I realized that the wide (and fairly random) variety of emails, LinkedIn messages, and phone calls I get weekly offers a unique lens into what’s happening in privacy.
People always ask me, what are other companies doing? So, I figured what better place than this privacy perspective newsletter to share what I’m seeing and what it means for companies.
Privacy Roles are Shifting
One message from a privacy pro told me he knew of a few Chief Privacy Officer roles that had been eliminated, with privacy rolled into the Compliance office. This person was wondering: is this the start of a shift?
On a different call, someone shared that their company, where privacy reported to Legal, had cut the budget for privacy tech and services. Two other companies shared a shift where IT now owns the privacy budget, which is then getting cut.
I am hopeful that this is not a continuing trend, as IT teams are not ideal owners for the entire privacy function and often don’t fully comprehend the suite of privacy requirements. I do think it’s OK to have IT own the privacy tech stack as long as there is input from someone who will actually use the software.
While there are definitely companies losing privacy roles and shifting privacy into compliance, security, IT, legal (and wherever the decision makers decide it should go), I’m also seeing a LOT of companies hiring privacy talent at all levels.
We’re seeing significant inbound activity for our fractional privacy officer services. This makes sense to me because companies still have privacy requirements and are trying to figure out what to do.
So, do I think there’s a shift? I do think that companies are moving who owns privacy, and we’ll see a see-saw of some companies reducing privacy teams and others adding them.
Privacy is not going anywhere, and all these companies still need to manage privacy obligations and customer expectations. Remember my prediction in issue 1, where I said we’ll have more enforcements?

Friendly reminder that we don’t read about all the conversations with regulators. What regulators and companies discuss behind closed doors often stays there.
I think companies are managing budgets, privacy is new, and many inappropriately think that if they did a few steps for GDPR, CCPA, and maybe some other states, they are done. Those leaders don’t realize that’s the foundation and the beginning. It will take customer pushback, more enforcements, more laws, or privacy incidents for the companies that reduced privacy budgets to adjust them.
I also see the push into AI everything helping to support the need for privacy, which brings me to the next super popular topic … AI regulations & governance.
What’s Everyone Doing Around AI Governance?
One company is curious about AI governance and the latest on AI regulation. I’ll start with sharing my favorite new resource on staying up to date on US AI regulation, and that’s following my good friend and privacy attorney, David Stauss’ Peak Privacy Post on LinkedIn.

If you want to stay in the know, go subscribe (after you finish reading this newsletter, of course).
One tech company wanted to know what I am seeing with other tech companies on this issue: Is the processor (the tech company) saying that most of the privacy obligations are the customer’s responsibility, or are they absorbing some of those obligations?
Like the good non-lawyer I am, I answered, “Well, it depends.”
We got into a deep discussion on the use of AI, the intersection between AI and privacy, AI governance, and privacy risk assessments, which then led to a controller vs. processor discussion. Why? Well, what happens if the software also starts making decisions based on the customer’s data? What if the software also uses that data to build its own database or to help its learning? And what are the customer’s expectations of the software provider?
All these questions then got us talking about why those privacy risk assessments are SO important. A company can’t answer these complex AI governance questions without answering all these privacy-related questions first. And all those questions are asked in privacy risk assessments (or PIAs, DPIAs … take your pick of the acronym; they are all fairly similar, with slight nuances).
CCPA’s Privacy Risk Assessments are Taking Companies by Surprise
It’s taking companies by surprise that they need to start documenting privacy risk assessments (technically, CCPA says to have this started by 1/1/2026). Of course, other laws have required PIAs, and GDPR requires DPIAs.
We’re finding that companies are looking at whichever assessments they already have and adjusting them so they end up with one privacy risk assessment that works for all the applicable laws. Like all parts of privacy, maturity runs the gamut, from Word documents to Excel sheets, to basic software, to advanced automation.
The right solution for you? The one that will actually get something documented. I’ve seen companies stand still for 6 months or a year or more trying to find the “best solution,” and yet personal data is collected, used, shared, and stored this entire time with little to no evaluation.

Spend some time reviewing your privacy risk assessment process. Start with: do you have a process? Is it working? Is there someone actually completing assessments and reviewing them? Once reviewed, what happens if there’s a risk or issue?
Now is probably a good time to review your assessment template to ensure it’s in line with applicable regulations.
A common complaint that we hear is that assessment templates are too long and not always relevant. This is where the threshold assessment comes in. Think of it as a short list of questions about a product or feature to determine if a PIA is even needed. This step minimizes the burden on the business of completing unnecessary assessments and also reduces review time for the privacy team.
Once you have a functioning process with an updated template, then you can look to the next maturity step for your organization and consider where you can make improvements. It’s really important to right-size for your company and not buy software when you have no process.
Some common improvements are moving from a manual document to using basic assessment technology and then using technology to automatically flag privacy risks.
Performing a privacy risk assessment is only part of the process. Someone actually has to review it for accuracy, completeness, and, of course, for privacy risk. We see many companies so focused on the template that they forget to identify a person versed in privacy to review it.
While I was writing this (fun fact: it takes me a few days to write, review, edit, etc.), I talked to a company that hasn’t started doing any privacy risk assessments. That led us down the path of whether they have a data inventory, since the two are so intertwined. The CISO said: it’s like a spider web. Yes! It is, and that’s a great way to explain it.

Why? Privacy is interconnected.
A data inventory informs when to do a privacy risk assessment and has a lot of the base information to populate a risk assessment. Both of these activities help a company learn about the data being processed and identify impacts to other parts of the privacy program. These include: does the privacy notice need to be updated, has a vendor been properly vetted, can a privacy right be honored, and is the data properly secured?
Privacy risk assessments aren’t just a random checklist of questions that get filed away. They are what actually makes a company stop and think before processing data. They are where all the good and deep conversations happen, going beyond “can we use the data?” (which is part of it) to “should we use the data?”
Questions like: what would the customer expect from us collecting, using, or sharing this data? How could processing this data impact our business or marketing campaign?
Do you need software?
That’s a great question. We actually wrote all about it in a blog late last year (and it’s been a popular article that people keep sharing).
An ideal state is using software for data inventories and privacy risk assessments so that they feed each other and remove duplicative work. It can also use automation to flag risks. Software is not required to be compliant; it just makes it all easier. And software that people ignore isn’t helpful or compliant either.
My answer? If you have nothing, identify your budget and timing first to determine if software is viable. If it is, explore that. If it’s not, then begin with the process, create a template, and do a pilot risk assessment to start. If your organization already has a privacy risk assessment in place, then review the assessment template today to ensure it complies with the jurisdictions in scope, like GDPR and CCPA’s new requirements.
Then move to your process and ensure assessments are completed on time, reviewed when they should be, and risks mitigated.

Don’t forget to train the people.
Process and policy only work when people know what to do. Companies manage these risk assessments differently. We have seen the business owner be trained to complete them on their own. We have had some companies train business owners to just complete a threshold assessment, and then the privacy office completes the privacy risk assessment.
Getting Started Today
Now is the time to get your privacy risk assessment program running smoothly. Assessments are critical to flagging risk and, of course, required, especially with CCPA’s new requirements.
The best option is truly unique to each company, and we firmly believe in right-sizing to your company’s risk, budget, resources, and volume of assessments to complete. To help get you started, check out our resources here.
We’re also in the process of creating a great new CCPA privacy risk assessment resource. What would you like to see in it? We love creating materials that are most useful to you!
Remember, hit reply and let me know because I read each and every message!
A significant number of you are likely reading this while iced or snowed in and I hope you are staying warm!
Until next time,
Jodi
When you’re ready, here’s how we can help:
Privacy Advisory & Implementation: We help companies navigate privacy requirements with confidence. Our advisory support covers strategy, operations, and real-world implementation.
Fractional Privacy Services: We provide fractional privacy leadership tailored to your needs and pace. From program development to day-to-day support, we help you build and sustain a strong privacy program.
The post What Does My Inbox Say About Privacy These Days? appeared first on Red Clover Advisors.