Four privacy operating model scenarios offer pros and cons for firms making the shift

This is Part 3 of a four-part series aiming to help privacy officers revisit their current privacy operating model and assess whether it delivers the value expected by key stakeholders. This post discusses shifting privacy responsibilities and key functions from the second to the first line of defense; what is driving the change; and options for privacy program ownership within the first line of defense. Part 1 explored important elements that make a privacy operating model effective in delivering value. Part 2 discussed how organizations are responding to the evolving privacy regulatory landscape.  

As organizations grapple with navigating more stringent privacy regulatory requirements, combined with heightened pressure to earn customers’ trust in how their data is used and safeguarded, traditional responsibilities for privacy compliance are shifting to the first line of defense. There are three reasons behind the shift:

  1. Cost Pressure – continued cost pressure on the second line of defense, driving closer scrutiny of roles and responsibilities (72 percent of senior compliance officers surveyed by Accenture have quantitative cost reduction goals over the next couple of years [1]).
  2. Business Transformation – increase in the integration of second line of defense risk management activity, focusing capacity on timely, relevant advisory support for changing risk profiles (business growth is considered the primary driver of transformation in compliance among compliance officers surveyed by Accenture, and 5x more important than regulatory change [2]).
  3. Stakeholder Expectations – regulatory and senior management expectation of higher touch and more precise day-to-day risk identification and assessment (only 29 percent of executives surveyed by Accenture indicated their ecosystem partners are working towards compliance [3]).

As illustrated below and based on the Accenture 2019 Compliance Study, 60 percent of respondents agree compliance responsibilities are shifting to the first line of defense. This is not a surprise, as the front office is well positioned to identify and respond to privacy risks in a timely manner in the course of its day-to-day interactions with customers.

Source: Accenture 2019 Compliance Survey

Increasing accountability for the privacy program within the first line of defense 

The shift of privacy program oversight from the second to the first line of defense has been primarily driven by regulations with strong consumer rights provisions, and focused on the use, disclosure and handling of personal data. This resulted in broader involvement of first line functions that have significant interaction with personal data, such as customer service, HR, IT and marketing.

More recently, we have observed that organizations establishing a more sustainable operating model for privacy have also explored shifting the ownership of program oversight to the first line of defense. This is a significant organizational change since it establishes a single point of accountability for privacy within the first line function.

Below are scenarios of potential privacy leadership roles within the first line of defense, including pros and cons. These roles would be built around key capabilities. The Chief Customer Officer as privacy leader would have strong customer experience capabilities and acumen. As for the Chief Information Security Officer and the Chief Data Officer as privacy leader, they would have strong technical backgrounds with a solid understanding of security controls and data flows. Moreover, a scenario can be explored where the privacy, information security and data management functions are all under one organizational construct for greater synergy and cohesion.

1. Chief Customer Officer as privacy leader

Pros: 

  • Maintains focus on consumer journey and delivers a positive experience when consumers exercise their rights (e.g., requests for data access or erasure, opt-out to selling of data)    
  • By understanding the potential trade-offs between changing privacy requirements and the opportunities created from more customer insights, can generate greater efficiencies for the business 

Cons: 

  • Newer organizational role, and therefore less established business as usual risk and control capability 
  • Role is not currently scoped to provide enterprise coverage across all lines of business 

2. Chief Information Security Officer (CISO) as privacy leader 

Pros: 

  • Allows delivery efficiency among privacy and information security function inter-dependencies, including maintaining safeguards around personal data    
  • Creates efficiencies in regulator engagement given existing channels for information security briefings 

Cons: 

  • Removed from day-to-day consumer engagement—would require ongoing enterprise partnership to understand consumer expectations

3. Chief Data Officer (CDO) as privacy leader 

Pros:

  • Creates efficiencies from proximity and management of consumer data 
  • Has visibility into data lifecycles 
  • Has enterprise view of organization 

Cons: 

  • Removed from day-to-day consumer engagement—would require ongoing enterprise partnership to understand consumer expectations 

4. Organizational Evolution – new first line role spanning privacy, information security and data office 

Pros: 

  • Promotes efficiencies across privacy and close dependencies for control and performance 
  • Helps position the organization as industry leader 
  • Helps to respond quickly to future changes in regulations and evolving industry expectations around privacy  

Cons: 

  • Industry shortage of talent to span domains 
  • May require similar increase in the scope of the second line role for efficient oversight 

The traditional second line ownership of privacy program by Compliance and Legal 

Accenture’s experience with privacy programs globally indicates that many organizations position second line ownership of privacy oversight within the Compliance, Legal and Operational Risk functions.

Due to its role, Compliance has gained experience in program transformation, including building its stature in managing larger programs (e.g., Anti-Money Laundering and Volcker Rule in the case of financial institutions). Compliance tends to view regulatory requirements more holistically through a “spirit of the law” lens, due to its experience in program monitoring, oversight and governance. It has also gained experience managing risks more comprehensively by working across the second line of defense, including deploying integrated risk assessment and testing methodologies.

However, Compliance should align with other organizational disciplines such as data management, information security and information lifecycle management to expand its oversight capability. This alignment can be addressed by having the privacy, information security and data management functions combined under a new role as outlined above.

Also key to monitoring and assessing the evolving regulatory landscape is maintaining a solid working relationship between Compliance and Legal. As Legal’s expertise lies in interpreting regulations and defining the organization’s obligations, it plays a critical role in guiding organizations through a complex and dynamic regulatory landscape and overseeing how they respond to escalating changes across the business.

However, it should be noted that typically, Legal is less experienced in managing or overseeing broader transformations, including operationalizing processes to meet privacy regulatory requirements. Such transformations require managing dependencies across key functions within the second line of defense (e.g., Compliance, operational risk, third-party risk). Here too the Legal-Compliance relationship is key.

Ownership of privacy responsibilities depends on the strategic direction an organization is pursuing and its ability and capabilities to adapt to mounting privacy regulatory requirements and expectations, as well as customers’ demand for greater control over their personal data.

We will conclude this series in Part 4 by discussing how organizations can tactically designate key privacy functions and responsibilities across the first and second lines of defense.

Reference: 

  1. “From Pressure Comes Clarity – 2019 Compliance Risk Study,” Accenture, 2019. Access at: https://www.accenture.com/us-en/insights/financial-services/2019-compliance-risk-study-financial-services.
  2. Ibid.
  3. “Accenture Technology Vision 2019,” Accenture, 2019. Access at: https://www.accenture.com/us-en/insights/technology/technology-trends-2019.
