October 2019 The Rise of the Chief Privacy Officer

Data Privacy & Security: Introduction

The reputational damage linked to a series of high-profile data breaches, combined with strict data privacy rules introduced by GDPR, has cast a spotlight on the protection of sensitive consumer data. More than two million cyber incidents occurred in 2018, resulting in more than $45 billion in losses, according to the Internet Society’s Online Trust Alliance (OTA), so it is hardly surprising that data protection has become a priority for the boardroom. Household names including Facebook, Yahoo, Marriott and Sony have all fallen victim to breaches, and as the threats become increasingly sophisticated and pervasive, consumers and regulators have been calling for firms to adopt more aggressive counter-measures. With increased scrutiny over how personal information is protected, the need to establish, hire, or elevate the role of Chief Privacy Officer (CPO) continues to grow.

The Why: Regulation

Under GDPR, which came into force in the EU last year, organizations must demonstrate who is accountable within their organization for data protection. Not all organizations are required to appoint a Data Protection Officer (DPO); the role applies specifically to a public authority or body, or if you carry out certain types of data processing activities. Inevitably GDPR led to a flurry of DPO appointments to ensure compliance with the new laws.

In the US, California has led the way in privacy regulation with new laws due to come into effect in December 2019. Several other states have also been looking into this topic, and the prospect of privacy laws being passed at the Federal level seems increasingly likely. New guidance from the Committee of Sponsoring Organizations of the Treadway Commission is expected to address how companies can apply the principles of enterprise risk to protect against cyberattacks, how to better craft risk-appetite statements, and how to better manage risk and compliance across an enterprise.

The What: Mandate

In the absence of a prescriptive law around how these roles and their mandates should be defined, there is considerable variation from firm to firm. Privacy is about personally identifiable information and the CPO is ultimately responsible for how that information is collected, stored, shared and transmitted. A major component of the role is therefore compliance, but in many cases the CPO is also responsible for incident response, working closely with the CISO.

Increasingly one of the most important “advisory” components is around the commercial use of data. Organizations with access to rich data sets have to tread a fine line between using the data to both enhance customer experience and build new revenue streams, whilst ensuring they don’t fall foul of privacy laws. The CPO is therefore playing an increasingly pivotal role as an advisor to business leaders.

The Where: Organizational Alignment & Resourcing

Chief Privacy Officers tend to be legal, compliance or (increasingly) technology professionals. Naturally certain industries prioritize privacy more than others, which is reflected in how they are aligned organizationally. Ultimately, it can be argued the structure is less important than collaboration between the key constituents, critically the CPO and CISO. In technology organizations for example, the role is at a minimum considered a key member of the legal executive management team, if not an independent function with a seat at the executive committee table. At others, it may be 2-3 levels down within the legal or compliance organization, and inevitably with less stature comes less influence.

We are observing some privacy legal teams that are already large and rapidly growing in size, while others are lean and expected to lead by influence, and leverage existing resources within the organization. Some global organizations are choosing to roll out a lowest common denominator approach and apply minimum standards globally. Others are choosing not to centralize their programs and instead allow each region to develop their own policies, which makes the Chief Privacy Officer role inherently more challenging.

The Who: Qualifications

One thing that is consistent across industries is the demand for talented privacy professionals. As with most roles of this nature, there is an important technical component that requires staying current with both technology threats and the evolving regulatory landscape.

However at a leadership level, given the cross-functional nature of this role, and the fact that many large global organizations lack a centralized “command and control” organizational construct, “soft” skills are particularly critical to success, notably:

• Crisis management: CPOs who are familiar with crisis management and can react and prioritize quickly in the face of a breach are highly valuable.
• Collaboration and influence: Strong communication skills, the ability to build consensus and influence key stakeholders is critical. In the US, most CPOs are also very engaged with external advocacy efforts.

Compensation

Mid to senior level privacy attorneys and CPOs are being courted by companies of all shapes and sizes, with compensation levels steadily increasing as the talent market grows tighter. CPOs at top tier companies are targeting compensation close to and in some cases north of a million dollars, with some of the tech companies in Northern California compensating closer to two million dollars.


Gender Diversity

There is a very balanced talent pool of females and males in privacy leadership roles. Most CPOs have trained as technology, intellectual property, litigation, or regulatory attorneys, which are largely professions that foster gender diversity. A minority of current CPOs are non-attorneys with broad-based compliance experience, so while the mandates are likely less advisory and more compliance focused, gender diversity is again very evenly balanced. Also, industries that have traditionally less diverse talent pools can reach into other sectors to find the prerequisite skills.

In a recent search we conducted for a Global Privacy Counsel, our long list comprised 229 candidates in Europe and the USA, across payments, technology, professional services, telecoms & media, retail, financial services, insurance, hospitality, healthcare and energy sectors. Interestingly, 44% of qualified candidates were female.

Conclusion

The reputational risk attached to a data breach is such that we expect more organizations will appoint and/or elevate the Chief Privacy Officer role. Organizations need to be prepared to invest in these hires and act quickly as the talent spectrum is moving fast in response. Organizations where the CPO role has real stature are able to demonstrate to consumers and the external community that the organization is taking data privacy seriously. However, as is the case with most leadership roles of this nature, it is a combination of tone from the top and a strong “risk culture” that determines how safe an organization really is.


2019: Selected Key Privacy Leadership Hires and Promotions

• Michel Protti, VP, Partnerships Product Marketing at Facebook was promoted to Chief Privacy Officer.
• Tamara Connor joins KPMG as Information Protection and Privacy Counsel from E*Trade Financial where she was Associate General Counsel and Chief Privacy Officer.
• Andy Roth, Partner at Cooley, joins Intuit as Chief Privacy Officer. Roth replaced Scott Shipman, who joined AppLovin as Chief Legal Officer.
• Kristy Tompkins, Senior Counsel, Global Data Use & Privacy at Visa joins Warner Bros. Entertainment as Senior Counsel, Privacy and Information Security.
• Farah Zaman, Global Data Privacy Counsel at Colgate-Palmolive, joins Meredith Corp. as Chief Privacy Officer.
• Christina Montgomery, Legal Secretary to IBM’s is promoted to VP and Chief Privacy Officer.
• Harvey Jang, Senior Director, Global Data Protection & Privacy Counsel at Cisco is promoted to Chief Privacy Officer and Counsel.
• Renard Francois, Global Chief Privacy Officer at GE, joins JPMorgan Chase & Co as Global Chief Privacy Officer.
• Darren Bowie, Chief Privacy Officer and Associate at AIG, joins MUFG as Chief Privacy Officer.
• Tami Dokken, Chief Privacy Officer and Global Data Protection Officer at MoneyGram International, joins The World Bank as Chief Data Privacy Officer.
• Juliana Spofford, Assistant General Counsel, Privacy & Compliance at Dun & Bradstreet is promoted to Chief Privacy Officer.
• Deb Sokol, acting North American Chief Privacy Officer at Citi joins Allstate as Senior Privacy Counsel.
• Chris Murphy joined Electronic Arts as Chief Privacy Officer & VP, Legal Affairs from General Motors where he was Lead Counsel, Global Cybersecurity & Privacy and Chief Privacy Officer. Chris replaced Kristen Daru, who joined Tile as General Counsel.
• Amy Carlson, Chief Privacy Officer for Stoel Rives, joins Motorola as Senior Privacy Counsel.
• Nubiaa Shabaka, Global Head of Cybersecurity and Information Security Legal and North America Head of Privacy and Data Protection Legal at Morgan Stanley, joins AIG as Chief Cybersecurity & Privacy Legal Officer.
• Tricia Wood, Senior Counsel Global Privacy at Liberty Mutual Insurance, is promoted to Chief Privacy Officer.
• Ben Hayes, Chief Privacy Officer at Nielsen, is hired as Zeta Global’s first Chief Privacy Officer.
• Susan Myers, Chief Administrative Officer for Fidelity in India was promoted to Senior , Chief Privacy Officer at Fidelity Investments.
• John Crisan, at Johnson & Johnson, assumes the role of Chief Privacy Officer.
• Karen McGee joins Levi Strauss & Co. as Chief Privacy Officer from Intel Corporation where she was Managing Counsel, Privacy Legal.
• Nuala O’Connor joins Walmart in a newly created role as Chief Counsel of Digital Citizenship. She previously held senior privacy counsel roles at General Electric, Amazon.com and the Department of Commerce.

Meet the team

David Carden, Partner
Rachel Kalogiannis, Consultant
Kaila Malone, Associate
