When to Hire a Chief Privacy Officer
(Post 1 of 4 in the series of Scaling CPO’s)
Most startups don’t have a Chief Privacy Officer and just rely on outside advice from external counsel or a privacy consultant. In Startup CXO our Chief Privacy Officer from Return Path, Dennis Dayman, strongly advocates for privacy to be baked into a startup at the very beginning. Some startups probably don’t have any help in this area at all but given the importance of privacy and security issues today that’s a mistake.
If your startup doesn’t start life with a Chief Privacy Officer you’ll have to heed some warning signs and here are some I’ve picked up over the years. First, you’ll know it’s time to hire a Chief Privacy Officer when you wake up in the middle of the night terrified that you’re going to find your company on the front page of the newspaper or served a subpoena to testify before Congress about a data breach. Even if you’re not waking up in the middle of the night you might be concerned about privacy if you are spending too much of your own time trying to understand what PCI Compliance, or HIPAA, or GDPR means to your business. Or if you really don’t see the connections between your business and privacy issues in general, then a Chief Privacy Officer can be very helpful.
You might get tough questions from your board on what your data breach client communication plan is, and if you don’t have a great answer and aren’t sure how to get to one, then it’s time to think about a Privacy Officer.
A fractional Chief Privacy Officer may be the best option for most startups…forever. Sometimes you can find one fractional executive for both the Privacy and Chief Information Security Officer roles. You probably can’t get by without a full-time leader in this area if you are large (>$50mm in revenue) and are sitting on a massive amount of consumer data, especially if that information involves PII, financial, or health information. But if that’s not you, a fractional Chief Privacy Officer may be the way to go. While a fractional executive is similar to an outside lawyer or consultant, an executive has a company title for external credibility and the personal commitment to the organization to ensure compliance. A fractional exeuctive is way more than a consultant since they’ll be able to provide guidance to employees and represent the company as if they were a full-time Chief Privacy Officer.
Not every startup needs a Chief Privacy Officer since you can cover your bases with lawyers or consultants, but if you’re collecting lots of data from jurisdictions across the world you’d be wise to get a Privacy officer, or a fractional executive, sooner rather than later.
(You can find this post on the Bolster Blog here)