Putting Data Security Risks in Perspective: The Proper Role of a Chief Privacy Officer
This is likely to be a politically incorrect posting. I hope I do not offend too many people, especially new data privacy professionals.
As kids, we were always excited when an ice cream truck visited our neighborhood offering a new flavored ice cream. For a brief period of time, the new ice cream flavor was the popular rage.
In the corporate legal and compliance world, we are witnessing an analogous phenomenon – the arrival and influence of the new data privacy officer.
I am not dismissing the importance of data privacy compliance, but I am suggesting that we all need to take a deep breath and put data privacy risks in context – while they may be the newest flavor of the day, they are not the exclusive or numero uno risk that has to be addressed to the exclusion of all other risks.
Yes, data privacy is new; no, that does not mean that every little data risk has to be mitigated to the point of elimination.
Some of this is just a learning curve and making room for a new and significant issue to be addressed. Let’s be candid – data privacy government enforcement is not the most significant risk right now, although the legal risk from collateral litigation and potential reputational harm is significant.
Chief compliance officers face several significant risks every day. Data privacy officers also face significant risks, but they do not face the same scope and severity of multiple risks.
How does this issue come up? When a CCO is seeking to address a specific issue, a data privacy concern may be identified. A CCO then has to consult with the data privacy officer to determine the nature of the risk and to develop a solution to the potential problem.
Some data privacy officers take this as a moment to educate everyone in the room on data privacy, reiterate (over and over) how important data privacy risks are to the organization, and then analyze the issue by insisting on eliminating all risks. CCOs are often forced to back down and permit the data privacy officer to declare the solution without any compromise or meaningful consultation. Such a dynamic is harmful to the overall compliance function and corporate management.
To be candid, this dynamic may change over time. As compliance officers learn more about data privacy risks and companies gain more experience in this area, companies will naturally start to balance risks against one another and make educated decisions about risk trade-offs and overall risk management.
Because data privacy is the new compliance “kid” on the block, corporate actors are reluctant to counter data privacy concerns with competing business needs, risk tolerance determinations and realistic risk appraisals. Until that happens, the stature and influence of data privacy officers may be annoying to compliance and legal officers, since they have observed other risks (flavors) of the month rise and fall with experience. Eventually, data privacy risks will blend into the overall compliance risk framework, earn a ranking based on experience and analysis, and settle into their “rightful” (realistic) place in the risk management world.
Legal and compliance officers may become a little frustrated and even jealous of the data privacy officer’s role and influence. For now, they have to sit back and observe the data privacy officer’s disproportionate influence over senior management and the board until the issues start to settle. There is no reason to react negatively or seek to undermine the data privacy officer. To the contrary, this is a time to learn about data privacy legal and compliance developments, monitor enforcement actions and identify industry trends and best practices. After all, legal and compliance have a lot to add to management of this important risk.