Organizations today must simultaneously navigate international regulations like GDPR, a patchwork of US state privacy laws, AI-introduced vulnerabilities and consumer expectations for data transparency and control. DataGrail CEO Daniel Barber maps the critical role of data protection officers in managing this multifaceted challenge.
Data is undoubtedly the new currency in today’s digital age. Just like we protect money in banks, we need to safeguard data with strong security measures. As consumers demand greater control over their personal information, organizations face increased data privacy risks, including inaccurate data subject requests (DSRs), breaches and leaks, which can lead to reputational damage, financial penalties and legal action. Meanwhile, shadow IT and generative AI are introducing risks faster than most IT and security teams can address. This underscores the need for robust data privacy measures amid evolving, complex regulations.
A tough challenge, to be sure. So, who ensures your organization navigates these challenges effectively? Enter the data protection officer (DPO), who serves as the gatekeeper of data privacy. The DPO oversees data privacy, ensures compliance and acts as the liaison with regulators.
Globally, the DPO is gaining prominence within organizations. In the EU, where data protection is a fundamental right, the GDPR mandates a DPO for any organization processing personal data of EU residents, regardless of where the organization is located. The GDPR also requires explicit consent, rights of access, correction and deletion, and breach notification within 72 hours; noncompliance can lead to fines of up to €20 million or 4% of global turnover, whichever is higher.
Data privacy in the US
The US emphasizes data privacy and consumer protection through sector-specific laws that prioritize business interests. While the DPO role is starting to emerge, just 32% of US companies have a designated DPO in place, according to a 2024 report.
Additionally, the absence of federal privacy legislation has led individual states to introduce their own data privacy legislation. As of April 2025, over 20 states have enacted or are in the process of enacting data privacy laws, with others readying legislation in the coming years.
While key requirements of individual state laws vary, generally, they each act to grant consumers rights regarding their personal information, including the ability to access, correct, delete and obtain copies of their data, as well as opt out of targeted advertising and data sales. The overarching goal of these laws is to enhance transparency, accountability and consumer control over personal data in the absence of a federal privacy framework. These laws apply to businesses that handle large volumes of consumer data or derive significant revenue from data processing. Most require companies to conduct data protection assessments, maintain transparent privacy policies, and respond to consumer requests in a timely manner.
This patchwork of individual state laws can be overwhelming for organizations, but there is some good news. In April 2025, eight state regulators announced a bipartisan group, the Consortium of Privacy Regulators, which will work together to implement and enforce privacy laws to protect consumers. The bipartisan group includes the California Privacy Protection Agency and the attorneys general from California, Colorado, Connecticut, Delaware, Indiana, New Jersey and Oregon. Since these states’ laws have some common features, the consortium allows regulators to pool resources, share expertise and coordinate investigations. As more states continue to roll out legislation, there’s hope that all can work together to help advance the rights of consumer privacy.
The DPO role within an organization
The DPO can play a key role in adapting to the evolving regulatory picture, maintaining legal compliance and public trust. The role itself is often misunderstood, but as you consider creating it for your organization, one thing is clear: the DPO must be an expert in data protection laws, operating independently and without conflicts of interest.
As crucial as this role is, many organizations may not have resources to create a dedicated DPO position. The challenge then is deciding who should take on this critical responsibility. Do you assign it to your chief technology officer (CTO), general counsel (GC) or chief information security officer (CISO)?
The most obvious track would be to assign it to a chief privacy officer — someone with a deep legal and privacy background and connected to the systems that process personal information. However, many businesses are not equipped to expand that role within the company. In that case, the role often falls to the GC, whose legal background should help them keep up with the privacy regulations at the state, federal and international levels.
Other options include the CTO, who, while an expert in the tech stack and data flows, is typically distant from regulatory and privacy-specific requirements. The CISO is also often floated to own the role, being close to breach detection and security controls, but may have limited expertise in privacy law and compliance nuances.
While these options may work in the short term, the ideal solution is to resource a dedicated DPO, who offers privacy-first expertise with a focus on compliance.
As you seek to implement the DPO role, some points to consider:
- Understand the role: Ensure you have a solid understanding of the DPO’s responsibilities, including compliance oversight and risk management.
- Evaluate expertise: Seek out individuals with specialized knowledge of data protection and privacy laws and experience across various industries, so they can handle your specific needs and stay up to date on the latest regulations.
- Optimize your tech stack: Ensure your systems and tools are equipped to support the success of your DPO.