it turns into an even bigger commitment.
“What I really love about PwC,” Cullen said over the phone from his home office, "is it's a firm that understands the inevitable future of new information use risks and is working very hard to create solutions to fulfill the needs that organizations are all very quickly going to need. At the same time, they are investing in solutions to top-of-mind problems right now.” PwC also, he noted, has built a substantial bullpen of more than 200 global privacy professionals.
This dual focus on the right now and the soon-to-be maps to how Cullen sees the CPO role changing. “It’s going from pure privacy compliance,” he said, “to enabling data stewardship.” And those are two very different roles that are also going to require new organization capability and capacity.
Privacy compliance is the challenge of right now, and Cullen doesn’t want to minimize that challenge at all. Privacy professionals need help with operationalizing compliance. Pointing to the fact that many privacy programs are housed in the legal department—newly released data collected by EY and the IAPP shows this is the case 44 percent of the time—Cullen noted that understanding the letter of the law and understanding how to operationalize compliance with that law are two very different skill sets. Further, even compliance professionals aren’t necessarily focused on preparing for future regulatory changes and expectations on business.
“The reality is that laws and regulations and how they are going to be implemented are evolving in a very fluid manner,” Cullen said. “To make a dramatic exaggeration, if your job is focused on knowing existing regulations and laws, and you’re not contemplating where those laws and regulatory approaches are going to move, you’re going to be quickly left behind in terms of meeting the expectations of the market."
And, he continued, "what privacy pros are struggling with is not just understanding that but thinking about the fluidity of their processes in their institutions and continually changing the way they think about information risk management.”
It’s that last part that gets at Cullen’s vision for the CPO’s future role.
“How do you assess the use of the information?” Cullen asked. “How do you manage the experience with the customer? That’s a lot broader than how we’ve thought about privacy … It’s not just understanding the current rules of the road and helping make them effective and efficient, it’s at the same time evolving what the road map needs to look like. It’s saying, ‘I know what the legal requirements are, but what are the ethical requirements, the fair requirements of the marketplace? How are regulators looking at that, and how are customers looking at that?’”
That’s a role that’s much more strategic for the enterprise. The CPO has “to be both a practitioner of the new requirements and the developer of the pending requirements. And then helping the organization to implement both ends of that. It’s a very tough role but also an exciting one with lots of opportunity.”
Tough enough that CPOs are frequently hiring outside help, with large firms spending 16 percent of their non-salary budgets on consulting services, on average, according to the EY-IAPP report. As firms compete for the work that represents, they’ll continue to build their bullpen depth with experienced former privacy pros like Cullen.