Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.

A group of senior executives gathered recently to answer a seemingly simple question: Where should the privacy function sit within their organization? Around the table sat the chief legal officer, who also oversees compliance, chief information security officer, and chief technology officer — each making a case for why their team should own it. 

The conversation grew familiar: Privacy touches everything — including security, human resources, IT, legal and compliance — but fully belongs to none. It is a debate playing out in boardrooms and leadership meetings across industries as companies recognize that how they structure their privacy function can define not only compliance, but trust.

Security

Given the overlap in safeguarding data and responding to incidents, some organizations place privacy under the security team. While security is an essential partner, this structure has drawbacks. It risks narrowing privacy to data protection and breach response, when in reality privacy also covers lawful collection, use, sharing, data subject rights, and transparency. 

Security, like IT, may have more of a role as an "implementer" of privacy and security safeguards rather than an oversight function. Housing privacy within security risks reducing it to a technical safeguard instead of positioning it as an enterprise governance issue. It also lacks the independence and privilege protections that legal or compliance can provide.

Tech

Having privacy professionals embedded within tech teams can be valuable — if not essential — as they help build privacy considerations into products from the start. However, placing the privacy function itself under an organization's technology leadership creates a conflict of interest. Tech teams are often tasked with enabling business innovation and, in practice, may be the ones pushing the boundaries when it comes to privacy. 

When the privacy function reports to tech leadership, it risks subordinating compliance and ethical obligations to speed or technical innovation. It could also create conflicts of interest in which privacy officers have to push back on their own reporting chain when privacy concerns arise. Instead, privacy should act as an independent check on tech.

Human resources

Similarly, placing privacy within HR can compromise independence. HR handles massive amounts of sensitive employee data, from hiring records and performance reviews to health information and disciplinary matters. It is one of the departments most in need of privacy oversight. 

Locating the privacy function within HR creates a fundamental conflict: Privacy cannot effectively oversee a department to which it reports. This structure blurs the line between implementing privacy protections and ensuring compliance, creating a fox-guarding-henhouse situation. 

It also risks making privacy seem like an employee-relations issue, rather than an enterprise-wide compliance and governance function.

IT

Comparably, placing privacy within IT could also compromise the impartiality of the privacy function. IT plays a crucial role in implementing privacy and security controls. For example, IT will help build systems that flag when sensitive data is transferred to a third party or embed restrictions on data access. These functions are essential for execution, but privacy must remain separate to provide independent oversight.

If privacy sits under IT, independence is lost. The same team tasked with building technical solutions would also be responsible for evaluating whether those solutions meet legal and regulatory requirements, another clear conflict of interest. Like security and tech, IT must remain a partner in execution, not the arbiter of privacy compliance. Instead, privacy should help oversee IT solutions and ensure they are sufficient under applicable law and any contractual requirements.

Legal or compliance

There are compelling reasons why privacy is best positioned within the legal or compliance departments. 

First, so much of the privacy function has become a matter of law. A key role is ensuring companies comply with an increasingly complex web of global data protection laws while still enabling responsible business use of data. This often requires interpreting complex laws to determine a company's obligations — work that demands legal expertise. 

In jurisdictions such as the United States, only a lawyer may provide legal advice around a law's interpretation. However, privacy extends beyond legal interpretation to include execution, strategy, and day-to-day implementation, functions that do not require a law degree. 

By placing privacy within legal or compliance, organizations ensure the privacy function has access to legal counsel for interpretation when needed, while the privacy leader themselves can focus on translating those legal requirements into operational practice. The chief privacy officer does not need to be an attorney; they simply need ready access to legal expertise to support their work.

Second, placing privacy within legal or compliance ensures consistent governance across a company. Privacy risks rarely sit neatly within one department. They cut across HR, IT, marketing, finance and beyond. A central privacy function within legal or compliance will aid in setting uniform policies, establishing accountability, and monitoring compliance across all business units.

Third, legal or compliance is best positioned to manage regulatory engagement and risk. Privacy teams regularly interact with regulators, respond to data subject requests, and lead investigations after incidents. Within legal or compliance, these sensitive matters can be handled under attorney-client privilege and can be supported by professionals trained to handle investigations, reporting and remediation responses.

Finally, embedding privacy within legal or compliance reinforces that privacy is a core governance issue, not simply an operational task. It elevates the role, signaling that protecting personal data is integral to building trust with customers, managing risk and supporting long-term business success. 

Beyond functional considerations, reporting structure also sends a powerful signal about how seriously an organization takes privacy. Where privacy sits in the organizational chart shapes both internal culture and external perceptions. For candidates interviewing for a chief privacy officer or similar role, reporting into legal or compliance demonstrates that privacy is treated as a strategic function with real independence and authority. 

Conversely, burying privacy within a department it's meant to oversee, such as tech, signals to both prospective talent and existing employees that the organization views privacy as subordinate rather than essential. The structure itself becomes a statement of values and commitment.

Of course, HR, IT, security and other functions must remain deeply involved. These departments play critical roles in carrying out privacy obligations and shaping everyday practices. Working closely with the privacy function, they help drive a culture of privacy throughout the organization. Legal or compliance can provide leadership and oversight, while every department shares responsibility for embedding privacy into the way the business operates.

While privacy execution is distributed across all functions, leadership and accountability for privacy should sit in legal or compliance. This structure provides independence, consistency and the right level of oversight to ensure organizations meet their legal obligations, safeguard individual rights, and build lasting trust with customers and employees alike. 

As privacy laws and expectations continue to evolve worldwide, companies that structure their programs this way will be best prepared to meet future challenges and opportunities.

Noga Rosenthal, AIGP, CIPP/E, CIPP/US, is general counsel and chief privacy officer at Ampersand.