Taking Ownership of Data Privacy Management

Taking Ownership of Data Privacy Management

Evolving data regulations around the world and growing scrutiny over privacy practices mean that companies should step up data governance with a dedicated team, as they can no longer afford to relegate the task to the IT department, writes 451 Research senior research analyst Paige Bartley.

Only 8% of organizations polled by the 451 Alliance said they have a dedicated data privacy team. This contrasts with another finding, where a significant proportion of respondents agreed that data privacy concerns pose a significant barrier for companies to be more data-driven in their business strategies.

Overburdened IT

Data management in most companies typically falls under the purview of the general IT department due to the nature of their role in handling data-related matters, even as their resources are overstretched to meet the demands of remote working.

Perhaps more worryingly, there could be systemic risk from assigning the IT team with the sole responsibility to keep sensitive information safe. It is a nuanced task that requires the expertise of the legal and compliance team, while the IT and other relevant departments need to step in to fulfill the technical mandates.

What it takes to do data privacy right

The rollout of regulations such as the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), not to mention several high-profile data breaches, were wake-up calls for organizations to devote dedicated resources to data privacy.

Another survey carried out by the 451 Alliance in early 2021 shows a correlation between ownership of the data privacy program and scope or maturity of the effort within the organization. In other words, a dedicated team allows organizations to be more strategic to streamline data management at scale in-line with their business objectives.

A spectrum of privacy-related skills is required for the data privacy team, which can be recruited from interdisciplinary resources including compliance, legal, technical and data management, information security, and line of business. 

An effective data privacy effort should also have a bottom-up approach to represent views, pain points and objectives across the organization, from end users of the applications to the C-suite leaders.

Enter the CDO

Organizations may opt to hire a chief data officer to lead the team ­– a fairly new position in most organizations with varying responsibilities and reporting structure.

Meanwhile, others that fall under the GDPR oversight would have appointed a data protection officer – a role expected to be familiar with both jurisdictional law and technical data protection mechanisms.

Regardless of the title, Bartley emphasizes that data privacy responsibility should be complementary to the overarching data-driven objectives of the organization. Undue friction inflicted on data consumers within the organization would be unsustainable and defeat its purpose. Rather, the effort should be driven by data access governance technology, which offers self-service data users with firm but low-friction guidance.


Want insights on data privacy trends delivered to your inbox? Join the 451 Alliance.