Banner artwork by Sky vectors / Shutterstock.com
In-house lawyers are often the first people our business colleagues think of when it comes to dealing with new privacy requirements. If we're honest, it's not because we necessarily have any special expertise. It's more the combination of the words "privacy" and "regulation" that makes our colleagues want to hand over responsibility as quickly as possible.
It's nice to be needed. But we need to be honest when answering the call. Are we ready to take on the demands of what's required? Do we even know what we're getting into?
Here today to help us work through these questions are Career Path columnist James Bellerjeau and Senior Privacy Counsel Fazila Moosa.
Bellerjeau: Hi Fazila! We've started with the scenario that the in-house counsel has just been named the company's privacy officer. Presumably, there was some history leading up to this moment, and it doesn't come as a surprise to our hard-working lawyer.
Tell us a little bit about what you see happening as companies approach the privacy topic. Is it common for in-house lawyers to be closely involved? Is it inevitable that they are asked to take leading roles? Is it appropriate?
And for all those who find themselves with new responsibilities for privacy, what advice do you give about mastering the role?
Moosa: Lots of excellent questions here, James. Let me work through each of them.
First of all, a resounding yes — it is extremely common for in-house lawyers, the corporate secretary or general counsel, to be handed responsibility for privacy, often with an accompanying title of privacy officer or chief privacy officer. This is especially true in North America. The organizational objective here is to leverage the legal team’s expertise in legal analysis to navigate complex privacy regulations.
However, developing, implementing, and overseeing an effective privacy program is not just about compliance and certainly requires much more than legal skills. Therefore, we are starting to see a shift in where the privacy officer role lands, and I think this makes sense. The IAPP-EY Annual Privacy Governance Report 2022 indicates a slight downward trend in the privacy function being housed in the legal department:
Should the legal team own privacy?
Let’s look at the pros and cons of having in-house counsel serve as the privacy officer.
Pros of in-house counsel as privacy officer
1. Risk identification and breach management
Legal counsel possess a strong risk management mindset and can anticipate potential privacy issues before they arise. A risk-based approach to privacy is essential when evaluating the findings from comprehensive privacy assessments, reviewing privacy policies and procedures, and considering privacy training programs for employees.
Legal counsel must be fully involved in the context of a privacy breach as well, as the organization considers their responsibilities with respect to notifying affected individuals and reporting to privacy regulators. By proactively addressing risks associated with a data breach, legal counsel can help the organization minimize regulatory fines and reputational damage.
2. Liaison with external stakeholders
Privacy officers often need to interact with external stakeholders, including regulators, auditors, insurers, and external counsel. In-house counsel who foster these relationships and are already familiar with legal processes and terminology, can efficiently communicate with these stakeholders. They can handle inquiries, respond to data subject requests, and represent the organization in legal proceedings related to privacy matters.
Cons of in-house counsel as privacy officer
1. Operational focus
While legal counsel can bring extensive legal knowledge to the role of privacy officer, they may lack operational experience. Privacy officers need to have a deep understanding of an organization's data practices, technology systems, and internal processes. Without a strong operational background, legal counsel may struggle to implement privacy programs effectively and advise on mitigating the risks identified. They might overlook operational considerations when formulating privacy strategies, potentially leading to impractical or non-scalable solutions.
2. Conflict of interest
Another potential drawback of having legal counsel serve as the privacy officer is the potential for a conflict of interest. Legal counsel's primary responsibility is to protect the organization's legal interests. As an advocate for the organization, their role is technically not to be an independent gatherer of fact and evidence when it comes to assessing the maturity of their organization’s privacy program or determining the root cause of a data breach.
Although close collaboration is critical, separation of legal, compliance, internal audit, and security functions helps assure independence. As a result, many privacy regulators around the world prefer to see these roles separated. We have seen cases of solicitor-client privilege being claimed too broadly by in-house counsel acting as privacy officers, when the public is expecting more transparency.
3. Skills broader than a legal perspective
As mentioned, the privacy officer’s ability to collaborate across various departments is critical, including with IT, Marketing, and Human Resources. It is important to integrate privacy into other functions to ensure proper management of privacy risk on the ground. In-house counsel may not be as well positioned as someone in a broader compliance or operational role who needs to demonstrate:
- Leadership/interpersonal skills: The ability to effectively communicate (including to achieve buy-in from executives and board engagement), as well as to foster a strong privacy culture; and
- Project management skills: The ability to structure a risk mitigation project and oversee progress and outcomes.
In conclusion, appointing an in-house lawyer as a privacy officer brings a unique set of advantages and challenges. Striking a balance between legal knowledge and operational skills is crucial to successfully rolling out and maturing one’s privacy program.
Advice for new privacy officers
James, you also asked whether I have any advice for those lawyers who are taking on the privacy officer role. Being a privacy professional is a fantastic career move — but it can also be overwhelming.
My advice would be to get the training and education you need to do your job well. Identify your areas of weakness and then take concrete steps to address the gaps in those skillsets. For example, consider getting certified as a CIPP/C and/or CIPP/US (Certified Information Privacy Professional in Canada or the United States with the International Association of Privacy Professionals), or consider the CIPM (Certified Information Privacy Manager) designation that helps you operationalize data governance.
Privacy involves much more than diving into a new area of law. In-house counsel who rise to the challenge of also being an effective privacy officer for their organization will find themselves, with appropriate support and resources, rewarded with an exciting career in a cutting edge and evolving area of practice.