Because each U.S. state has its own privacy laws and there is no comprehensive federal law, it is difficult to know which privacy regulations apply to your organization. Navigating these legal waters therefore requires extensive experience, knowledge of the applicable international, federal, and state laws, and a background in IT, cybersecurity, and data privacy management.
Examples of privacy laws include:
- Health Insurance Portability and Accountability Act (HIPAA)
- European Union's General Data Protection Regulation (GDPR)
- California Privacy Rights Act (CPRA)
- Massachusetts Data Privacy Law
- New York Privacy Act
- Colorado Privacy Act (ColoPA)
- Virginia Consumer Data Protection Act
The Role of the Chief Privacy Officer (CPO)
A relatively new role, the Chief Privacy Officer (CPO) is responsible for managing the privacy of data within an organization. The CPO creates company policies, procedures, and strategies relating to the privacy of both customer and organizational data. Some regulations, HIPAA for example, require organizations to designate a privacy official dedicated to compliance with privacy laws. In many organizations, that official is the CPO.
"The sum of data generated by 2025 is set to accelerate exponentially to 175 zettabytes. More data is created per hour now than in an entire year just two decades ago." – Dave Mosley, CEO, Seagate Technology
As discussed in several of our previous blogs on data privacy regulations, the issue of how companies must protect customer and individual data has quickly risen to the forefront. Given the complexity of laws and how they vary across countries and states, it makes sense to have a role dedicated to managing the intricacies.
Taking a broader risk management perspective, the CPO could be part of a three-legged stool with the CISO and the CIO. The CISO's role would be to protect the enterprise from cybersecurity risks. The CIO would provide the infrastructure that makes driving revenue possible. Finally, the chief privacy officer would lead the oversight body to ensure privacy and compliance.
According to the International Association of Privacy Professionals (IAPP) 2019 Salary Survey, the median annual salary for CPOs in the U.S. and the European Union was $200,000 to $212,000. The survey report also expects job opportunities for CPOs to continue to match or exceed the 31 percent increase in jobs for all information security professionals projected by the U.S. Bureau of Labor Statistics for 2019 to 2029.
What is a Virtual CPO (vCPO)?
Often an organization does not have in-house talent, finds itself between in-house CPOs, or decides to outsource the role for efficiency reasons. A Virtual Chief Privacy Officer is a service contracted from an external service provider. A high-quality vCPO service provider brings a team of experts with knowledge of data protection laws and practices and experience maintaining compliance with international, federal, state, and industry-specific privacy regulations.
Why Hire a vCPO?
For many organizations, it is efficient and cost-effective to outsource to a vCPO as a permanent solution. A single person can only know so much, whereas a vCPO service brings a bench of experts to the table. When data processing activity is particularly complex or involves a large amount of sensitive data, the vCPO brings a high level of expertise and support.
Using an outside consultant or vCPO is often an advantage because, by nature, they bring an independent mindset. In addition, a qualified vCPO is an expert in privacy law and practices and is unencumbered by internal politics or the old 'we've always done it this way' syndrome.
Do you need a specialist, or can a vCPO service be one aspect of a vCISO solution?
Cybersecurity and privacy are distinct disciplines with their own practices. Nevertheless, they overlap, and most experts agree you cannot have privacy without good cybersecurity. The vCPO role can therefore be a component of an overall quality vCISO service. Unlike a full-time CISO, a vCISO service lets you buy just what you need when you need it, depending on your immediate or long-term requirements. Our clients come to us for everything from a targeted pen test on a specific system to a holistic cybersecurity, privacy, and compliance program. A vCISO program can be customized to your business security and privacy needs, and the value it brings to your organization includes cost savings, scalability, and flexibility.
Not every business can internally support the staffing and resources necessary to develop a robust privacy program. Fortunately, you can partially or fully outsource the job of CPO to trusted partners. At Truvantis, our vCISO/vCPO service is not a one-size-fits-all solution. Instead, we take a personalized approach to your business situation, cybersecurity, privacy, and incident response requirements.
Truvantis is a cybersecurity consulting organization providing best-in-class cybersecurity services to secure your organization's infrastructure, data, operations, and products. We specialize in helping our customers improve their cybersecurity posture by implementing, testing, auditing, and operating information security programs.