Data collection, storage and management have become the norm for nearly every business – but how carefully businesses handle that data is another question entirely. That’s where a chief privacy officer (CPO) comes in. A CPO sets privacy strategy within an organisation, navigates the complex and changing landscape of regulatory compliance and, perhaps above all, advocates for customers.
“The most important responsibility for the chief privacy officer is to be the customer’s advocate inside an enterprise process to determine what is personally identifiable information (PII) amongst the mountains of data that are in an enterprise’s possession, find a way to protect the data as soon as it is generated or to not collect it at all to de-risk being fined and make sure that the data is still usable for business operations,” says Ameesh Divatia, co-founder and CEO of data protection company Baffle.
You stand to lose more than just money if you ignore privacy regulations or if you experience a data breach – your business’ reputation is on the line.
Here are some solid reasons you need to hire a CPO, if you haven’t already.
1. Privacy regulations
Handling personal data comes with a lot of responsibility to protect the customer and the business. You’ll need to ensure customer, client and user data stays private and you need a high level of familiarity with compliance regulations.
“There are privacy laws in more than 100 countries around the world regarding how companies can collect, manage and store this data. In addition, there are financial and reputational consequences to being a good or bad actor with personal data, so it’s very important for companies to hire someone to help steer efforts to adhere to these regulations and ensure transparent data practices,” says Peter Lefkowitz, chief privacy and digital risk officer at Citrix.
“The legal risk is non-compliance with various laws around the world, which have specific requirements concerning notice and transparency, collection, use, storage, processing and return of data, as well as incident management. The requirements are not self-evident, and the penalties for non-compliance are steep,” says Lefkowitz.
Europe’s General Data Protection Regulation (GDPR), which goes into effect May 25, is top-of-mind for companies that do business in Europe. The new regulation outlines how businesses can use, collect and manage the data of EU citizens and gives individuals more control over their personal data.
2. Mandated CPO
The GDPR gives companies another reason to hire a CPO: You might be legally required to have one. The regulation mandates that companies “have a [data protection officer] (DPO) if they process or store large amounts of EU citizen data, process or store special personal data, regularly monitor data subjects, or are a public authority,” writes Michael Nadeau for our sister site CSO.
“The risks will never outweigh the benefits (or a gamble) of not addressing and hiring some level of a privacy officer. A company’s trusted brand can diminish overnight with failed privacy, an organisation can miss potential revenue streams by not being compliant and certified, and GDPR could be costly,” says Chris Bihary, CEO of Garland Technology.
3. Data breaches
There has been no shortage of headline-making, high-profile data breaches over the last several years. Breaches like those at Target, Sony, Home Depot and Equifax have cost companies millions of dollars.
“A CPO helps develop strategies to support how personally identifiable information is protected from these types of incidents and can fully brief the C-suite on the issues — both technical and business — which could arise from a breach,” says Deema Freij, global privacy officer of security services provider Intralinks.
4. PR nightmares
Having a proactive strategy in place to protect against a security breach can also protect your brand’s reputation. In the worst-case scenario, a CPO can at least work to diminish the effects of an attack and create a strategy to avoid future problems.
“The more you have that is worth protecting, the more you need a CPO. It is less about industries that are at greater risk and more about identifying the value of what you need to protect. Perhaps one could think that healthcare or finance has a greater risk than retail, but our past few years of breaches with Target, Equifax, and Yahoo have shown different,” says Bihary.
5. Lost profits or interrupted business operations
A CPO helps organisations navigate privacy and compliance, while also building a sound strategy that will help protect the business. Businesses can gain some peace of mind knowing they have a point person dedicated to staying on top of privacy and compliance trends and who will build a strategy to prevent and manage any data breaches.
“Without a well-understood and well-managed privacy policy, and without a dedicated person or team to address, deploy, and manage these practices, there will be missed economic gain, followed by economic loss, and even failure. The interruption costs to the business could be crippling,” says Bihary.