Although organizations have dealt with privacy issues for years, only in the past decade have they begun to view the complexities of privacy as requiring formal organizational structure, dedicated employees, and/or dedicated resources. In some organizations, “privacy” falls within the ambit of the legal department; others have created offices that are focused solely on privacy issues and that report to a Chief Privacy Officer (“CPO”). There is little commonality in how these offices are staffed, funded, or organized. For example, while some CPOs report directly to senior management, others report through a General Counsel or a Chief Compliance Officer. The following provides a snapshot of how privacy offices are structured within companies.
- Percentage of CPOs that spend at least 50% of their time on privacy-specific activities.1
- The average number of years of experience CPOs have in privacy-related roles.2
- Percentage of privacy offices that are housed within the legal department.3
- Percentage of CPOs that report directly to the General Counsel.4
- 3.3 – 25: the range of full-time employees retained by Fortune 1000 companies to deal specifically with privacy-related issues.5
If you are creating a privacy office, or reviewing the scope of an existing office, consider the degree to which the office should be responsible for the following functions:
- Drafting, reviewing, or revising privacy-related policies and procedures (e.g., BYOD policy, website privacy policies, employee privacy codes of conduct).
- Following privacy-related legal developments and trends.
- Training employees (e.g., providing core privacy training to the majority of employees, as well as specialized privacy training for employees that have contact with personal information).
- Responding to privacy-related complaints or questions.
- Assisting the organization in negotiating contracts in which the organization is providing privacy-related representations, warranties, guarantees, or indemnification (e.g., client-facing agreements).
- Participating in the organization’s incident response team.
- Conducting privacy risk assessments or privacy impact assessments.
- Assisting the organization when negotiating privacy provisions in contracts in which the organization is providing data to third parties (e.g., reviewing the privacy practices of vendors and negotiating appropriate contractual guarantees).
- Conducting a data inventory or a data map.
- Monitoring or auditing the organization’s privacy-related practices.
- Reporting to senior management any significant privacy-related risks or concerns.
- Managing the cross-border transfer of information between jurisdictions with different privacy standards.
- Working with developers, designers, or marketers to design privacy protections into new products, services, or promotions.