As time goes on, there seems to be a big increase in C-level roles for organizations. Traditionally, the Chief Executive Officer (CEO), Chief Operations Officer (COO), and Chief Financial Officer (CFO) were the primary and only C-level executives and officers in an organization. As technology expands, so do executive roles. Privacy regulations are a part of this expansion, and an executive with a privacy background is desired and, in some cases, mandated by regulation.
According to Byron Connolly's article in CIO Magazine, the role of Chief Information Officer (CIO) became common in the late 1980s. As technology began to play a larger role in organizations, CIOs became the go-to executives for technology throughout the organization. As time went on, the roles of Chief Technology Officer (CTO), Chief Information Security Officer (CISO), and CxO (x meaning insert function here…) became common. However, as information privacy grew in prominence throughout the early 21st century, the role of the Chief Privacy Officer (CPO) became a reality. While the first CPO may have been appointed in the early 90s, it wasn’t until the early 2000s that the International Association of Privacy Professionals (IAPP) started to meet the growing demand of privacy professionals throughout the world.
The Chief Privacy Officer (CPO) is a senior-level executive responsible for managing an organization’s compliance with information privacy laws and regulations.
The Chief Privacy Officer (CPO) has a myriad of responsibilities. First, they must have executive-level experience or strong leadership experience. Second, they must be knowledgeable in all matters related to information privacy, including jurisdictional laws, regulations, enforcement models, compliance, terminology, policies, and privacy program development. Typically, a CPO has a law degree, but having a law degree is not a requirement. CPOs might also have an information security and technology background.
Some executives and organizations may scoff at the need for yet another C-level person at the table. Unless the current executives have experience and knowledge of information privacy, they should consider hiring a CPO. As more and more data breaches and incidents become commonplace, the role becomes more and more imperative for all organizations so that those breaches and incidents can be mitigated. As personal information proliferates across legitimate and illegitimate websites and databases, it is imperative for an organization to understand the risks versus benefits of collecting personal information, whether personal information can be collected and used, and how to respond to an incident or breach. Doing nothing is no longer an option.
While the functions of the CPO may be distributed throughout an organization, gaps may exist. A CPO can ensure those gaps are filled and enhance existing knowledge of information privacy and impacted functions across an organization. A CPO may also be imperative in helping to generate new revenue opportunities related to personal information. While earning revenue off of personal information may raise concerns, it is a practice that can be done legally and ethically to ensure private information is not mishandled. Who knows what the future will hold for the CPO, but as privacy regulations, such as GDPR, continue to proliferate across the globe, it is important for organizations to evaluate whether a CPO is someone who may help navigate the subjective waters of information privacy.
Monica Reichert, CRM, has been in RIM/IG for many years in many industries (currently the Legal Industry), is a Certified Records Manager, and is currently undertaking a Master's degree in Information Management through Dalhousie University. Monica firmly believes that privacy and protection of personal information is everyone’s business!