Public Law

The Ever-Evolving Role of the Chief Privacy Officer–Turning Challenge into Opportunity

By Kim Richardson

Introduction

Data privacy is arguably the single most dynamic field of law. Privacy leaders are constantly managing a shifting and increasingly complex web of regulations, enforcement priorities, and litigation risks. Add to that the dizzying pace of technological advancements and you have a perfect storm of both exciting and daunting challenges, with the Chief Privacy Officer (“CPO”) often tasked with charting the course and navigating the ship across what can be very murky waters.

Artificial Intelligence (“AI”) is the latest example of a technological sea change that signals an inflection point that has the privacy profession rethinking and redefining its purpose, as privacy leaders are being tasked to take on broader data management responsibilities. A recent survey by the IAPP found that 69% of CPOs have added AI governance duties to their roles.[1] In fact, the leading global privacy professional organization, the IAPP, recently announced that it is officially expanding its mission beyond privacy to “define, promote and improve the professions of privacy, AI governance and digital responsibility globally.”[2]

So then how do privacy leaders respond to all of this change? We do what we have always done. We learn, we adapt, we grow, we ride the waves as they come, and we thrive. Experienced privacy leaders are well-equipped to embrace this next phase of holistic data management. The history and evolution of our profession demonstrates why.

A Brief History Of The Chief Privacy Officer Role (From One Attorney CPO’s Perspective)

Historically and today, the General Counsel’s Office is the most common reporting line for CPOs, and many CPOs are attorneys.[3] In the early days (let’s say, 2000-2010), unless you worked in a highly regulated industry (such as healthcare or financial services), working in privacy as an attorney didn’t feel much different from other attorney roles, outside of keeping up with the shifting regulatory landscape. In fact, many attorneys were adding privacy to a pre-existing broader role. Programs were in earlier stages of maturity, and much of the day-to-day challenge involved working with business partners to ensure that privacy requirements were built into business products and initiatives. Concerns around social media, mobile apps, and online tracking dominated the privacy headlines, along with news of large security breaches of well-known companies.[4] There were a limited number of sectoral federal laws to consider, and state laws designed to address specific issues were few and far between, outside of the developing data breach notification laws that started with California in 2002. The EU Directive was in play, but international data protection regulation and enforcement were somewhat limited on a global scale. IAPP reached its 10-year anniversary in 2010 with a membership of 6,000.[5]

The following decade saw an explosion of privacy regulation and enforcement, and a corresponding growth and maturing of the privacy profession. Data breaches increased on a massive scale in both frequency and volume, eventually resulting in every US state and territory having its own breach notification law by 2018. The EU’s General Data Protection Regulation (GDPR) took effect in 2018, adding a heightened level of rigor, accountability and enforcement risk to privacy compliance, with the potential of massive fines and extraterritorial reach sending a ripple effect across the globe. The GDPR became the “gold standard” for comprehensive data protection regulation, and other countries and US states followed suit with comprehensive privacy laws modeled after the GDPR in many respects. Transfers of European data to the US became increasingly challenging following the invalidation of the fifteen-year-old Safe Harbor Framework in 2015 and the ensuing path to the current Data Privacy Framework. US enforcement also intensified, with the FTC using its Section 5 unfair and deceptive trade practices powers to fill the gaps left by the US federal law’s sectoral approach to privacy regulation. The 2011 Google Buzz consent decree marked the first time the FTC required a company to implement a comprehensive privacy program, which is now a standard feature of privacy consent decrees.[6] Add to this the proliferation of US class action litigation and what can one say other than, it’s complicated! By the time the IAPP reached its 20-year anniversary, membership had surpassed 65,000.[7]

Looking Toward the Future of the Chief Privacy Officer

Through all of this change and growth, CPOs have adapted and taken on broader responsibilities. CPOs are already managing and/or partnering with cross-functional teams on privacy and data protection law, compliance operations, data security regulatory compliance and incident management, and data governance, ethics and strategy.[8] How, then, can we leverage this varied experience as we move forward in the age of responsible AI governance?

Garner Stakeholder And Executive Support

While the importance of robust privacy programs may seem obvious in most organizations today, that has not always been the case. Privacy leaders have played an important role in bringing visibility to new issues that can have a profound impact on organizations. Just as the GDPR created a new era of enhanced rigor and accountability for privacy programs, the EU AI Act will likely have a similar effect on AI governance, being the first comprehensive AI regulation enacted, and carrying risk of fines and extraterritorial reach similar to that of the GDPR. Already we are seeing a flurry of guidance, frameworks, and proposed regulations emerging across the globe, and some limited instances of more targeted regulation.[9] The regulatory landscape is quickly forming, and CPOs are well positioned to help organizations who wish to leverage AI understand the value of planning proactively for effective data governance.

Create the Governance Team

Privacy has always been a team sport. AI highlights the need for increased formalized cross-functional collaboration across various disciplines and skillsets, including legal, compliance, operations, technical and business. Data privacy, security and governance functions are already closely aligned with the issues and processes relevant for AI governance. Given the breadth of issues and potential risks that need to be considered, close partnership with technical and business teams will be especially critical. Ultimately, the structure will depend on the organization’s existing governance mechanisms, the organization’s role with respect to AI (e.g., a “provider” or “deployer” in EU AI Act terms) and the applicable use cases. CPOs can leverage existing relationships and structures to help ensure organizations take a holistic view toward data management that accounts for all of the diverse considerations that come into play with AI.

Adopt a Governance Framework

Privacy programs are generally structured around a framework based on legal and industry standards that capture the key principles and elements required for effective compliance (e.g., GDPR, NIST, ISO). Privacy leaders can help drive adoption of an AI framework with core principles and controls designed to address the risks and requirements of appropriate uses of AI. As most privacy regulations trace back to core privacy principles established by the Organisation for Economic Cooperation and Development (“OECD”), many countries have adopted the OECD AI Principles.[10] These principles form the basis of the governance framework that organizations can implement to support responsible AI, and bear similarity in some cases to principles applied in privacy frameworks, such as transparency, security, and accountability. And assuming that the EU AI Act is likely to become the gold standard for AI regulation, it may well serve as the optimal framework to use as a starting point as the regulatory landscape continues to unfold.

Operationalize Risk Management

Like privacy programs, AI governance programs will need to implement policies and procedures to ensure that pre-existing and proposed uses of AI are identified and the right stakeholders are engaged to assess and mitigate risk. A good place to start is by leveraging data inventory and mapping work to identify AI uses and expand on those resources to collect additional information needed to support risk categorization. The EU AI Act takes a risk-based approach and determines obligations based on the risk of AI and the role of the organization.[11] The inventory and map can be used to assist with this initial categorization. Processes and tools used for Privacy Impact Assessments can be leveraged to collect additional necessary information to assess AI risk and ensure that risk mitigation measures are built into the AI implementation, similar to the privacy-by-design approach. The key will be finding ways to leverage existing risk management processes to coordinate efficient engagement across the various stakeholders who will need to be engaged for AI.

Enhance Training And Awareness

Last, but certainly not least, are training and awareness. Just as training and awareness are core pillars of privacy programs, education is critical for AI governance. One of the first requirements of the EU AI Act to come into effect is the AI literacy requirement.[12] Privacy leaders can leverage existing training and awareness methods to educate members of their organizations who may engage with AI, with broad and role-based education that takes account of evolving use cases.

Conclusion

CPOs have much to build on to embrace the new challenges posed by AI. Privacy is an important consideration for appropriate use of AI, and privacy programs have many building blocks that can be leveraged to support effective AI governance. Privacy leaders are accustomed to translating complex regulatory requirements into actionable and operationalized compliance programs. We are accustomed to wearing multiple hats and working cross-functionally in collaboration with the organizational stakeholders that need to be engaged for AI governance. While every organization will need to determine the best approach and structure for them, CPOs and teams will undoubtedly play an important role and have a prominent seat at the table as we embrace the challenges to come and the new opportunities for growth and leadership that these challenges bring.

Endnotes


Kim Richardson is an accomplished Chief Privacy Officer and Legal Counsel with extensive experience building and leading privacy programs. Kim currently serves as VP Privacy, Chief Privacy Officer for Tandem Diabetes Care. Prior, Kim served as Chief Privacy Officer for Verily Life Sciences, and led Privacy at Mattel and Herbalife. Kim served as Vice President of Legal Affairs for Universal Studios Hollywood and held several positions at Disney, including Assistant General Counsel, Privacy. She also served as adjunct professor of Cybersecurity and Regulatory Compliance at Loyola Law School, Los Angeles. Kim received her J.D. from Harvard and her B.A. from UCLA, and holds several privacy certifications. https://www.linkedin.com/in/kim-richardson-esq-cipp-us-cipm-fip/

[1.] See IAPP’s Organizational Digital Governance Report 2024. https://iapp.org/resources/article/organizational-digital-governance-report/

[2.] See IAPP Press Release, September 23, 2024. https://iapp.org/about/iapp-expands-mission-and-launches-cybersecurity-law-center/

[3.] See IAPP-EY Privacy Governance Report 2023. https://iapp.org/resources/article/privacy-governance-full-report/ See ACC Docket, Privacy Professionals Are on The Rise, February 9, 2022. https://docket.acc.com/privacy-professionals-are-rise

[4.] For example, see the Wall Street Journal’s “What They Know” series. https://www.wsj.com/news/types/what-they-know. See Digital Guardian’s The History of Data Breaches. https://www.digitalguardian.com/blog/history-data-breaches

[5.] See IAPP White Paper “A Call for Agility: The Next-Generation Privacy Professional” https://iapp.org/media/pdf/resource_center/IAPP_Future_of_Privacy_Final.pdf

[6.] See FTC press release “FTC Charges Deceptive Privacy Practices in Googles Rollout of Its Buzz Social Network.” https://www.ftc.gov/news-events/news/press-releases/2011/03/ftc-charges-deceptive-privacy-practices-googles-rollout-its-buzz-social-network

[7.] See IAPP-FTI Consulting Privacy Governance Report 2020 https://static2.ftitechnology.com/docs/IAPP-FTI+Consulting+-+2020+Privacy+Governance+Report.pdf

[8.] See IAPP’s Organizational Digital Governance Report 2024. https://iapp.org/resources/article/organizational-digital-governance-report/

[9.] See IAPP Global AI Law and Policy Tracker https://iapp.org/resources/article/global-ai-legislation-tracker/ and IAPP US State AI Governance Legislation Tracker https://iapp.org/resources/article/us-state-ai-governance-legislation-tracker/

[10.] See OECD Privacy Principles https://legalinstruments.oecd.org/en/instruments/OECD-LEGAL-0188 and OECD AI Principles https://legalinstruments.oecd.org/en/instruments/OECD-LEGAL-0449 https://oecd.ai/en/ai-principles

[11.] See IAPP Top 10 operational impacts of the EU AI Act–Understanding and assessing risk. https://iapp.org/resources/article/top-impacts-eu-ai-act-understanding-assessing-risk/

[12.] See “Understanding the AI Act: AI Literacy Requirements and Compliance Strategies for Organizations,” Ropes & Gray. https://www.ropesgray.com/en/insights/viewpoints/102jko5/understanding-the-ai-act-ai-literacy-requirements-and-compliance-strategies-for
