Effective Privacy Officers – Beyond Legal Skills

Effective Privacy Officers – Beyond Legal Skills

In an article published by the Association of Corporate Counsel, I discuss the delicate relationship between privacy oversight and the role of the in-house lawyer. This blog post summarizes the interview. Assigning in-house counsel as the privacy officer or data protection officer (DPO) is common practice within companies – this trend often stems from considering the term “privacy compliance”, leading senior officials to assign privacy responsibility to legal professionals. However, in-house lawyers are not necessarily properly prepared for the demands of this role. 

When legal professionals become privacy officers without the proper education or training, there are significant gaps in their knowledge and abilities in performing their new role effectively. If you are a legal professional stepping into the role of privacy officer, I encourage you to obtain a CIPP/C and/or CIPM designation with the International Association of Privacy Professionals PRIVATECH’s CIPP/C certification training course provides an in-depth understanding of the Canadian privacy legal framework and the interplay between provincial and federal requirements, particularly in light of new regulatory developments and guidance. The CIPM expands upon this knowledge by teaching one how to create a practical and effective privacy management program for mature data governance. 

Although the reality is that legal counsel are still primarily being appointed as privacy officers, recently, there has been a slight downward trend in the privacy function being housed in the legal department (according to the IAPP-EY Annual Privacy Governance Report 2022), largely because developing, implementing, and overseeing a successful privacy program requires much more than legal skills and is not merely about compliance. There are both benefits and risks that arise when in-house counsel are appointed as privacy officers. 

Pros of in-house counsel as privacy officers: 

  1. Risk Identification and Breach Management: A risk-based approach to privacy is essential when reviewing policies and procedures. Legal counsel’s strong risk management perspective also allows them to anticipate privacy issues and handle potential breaches effectively, minimizing regulatory fines and reputational damage. 
  2. Liaison with External Stakeholders: Legal counsel’s familiarity with legal processes and terminology enables efficient communication with external stakeholders such as regulators, auditors, insurers, and external counsel. In-house counsel who have fostered these relationships can handle inquiries, respond to data subject requests, and represent the organization in privacy-related legal proceedings. 

Cons of in-house counsel as privacy officers: 

  1. Lack of Operational Focus: Despite having extensive legal knowledge, legal counsel might lack operational experience required for the role of privacy officer. Privacy officers must deeply understand an organization’s technology systems, internal processes, and data flows. Without this operational background, legal counsel may face challenges in effectively implementing privacy programs and considering practical solutions. 
  2. Conflict of Interest: Legal counsel’s role as advocates for the organization might conflict with the impartiality required of a privacy officer who must assess privacy program maturity or investigate data breaches. Close collaboration is important, however there should be a separation of legal, compliance, internal audit, and security functions to assure independence. 
  3. Skills Broader Legal are Needed: Privacy officers need skills in leadership, interpersonal communication, and project management to collaborate effectively across departments. In-house counsel may not be properly prepared or want to fulfill this need. 

Thus, appointing an in-house lawyer as a privacy officer is not a black-and-white decision. Legal knowledge and operational skills are both essential in the role of a privacy officer, and must be balanced well to successfully establish and support an organization’s privacy program. 

I strongly recommend certifications like the CIPP/C and CIPM to address areas of weakness and address skill gaps related to the position of privacy officer or DPO. Early bird registration FOR PRIVATECH’s training courses will close on October 1st, 2023. CLICK HERE to learn more about our offerings and success stories! 

Contact PRIVATECH if you have any questions about training or need guidance on the privacy officer role.