Is a CPO Still a CPO? Privacy Leadership’s Evolving Role

COMMENTARY

The role of the CPO — chief privacy officer — is at a crossroads. A rapidly growing number of data breaches, continually evolving regulations, and the increasing complexity of digital ecosystems have made a robust, privacy-first approach to managing data more critical for businesses than ever before. The role of a CPO was once clear-cut: Ensure compliance with privacy laws, manage data collection practices, and mitigate data risks. Now, CPOs are balancing more responsibilities than ever. Privacy has an impact on every realm of the business. So, is a CPO still a CPO, or is the role something greater? And, is it a role that just one person can handle?  

The Expanding Scope of the CPO

In a recent episode of my podcast, “The Privacy Insider,” Google’s outgoing chief privacy officer, Keith Enright, remarked that the data privacy role has expanded so much, it requires a jack of all trades. In many organizations, the CPO might manage privacy, but also aspects of security, data ethics, and even AI governance. Privacy does play a role in all these areas. But can a CPO — or chief information security officer (CISO), or chief data officer (CDO), or chief AI officer — wear all these hats and have them fit? 

Whatever mix of letters that follows the C, many companies are striving for the same goal. They want a member of the C-suite whose mandate encompasses a broader responsibility: Be the steward of data governance, protection, compliance, and ethical use. That someone with any of the above backgrounds could be overseeing all of the above responsibilities shows how intertwined the technologies, data, and risks have become. Maybe that one job should be a more integrated team effort.  

Guarding the Wall Together 

For example, think about a data breach. Responsibility for preventing a data breach typically falls on the CISO. If a hacker pierces a company’s systems, that’s a security failure. But the reality of a rapidly changing threat landscape is that once you secure against one threat, another one is right behind it. For many companies, data breaches aren’t an “if,” but a “when.” How are you protecting what’s behind the wall? Good data privacy practices are good security. Are you identifying, safeguarding, and minimizing your most sensitive data? CISOs work hard on fortifying the wall, but if someone breaks through and there’s nothing to steal, you’ve contained the immediate damage, and also the reputational and regulatory damage that can follow. Protecting an organization on all sides calls for a tightly integrated strategy.  

And Then There’s AI 

The rise of AI presents some unique challenges: What are the ethical implications of AI? Can you trust it? What’s the recourse if sensitive data winds up in an AI model? Many companies turn to the CPO for guidance on the ethical use of these technologies, particularly around issues of consent, bias, and transparency. But AI governance is typically the domain of the CISO or the CDO, not the CPO. For now, no one person should own AI, because at this point in time, AI touches everything. Everyone shares the responsibility for using it wisely. 

However, CPOs can play an important role in charting a path for AI, aside from ensuring companies use it in a privacy-forward way. The ethics of using sensitive data — and as we are seeing with the European Union AI Act, the consequences of misusing it — are similar whether the offender is human or machine. Clear insight on handling and protecting sensitive data and experience with General Data Protection Regulation (GDPR) readiness can help privacy pros guide the business in managing AI’s complexities. 

The CPO as Partner

Managing risk in a modern organization is the ultimate balancing act. Sometimes it’s all hands on deck to shore up cybersecurity, sometimes it’s sensitive data protection, sometimes it’s AI. Privacy, security, governance, and the rest are all critical to maintain the balance, no matter what the challenge is. There may be a CPO, there may not be a CPO. Privacy management might be centralized or distributed across the business. But that doesn’t change the importance of data privacy management in helping to shore up system security, define AI governance, build trust, and mitigate risk. The best role a CPO can play is in demonstrating the value of a strong privacy program to make the whole business stronger.