The latest annual Privacy Governance Report from EY and the International Association of Privacy Professionals (IAPP) was released on 24 September 2019.
In the second of our series on the report, we look at the global trends and changing face of privacy management within organisations, and the long-running question of where privacy should, and does, fit within the executive management team.
Where does privacy sit?
Ever since the introduction of the General Data Protection Regulation (GDPR) and the rapid rise of the Data Protection Officer (DPO), organisations have struggled to find a natural home for this function. While the GDPR mandates that the DPO report directly to the highest management level of an organisation, this doesn't necessarily mean they occupy a spot in the C-Suite. While 72 per cent of respondents confirmed their organisation had at least one DPO, the report identified a number of different approaches, with business variously categorising privacy as an issue for:
- legal and compliance
- risk; or
- technology and security.s in your privacy team?
Regardless of where they sit within these streams, 62 per cent of DPO's are the designated "privacy leader" within their organisation (more common in smaller organisations with tighter budgets and less sophisticated privacy programs).
Where does privacy sit in your organisation? What are the reporting lines?
The report confirms that "Legal" remains the dominant and preferred realm for privacy, with 31 per cent of privacy leaders also occupying the role of chief privacy counsel, and a notable increase of the number of lawyers participating in the report survey.
Reporting lines vary, from General Counsel (25 per cent), Chief Executive Officers (23 per cent), Chief Compliance Officers (22 per cent), Directors (21 per cent) and others. While the privacy and Chief Information Security Officer roles are generally treated as equivalents within the executive management tree, 51 per cent of privacy leaders still sit below the Chief Technology Officer. Very few privacy leaders occupy the role of Chief Information Security Officer or Chief Technology Officer, only 10 per cent and 4 per cent respectively, and they tend not to report to them.
Privacy leaders were found to be more likely to report to the Board where the organisation had revenue below of US$100 million, was headquartered in the EU or had less than 5,000 employees. This reaffirms the trend within smaller organisations to consolidate privacy roles within existing C-Suite or C-Suite functions rather than carving out additional and discrete privacy roles.
The report numbers suggest privacy and information security are considered more compatible and with more overlap than the privacy and technology functions. Regardless, the well-established security and technology functions continue to receive greater weight and emphasis at a management level than privacy.
How is GDPR influencing responsibilities and priorities?
There also continues to be a division of approach between the US and the EU, with US-based privacy practitioners more likely to have multiple and varied privacy responsibilities, including vendor management and ethical data practices, while the EU emphasis remains squarely focussed on GDPR compliance. This is consistent with the statistics, which indicate 62 per cent of EU DPO's are their organisations' chief privacy leader, while in the US only 43 per cent occupy this top position, with 31 per cent of privacy leaders sitting above the DPO role. Naturally, EU Boards appear to be more concerned with privacy compliance and their Boards are more likely to have direct oversight of the issue (35 per cent compared to only 10 per cent in the States). Compliance with law is the dominant priority for 88 per cent of EU privacy leaders, compared to 57 per cent in the US. Of course, this may change with the commencement of the California Consumer Privacy Act.
Specialised privacy risks
The report indicates that privacy professionals within organisations are yet to target emerging technologies, such as artificial intelligence and machine learning, as bespoke risk areas. Only 6 per cent have developed targeted guidelines, and 36 per cent did not consider it a unique risk factor. Possibly, this reflects the continued division and lack of overlap between the privacy and technology functions within organisations.
As it stands, privacy continues to be viewed as a predominately legal issue, particularly in the EU. While its importance and visibility at the C-Suite level is improving, organisations should exercise care not to conflate privacy with security, or to view it as a purely compliance-based exercise.
It is important to recognise the inevitable overlap between the privacy, security and technology realms. The difficulty that arises where privacy is pigeonholed as a strictly legal or compliance issue, is that it becomes part of a compliance box ticking exercise, rather than being built into product development and customer engagement process from the start. In doing so, you lose the opportunity to develop a pro-privacy culture across your business streams, and the opportunity to create greater efficiencies and opportunities further down the product development and customer service lines.
Whichever business unit you choose to locate your privacy functions in, ensure it is not isolated.
Read our previous instalment on privacy spend and budget here.
This publication does not deal with every important topic or change in law and is not intended to be relied upon as a substitute for legal or other advice that may be relevant to the reader's specific circumstances. If you have found this publication of interest and would like to know more or wish to obtain legal advice relevant to your circumstances please contact one of the named individuals listed.