How have recent data privacy regulations impacted the role of Chief Data Officer for organizations? Ground Labs’ Co-Founder and Chief Evangelist Stephen Cavey looks at how the role has changed to fit today’s data standards.
Data regulation is the new reality, requiring an ever-increasing depth of knowledge in compliance, law, security and privacy. An organization’s failure to adhere to the various, evolving regulations not only has financial implications such as fines, loss of market share and even a drop in stock value, but can also destroy the trust the company was built on. Added to this, privacy regulations such as the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) have continued to evolve, with more industries across various regions enacting new rules and regulations.
As regulations are no longer confined to one state, one country or one industry, the responsibility and scope of a Chief Data Officer (CDO) is dramatically different from what the role once entailed. When the CDO role originated more than 15 years ago, it would have been reasonable to apply a single, simple data-handling policy across the broader organization, regardless of where in the world data was held or collected – an approach that would likely carry significant consequences in today’s regulatory environment.
Much like compliance regulations, the CDO role has significantly evolved both in scope and responsibility. Let’s explore:
Today’s Chief Data Officer
Historically, CDOs were primarily concerned with determining the types of data an organization will capture, retain and exploit, as well as how it will be utilized. Today’s CDO faces a broad landscape of data to control, surrounded by numerous metaphorical landmines represented by data privacy regulation and, depending on the country and region, penalties that may be levied at both a federal and state level.
The CDO must not only be internally aware of data-handling activities, but also become externally aware of data-centric laws in each market the organization both operates in and collects data from – all while being a trusted advisor to the business. The latter is even more critical, because a common misconception is that only the laws of the jurisdictions where the organization has a physical presence apply. Many privacy laws attach to the data subject rather than the business: the GDPR, for instance, applies to the processing of EU residents’ personal data regardless of where the processing organization is established. Awareness therefore has to extend to every law governing every data source collected.
The CDO in most instances is the single point of responsibility for ensuring an organization fully understands the sources of its data, how it’s handled, why it’s handled and what boundaries and limitations exist. Without this holistic view and central point of control, a business may struggle to maintain adequate control of the existing and new data being collected, as well as its broader implications.
Heightened Focus on Security
Data privacy is no longer just a concern for legal, compliance or security teams; it should be one of the biggest concerns for all departments within a commercial organization, including the board. As organizations continue to comply with the many data and privacy regulations, the responsibility to coordinate with both the board and the Chief Information Security Officer (CISO) falls on the CDO’s plate. These relationships are critical to every CDO’s success, as the CDO will often encounter scenarios overlapping the fields of data security and legal compliance.
One of the responsibilities of the CISO is to provide full monitoring and continuous awareness of personal and sensitive data across the business from a security perspective. By working together with the CDO, the CISO can have a better understanding of where all of an organization’s data lives and can gain key insights into how to prioritize data management and mitigate risk.
As technology and data security practices have evolved, more organizations have deployed capabilities to find and monitor all forms of personal data across the entire company. With those capabilities in place, the CISO and CDO must work together to ensure that all of the personally identifiable information (PII) within the company remains secure and compliant on an ongoing basis, no matter where it is stored.
Repercussions of Noncompliance
Keeping data safe from breaches, fraud and attacks and ensuring compliance with all international data privacy regulations are some of the most important roles the CDO is tasked with. As the ever-changing rules and bylaws for each regulation continue to evolve, it’s critical that the CDO pays close attention to how each regulation differs, along with the heavy cost of being noncompliant.
The two regimes penalize noncompliance differently. The GDPR relies on administrative fines set in tiers according to the severity of the violation, reaching up to €20 million or 4 percent of worldwide annual turnover, whichever is higher. The CCPA, by contrast, combines regulatory enforcement with a private right of action: the state can seek civil penalties of up to $2,500 per violation (and up to $7,500 per intentional violation), while consumers whose unencrypted or unredacted personal information is exposed in a breach caused by a failure to maintain reasonable security can sue for statutory damages of $100 to $750 per consumer per incident, or actual damages if greater. Because these amounts are assessed per violation or per affected consumer, the total exposure from a single incident can quickly get out of hand.
In the past it has been common for data to be stolen from an organization because the data was unknown to it and was stored or processed outside of the organization’s security controls. Under the recent data privacy laws, there is no room for that kind of costly oversight or lack of data awareness: these common challenges can quickly turn into data breaches and/or heavy civil and regulatory liabilities.
To add to the mix, today’s data is more than just employee information and customer lists; it can also include data from a variety of next-generation technology, such as biometric and facial data. With industry estimates attributing as many as 90 percent of data breaches to human error, the CDO can reduce the chance of significant damage from a breach by educating themselves and employees on the different types of data, the regulations that attach to each, and where that information may be stored.
Need for Increased Monitoring
Privacy regulations like the GDPR and CCPA have increased transparency and given consumers the ability to opt-out of data-sharing policies, but as the regulations grow in scale and complexity, CDOs are exploring ways to meet these requirements without hindering business success.
Because an organization must now accept the responsibility of storing sensitive data as a cost of doing business, it’s important for the CDO to confirm that all collected data is being continually monitored to ensure it isn’t stored in, or transmitted to, locations outside of the organization’s security controls. This is similar to having locks on all entry points in an office to prevent access, but also deploying motion sensors and camera surveillance in all sensitive areas to verify that the physical access controls are actually preventing unauthorized access.
All too often, sensitive data files within an organization are either over-shared or inadvertently copied from a secure, encrypted location to an unsecured one (e.g., the My Documents folder on a Windows desktop). A single such copy can result in large quantities of highly sensitive personal data ending up across a number of unknown and insecure locations, which is why discovery has to be repeated rather than performed once.
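The discovery-and-monitoring step described above can be illustrated with a small scanner. The following Python script is an added example written for this page; it is not code from the original article or from Ground Labs’ products. It walks a directory tree, looks for card numbers (validated with the Luhn check so that ordinary digit runs such as order numbers are not reported) and e-mail addresses, and flags every hit that sits outside a list of approved storage locations. The directory layout, the file contents and the single approved “vault” root are constructed sample data, not findings from any real system.

```python
"""Minimal data-discovery scan: find card numbers and e-mail addresses on disk
and flag copies that live outside the locations the organisation approved.
Added illustration for this page; the sample tree and 'approved' roots are assumptions."""
import re
import tempfile
from pathlib import Path

# Candidate primary account number: 13-19 digits, optionally split by spaces or dashes.
# Look-around prevents matching a slice out of a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum so that arbitrary 16-digit strings are not reported as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text: str) -> list[tuple[str, str]]:
    """Return (kind, masked_value) pairs; values are masked so the report itself is not PII."""
    findings = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            findings.append(("PAN", digits[:6] + "*" * (len(digits) - 10) + digits[-4:]))
    for m in EMAIL_RE.finditer(text):
        local, _, domain = m.group().partition("@")
        findings.append(("EMAIL", local[0] + "***@" + domain))
    return findings


def scan_tree(root: Path, approved: list[Path]) -> list[dict]:
    """Walk root and report every finding, marking files that are outside the approved roots."""
    report = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="ignore")   # binary files are skimmed as text
        except OSError:
            continue
        out_of_bounds = not any(path.is_relative_to(a) for a in approved)
        for kind, masked in scan_text(text):
            report.append({"path": path.relative_to(root).as_posix(), "kind": kind,
                           "value": masked, "out_of_bounds": out_of_bounds})
    return report


def build_sample_tree() -> tuple[Path, list[Path]]:
    """Constructed sample: an approved vault plus a user folder holding a stray copy (assumed layout)."""
    root = Path(tempfile.mkdtemp(prefix="pii-scan-"))
    vault = root / "vault"
    documents = root / "Users" / "alice" / "Documents"
    vault.mkdir(parents=True)
    documents.mkdir(parents=True)
    # 4111 1111 1111 1111 is the well-known Visa test number; it passes Luhn.
    (vault / "cards.csv").write_text("name,pan\nA. Smith,4111 1111 1111 1111\n")
    (documents / "copy of cards.csv").write_text(
        "A. Smith,4111-1111-1111-1111,alice@example.com\n")
    # 16 digits that fail Luhn, and a phone number: neither should be reported.
    (documents / "notes.txt").write_text("order 1234567812345678, call 555-123-4567\n")
    return root, [vault]


def run_demo() -> list[dict]:
    """Build the sample tree and return only the findings outside approved storage."""
    root, approved = build_sample_tree()
    return [f for f in scan_tree(root, approved) if f["out_of_bounds"]]


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['kind']:5} {f['value']:20} {f['path']}")
```

Run against a real file share the approved list would come from the organization’s data inventory, and the scan would be scheduled rather than run once, since the copy into a user’s Documents folder can happen at any time after the first pass. The masking in the report matters for the same reason the scan does: a findings file full of raw card numbers is itself a new unsecured location.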
Now What?
We all know that data security and risk mitigation are an integral part of modern business. Ensuring that your data is kept secure has always been important, but recent data privacy regulation means that securing data to a high standard is now mandatory, not just good practice.
A major, ongoing challenge will be determining what information falls under the new regulations and how to find that information within the organization. Therefore, CDOs must look at compliance as a journey. This means establishing the proper people, processes and technology to support regulations, with the understanding that compliance isn’t achieved overnight. With the right steps in place, and under the CDO’s leadership, the compliance journey can become both achievable and repeatable so that it can be relied upon for the long term.
By establishing complete and ongoing visibility of all regulated data, an effective CDO can make a significant impact on organizational processes, the company balance sheet, company reputation and the risk mitigation effort. Most importantly, the CDO serves a crucial role in avoiding regulatory penalties and, ultimately, a costly data breach.