Cybersecurity has historically received an overwhelming amount of attention in boardrooms across the globe, as the need to protect information from bad actors is a threat firmly ingrained in the consciousness of corporate professionals. However, in recent years, regulators and consumers alike have begun to shift this paradigm as individuals demand not only information security, but also a greater understanding of and control over how their personal information is used.
Today, privacy is equally top of mind for businesses, as managing privacy obligations has become critical to any organization’s future growth. As a result of consumers’ ever-growing expectations of privacy, businesses must now comply with a number of state, national, and regional privacy regulations that impose serious operational challenges on those that do business in these jurisdictions. The prime example is the European Union’s (EU) General Data Protection Regulation (GDPR), which has been the main driver of privacy-related compliance spending since the law came into effect in May 2018. Attention is now shifting to the California Consumer Privacy Act (CCPA), Brazil’s Lei Geral de Proteção de Dados (LGPD), and other privacy regimes, as other legislative bodies struggle to keep up with the ever more attentive eyes of consumers.
In light of these significant operational challenges, Second Line Advisors recently partnered with Treliant, LLC to conduct a broad survey of privacy professionals to identify which issues are causing organizations the greatest concern. In several instances, we also sought responses that shed additional light on how organizations are addressing these hurdles.
Respondents hailed from a diverse spectrum of industries, with a particular emphasis on the Financial Services, Healthcare, Life Sciences, Tech, and Automotive industries. The large majority of respondents described themselves as internal privacy officers and counsel, including 64% identifying themselves as the organization’s “Chief Privacy Officer.”
As the scope of the survey produced broad feedback on several topics, we have identified the Top 5 Takeaways from our review of the responses. They are as follows:
Top 5 Takeaways:
Nearly every organization identified budget as a top concern
The compliance obligations established by the GDPR, CCPA, and other regimes are vast. Unsurprisingly, it seems many organizations are having trouble convincing corporate leadership that the proper resources need to be allocated to addressing these new obligations. Budget concerns ranged from inadequate internal headcount to insufficient budget for software tools and the inability to retain appropriate outside counsel and consulting firms.
Privacy professionals admit they lack the bandwidth to engage in much-needed proactive thinking
A majority of respondents shared their frustration with the lack of proactive initiative and appetite to take on privacy responsibilities at their places of work. Tied to the frustration over inadequate budgets, the survey results indicate that internal privacy programs are generally only capable of mounting a minimum viable product that addresses baseline privacy compliance obligations. A sizeable minority of respondents also shared frustration with Chief Privacy Officers sitting in the Legal Department, as this type of organizational structure frequently renders privacy professionals too risk-averse and thus unable to assist business lines with process improvement and innovation.
The continuously evolving legal and regulatory landscape continues to be a major privacy concern
Although the actual language of data privacy laws such as the GDPR and CCPA is not generally subject to change, the respondents to the survey expressed considerable frustration keeping track of the guidance and enforcement actions coming from privacy regulators. Many respondents also identified potential upcoming amendments to the CCPA as an impediment to their work.
Troublingly, several respondents indicated that privacy guidance tends to vary wildly, with different arms of the same organization receiving conflicting guidance depending on which outside resource they happened to engage.
The overwhelming majority of privacy professionals believe a Chief Privacy Officer should answer either to the General Counsel or directly to the Chief Executive Officer
Our survey results found that businesses have yet to adopt a consistent approach when it comes to placing a Chief Privacy Officer internally within an organization. This notwithstanding, survey respondents tend to be more in agreement with how the ideal business should be organized.
41% of respondents believe the Chief Privacy Officer should answer directly to the business’s CEO. Respondents selecting this answer came from a host of industries and headcounts, ranging from small and medium-sized firms to Fortune 500 businesses. A separate 28% of respondents believed the Chief Privacy Officer should answer to the General Counsel. Respondents in this category generally skewed towards larger businesses.
The roles of Chief Privacy Officer and Data Protection Officer should not be combined
Mirroring regulatory guidance coming from several European regulators, survey respondents placed an emphasis on the role Data Protection Officers have as an independent and objective monitor of the business’s privacy practices. Many respondents similarly viewed the Data Protection Officer as an advocate for consumers and other data subjects, a function which is generally inconsistent with the responsibilities of a Chief Privacy Officer.
Interestingly, a large number of survey respondents indicated that the roles of Chief Privacy Officer and Data Protection Officer have nevertheless been combined at their organization, indicating that this might be a battle that many privacy professionals have fought and lost.
As is evident from the survey, privacy professionals across a host of industries are experiencing significant frustration as they seek to navigate the evolving 2020 privacy landscape. Although many are experiencing budgetary challenges, most companies are planning to invest in external resources, including consulting services, legal support, and technology solutions. These resources will not only be dedicated to addressing privacy compliance obligations, but also to helping organizations break down silos and provide privacy-related support to process improvement and innovation efforts.