This report seeks to provide understanding about how organizations are defining and implementing their internal digital governance structures.

Published: September 2024

Contributors:

Joe Jones

Saz Kanthasamy

This report was featured in The Wall Street Journal article "AI, Growing Data Risks Expand the Role of Chief Privacy Officer" on 5 September 2024.

From digital entropy to digital responsibility

Entropy is a scientific term commonly associated with a state of disorder and uncertainty. One characteristic of entropy is that, according to theory, it increases over time.

Unmanaged or unchecked, entropy begets more entropy. As new technologies are developed, integrated and deployed across our societies, the impacts are far-reaching, transformative and, at times, destabilizing. Along with creating great opportunities and new risks, they can upend the status quo, bringing disorder to carefully crafted governance and regulatory mechanisms often designed for the predigital era. New regulatory, ethical and organizational initiatives aim to ensure such technologies are used responsibly and safely.

Understanding and navigating the overlaps, gaps and even conflicts between the sociotechnical and regulatory domains is complex work for businesses and organizations. Designing and implementing effective structural responses to the complexity of our digital regulatory world is ascending as a strategic priority within organizations. Since January, the IAPP has been researching the extent to which organizations currently or intend to structure their resources and decision-making to respond to digital governance.

The matrix of digital governance domains

The alphabet soup of digital governance regulation is complex and continually evolving. Organizations are leveraging and evolving existing governance structures to respond. Many are doing so with long-standing decentralized organizational approaches to governance that have yet to be meaningfully, let alone effectively, cohered and coordinated.

C-suite responsibility

Existing C-suite leaders of specific domains are seeing their personal remits expanded and elevated.

For example, 69% of chief privacy officers surveyed have acquired additional responsibility for AI governance, while 69% are responsible for data governance and data ethics, 37% for cybersecurity regulatory compliance, and 20% for platform liability. This trend continues at a team level, with over 80% of privacy teams gaining responsibilities that extend beyond privacy. At 55%, more than one in two privacy professionals works in functions with AI governance responsibilities. At 58%, more than one in two privacy pros has picked up data governance and data ethics. At 32%, almost one in three covers cybersecurity regulatory compliance. At 19%, almost one in five has platform liability responsibilities.

Statistics gathered from the 2024 IAPP Governance Survey.
More statistics and insights from the survey will be published later this year.

Research approach

Senior decision-makers are seeking to understand how organizations are defining and implementing their internal structures. In the absence of publicly available information on organizations' internal governance structures, the IAPP sought to interview senior leaders across various organizations to understand:

Research approach taken by the IAPP in
producing the Organizational Digital Governance Report

Interviews were conducted with more than 20 senior decision-makers who lead their organization's work on various aspects of digital governance. This includes insights from some relevant regulators. Given the focus on large multinationals, our insights are skewed toward organizations that are likely more mature in their approaches to organizational governance.

This report seeks to show some of the findings from those interviews, including by building out illustrative organizational charts that convey the variety, nascency and direction of travel in how organizations approach the transition to more cohered and coordinated organizational digital governance.

The insights and models presented are intended to facilitate discussion. They are not indicative of any one organization or intended to recommend any particular model to organizations. An important reflection from the interviews is how formative and consequential an individual organization's culture and footprint is to their chosen model. Every organization occupies a unique place in the wider environment. Different business models, digital technology applications, risk exposures and appetites, and resources all impact how organizations consider the design and implementation of their organizational digital governance.

This graphic outlines the internal and external factors organizations should consider when defining digital governance for their organization, building out a digital governance framework and deploying digital governance controls.

We welcome feedback on how your organization intends to cohere and coordinate its response to the increasingly complex landscape of digital governance.

What's in the full report?

This report consists of the following sections:

Organizational charts

These downloadable organizational charts convey the variety, nascency and direction of travel in how organizations approach the transition to more cohered and coordinated organizational digital governance.

Analog governance

An analog model for an organization seeks to implement digital governance within and through individual subdomains without a defined or cohered approach to digital governance.

• View chart (PDF)

Augmented governance

An augmented model for an organization seeks to implement digital governance through various interdisciplinary processes and structures within a defined and structured approach to digital governance.

• View chart (PDF)

Aligned governance

An aligned model, representing a commonly aspired to future state for some organizations, seeks to streamline processes and structures into a more singularly defined and framed approach to digital governance.

• View chart (PDF)

Additional resources