Much like in the Old West when the town sheriff and a few deputies did their best to keep the local citizens safe from the black-hatted bad guys who inhabited the surrounding empty land, today’s chief privacy officer (CPO) must keep data locked down at companies, organizations or government entities and beyond the reach of cybercriminals.
A bevy of stunning privacy breaches (think Facebook and FEMA), coupled with a greater urgency to comply with regulations (think GDPR) and an increasingly proactive approach to protecting data, have prompted many organizations to mull and even elevate the position of CPO. A quick search on LinkedIn, Monster or any job site turns up a huge number of openings for CPOs, and the even larger number of data breaches that have exposed the personal information of billions of people around the world certainly speaks to the desperate need for someone to be in charge, though the qualifications seem to vary depending on the organization.
What exactly are the duties of a CPO? Should he or she have cybersecurity tasks similar to that of a CISO? Is the role an offshoot or subset of a company’s CIO?
Paul Iagnocco, senior privacy consultant at TrustArc, says a CPO should be an organization’s champion of privacy, tasked not only with determining what data needs protecting, but with instilling in everyone in the organization, from the newest trainee to the C-suite, the importance of keeping the corporate jewels safe. To accomplish this, Iagnocco sees the CPO not as a technology-oriented position, but as one encompassing many roles, ranging from teacher to cheerleader.
Peter Lefkowitz, chief privacy and digital risk officer at the software firm Citrix, agrees, but also tosses in a few more hats for the CPO to wear. As his title suggests, risk and privacy go hand in hand at Citrix, and Lefkowitz believes there is also a legal component to the position.
“There is so much accountability needed now as data is taking on a greater role in companies,” he says.
This means the CPO role is no longer a luxury, but a necessity.
With almost every company maintaining some amount of customer or worker data that needs to be protected, Lefkowitz believes that a dedicated CPO is necessary, or at the very least that someone at the firm must be tasked with keeping an eye on the situation in addition to their normal duties.
“Every company needs somebody overseeing personal data due to legal and regulatory compliance,” he says, even more so in any company that deals with the European Union and must comply with GDPR.
Patrice Ettinger, Pfizer’s CPO and a member of the board of directors of the International Association of Privacy Professionals (IAPP), notes that a privacy point person is needed simply to keep track of all that is going on.
“The CPO plays a key role in ensuring that personal data is used appropriately and helps business leadership think strategically about data use under today’s rapidly evolving technology and regulatory landscape and consider expectations of individuals who entrust them with their personal data,” she says.
Another very tangible reason to have someone assigned to the job is to avoid the financial and reputational repercussions that can be incurred by those organizations that do not properly protect the data in their charge.
Violating the terms of GDPR is no joke and can result in substantial fines ranging from €10 million or two percent of the worldwide annual revenue of the prior financial year, up to €20 million or four percent of that revenue, whichever is higher, according to the GDPR statutes.
On top of any fines, a breached company can take a massive stock hit. Iagnocco looked back at what happened to Target after its 2013 data breach. The retailer had to pay out $18.5 million in legal fines for having allowed 41 million payment cards to be accessed by an outside entity, an intrusion that also resulted in the loss of the personal data of 70 million shoppers. Overall, Target’s execs estimated the breach cost the company $148 million, and that does not count the massive hit the company’s stock took in the months after the breach was revealed.
And it’s not just private institutions that need to worry about protecting data. Government agencies, from those operating in the nation’s smallest villages up to the largest federal departments, control extremely vital information that, if obtained by a malicious actor, can result in a terrible financial loss. There has been a steady stream of incidents in recent years, ranging from the massive Office of Personnel Management breach to ransomware attacks against rural towns and counties that may have resulted in data being compromised in addition to files being locked up.
“There is often an expectation by the public that these institutions are automatically protecting their data, but that is not always true. People think the government is always buttoned up, but it also needs a CPO to keep guard,” Iagnocco says.
There may be many roles a CPO must have the skill to fill: teacher, expert on the legal ramifications of privacy compliance and even detective, digging out all the possible hiding places where data may be squirreled away. What is not needed are countless certifications, nor even a degree in computer science or cybersecurity.
Citrix’s Lefkowitz says a CPO needs a different knowledge base: while a more than passing familiarity with cybersecurity operations is required, such a person does not need the skillset of a CIO or CISO. In fact, he sees many of those becoming CPOs coming from legal, accounting and auditing backgrounds.
Iagnocco agrees, adding, “A CPO does not need to have 48 certs, but needs to be able to have a conversation with the CISO. He needs to know what needs to be done, but not how to do it.”
Making sure everyone in the company understands the CPO’s role is very important. So much so that Lefkowitz believes defining the role of the CPO should be one of the first things a company does when it is creating the position.
The powers that be need to determine to whom the CPO will report and how senior of a position it will be in the company.
Specifically, the CPO position must be clearly separated from the responsibilities of the CISO and CIO, but it must also be made clear that all three share a common goal.
“The CPO is focused on ‘use’ of data, and less on infrastructure, applications and security that typically fall under the domain of the CIO or CSO. Certainly the three will best serve their company if they collaborate and work together, as there are areas of dependency and overlap,” Ettinger says.
It should also be made clear that the CISO or the head of the IT department is not in charge of privacy, nor should corporate executives make the mistake of believing these people will take care of privacy issues as part of their regular job.
Once all those points are hammered out and someone is hired, that person’s number one priority needs to be figuring out what data is being handled and at what level of risk, says Iagnocco, and not just the data retained inside the organization, but also that held by third-party vendors. Without this knowledge a CPO cannot function.
After the potential threats are determined, a CPO needs to come up with a privacy program tailored to the institution, and this should include working with the other stakeholders and keeping an eye on worldwide developments, says Ettinger.
“The CPO needs to engage on a regular basis with the business and stay informed on how data might be used, and to stay current on external privacy developments, including the new and strengthened privacy laws that we are seeing globally, including in the U.S.,” she says.
This is particularly important, Iagnocco says, because so much that can impact a company’s privacy standing can come from the outside.
“I think a CPO has to be a strategic thinker, not tactical. The CPO must look at what might happen one or two years down the road,” he says, unlike a CISO, who needs to worry about what is happening that second.
The legal ramifications that could result from a privacy breach also need to be regularly discussed, Lefkowitz says, so meeting with the C-suite and corporate counsel should be a regular occurrence for any CPO.
One of the conversations that needs to be held, says Mark Eggleston, VP, CISO and privacy officer at Health Partners Plans, is about instilling privacy-by-design principles into new systems and employing a mature framework to select and implement security controls.
Iagnocco is also keen that the human side of the CPO’s job not be forgotten. As stated earlier, this includes being a cheerleader and teacher, making it everyone’s responsibility to protect not only their own privacy but that of their customers, essentially creating a positive culture for privacy in the company.
“Job number one is to evangelize the importance of privacy inside and outside of the organization. When I was at Kellogg we held seminars and made sure what we were saying was understandable to staffers,” he says.
123 Main St.
The School of Corporate Hard Knocks
• Five years’ experience in a position protecting the privacy of the customers and workers at a business with 100 employees that did extensive work with entities in the EU. Used my accounting, auditing and legal knowledge to create a framework from which I ensured no privacy breaches occurred.
• Held regular meetings with the IT and cybersecurity department heads.
• Set up a seminar program to teach employees about the importance of meeting our privacy standards.
• Familiar with cybersecurity terms and basic practices.
• Experience with building, implementing, and maintaining a global privacy program and monitoring advancements in information privacy technologies to ensure improvement, adaptation, and compliance.
• Agile in responding to the changing role of the CPO and of the privacy environment. Capable of staying engaged with the business itself and up to date on external privacy developments, including new and strengthened privacy laws.
• A great communicator capable of explaining the need for maintaining privacy to anyone, thus helping secure the firm from fines and reputational damage.
• Privacy certification (CIPP or CHPC).
• CHC Compliance Certification.