Who should be responsible for information privacy: CEO or CIO?

post-title

Gwirio’s David Roux says that POPIA compliance is often misunderstood and rarely prioritised.

By David Roux, director at Gwirio

Your CEO is already tasked with a huge amount of accountability and key performance elements for the whole organisation, specifically driving revenue and strategic growth. Should they also take on the process elements and accountability of privacy as many organisations already do? Or should the CIO be tasked with privacy?

The CIO is already the master-of-technology in the organisation, the driver of the data engine and the keeper of the information infrastructure – in short, all the digital elements that touch personal information are under his or her care. It seems a natural fit, doesn’t it? The simple answer is that neither should be the Information Officer.

Noncompliance is at your own risk
The CIO and the CEO already carry quite a burden for the organisation. To be thrown into the deep end of a privacy and compliance journey might not seem so daunting but it is important to consider the associated risks.

Compliance is not a project but a continuous process that must be managed. Non-compliance with privacy legislation can end with a fine for the organisation and in severe cases, even jail time for the information officer – something everyone wants to avoid.

Your CIO focuses on technology, solutions for the operations and safekeeping of the organisation in a digital world. They tend to be invested in the processes, systems and resources and focused on return on investment. The CIO is tied to the organisation and its performance, driving revenue and results.

An information officer, on the other hand, should be more independent. They must be allowed to assess and evaluate systems and processes, evaluating risks and compliance, and looking at how information flows through the organisation. They must be able to focus on privacy.

The CIO tends to also be internally focused, keeping the data engine turning, while maintaining safety. The Information Officer needs to step beyond the technology and internal organisation. They need to assess partner processes such as recruitment and telemarketing, through to debt collection. They must also review the paper-based information flow, from collection through to the processing, storage and finally recycling.

It goes beyond legislation; don’t leave it to the lawyers
The role of an information officer is a diverse but critical one, which brings us to another question. If not the CEO or CIO, who then? Please do not appoint a lawyer as your privacy compliance officer. The role is more than understanding legislation and drafting new policies.

There is a definite role for legal privacy, as there is for information technology, but the champion should be a person that can bridge business and legislation, track various risk items and address these with management.

The Information Regulator has set out some basic elements for an information officer such as that they must be a full-time employee, in senior management, or reporting to the executive. They are accountable for educating the organisation on privacy and driving privacy principles, but more importantly, they are responsible for the development, implementation, and management of a privacy framework.

Many organisations miss the point of a privacy framework, and they miss the benefits it can deliver. A framework can help management understand what information is used in the organisation, how it is used, why it is used and how it is protected. This is value beyond the process and can identify new value for the organisation.

Critical elements that management and the information officer must understand, and address are:

  1. Privacy cannot be a project, as it is a continuous process. Information changes, processes change, and we need managed interaction with customers, employees and suppliers.
  2. A managed privacy framework must be deployed to drive compliance. This will provide the organisation with a template to identify potential risks, address process elements and measure progress.
  3. A data lifecycle management solution that helps to identify and track information. Privacy risk originates from all the information stored and processed. It is important for the information officer to know what information they are responsible for.
  4. Interaction with Data Subjects. Key to privacy is interaction with data subjects, beyond queries and complaints, but also to ensure data integrity and right to process information.

Compliance is, at its core, a journey. Although no company in South Africa is fully compliant, many have taken steps in the right direction.

Related articles

CIO Dinner: impact beyond the C-suite

CIO South Africa returned to eThekwini for an exclusive session featuring the nation’s top IT and finance professionals, aimed at exploring the true impact these executives have within the boardroom.

Top