In April 2020, I started my role as chief privacy officer of Silicon Valley Bank after serving in the position at Capital One. My time at SVB was both enriching and challenging, marked by the development of a mature global privacy program amid tremendous growth at the bank. Unfortunately, this journey took an unexpected turn earlier this year with the failure of SVB. As I embark on my search for my next CPO role, I’ve been surprised by the prevalence of law degrees being listed as a mandatory qualification for open CPO positions.
Complex privacy landscape
Granted, CPOs are expected to navigate a complex landscape of data protection laws and regulations. Monitoring and interpreting privacy laws, and providing legal guidance on them, is a crucial function companies must have in place to manage privacy risks effectively. I'm not an attorney, yet I've been successfully building and running corporate privacy programs for the last 24 years. What I'm used to seeing, at least over the past 18 years at my last three companies, is a corporate privacy office that works closely with designated attorneys who specialize in privacy law.
The evolution of privacy laws
In the early 2000s, corporations may have been able to get away with having attorneys draft and post privacy notices without the necessary operations, controls, remediation, monitoring and testing activities you need in place to ensure compliance today. Data privacy laws have evolved tremendously over the past decade. This legal complexity may have led to the notion that CPOs must hold law degrees to interpret and comply with these regulations. While legal knowledge remains important, it should not be considered a major determinant of a CPO's effectiveness.
Emphasis on operational skills
Since relatively new privacy laws like the EU General Data Protection Regulation and California Consumer Privacy Act give data subjects the right to access or delete their data and to restrict processing activities, and require the implementation of privacy by design, companies must understand what it takes to build, manage and monitor privacy programs through operational processes, controls, privacy technology, tools and automation. The emphasis should shift towards an operational skill set for CPOs to effectively manage data privacy in the modern digital age.
Operationalizing privacy
It is crucial for CPOs to have the ability to turn legal requirements into practical actions throughout the company's various departments. Operationalizing privacy controls entails seamlessly integrating privacy considerations into an organization's daily activities, systems, policies and processes. This requires a deep understanding of business processes, technology and applications, data flows, data classification and taxonomies, products and services, risk mitigation strategies, incident response, data retention, marketing, third-party risk, monitoring and testing, training, and effective collaboration across various departments — none of which requires a Juris Doctor degree or law firm experience.
Collaboration between legal and the privacy office
If you can find a job candidate with a JD and deep experience implementing privacy operations and controls, great. But I believe the best approach is to let the legal experts focus on providing legal advice and counsel on the requirements of privacy regulations. Let legal work on drafting, reviewing and negotiating privacy provisions in various contracts and agreements, monitor privacy laws and regulations, interpret laws and their impacts on the company, respond to litigation, assess potential legal risks, and draft or review privacy notices. However, don't also expect your legal counsel to build and run the operations of a global privacy program, manage the overall privacy execution strategy, integrate controls into business processes, and provide legal counsel to itself (conflict of interest!).
Conclusion
Both roles are essential for effective privacy management. In-house privacy attorneys should primarily concentrate on providing legal guidance and ensuring legal compliance, while the CPO takes a strategic and operational role in developing and implementing the organization's privacy program across various functions. My advice to hiring managers: keep the CPO postings coming, just remove the JD from the list of required qualifications.