NASCIO Report: State CPOs Facing More Work, Fewer Resources

The National Association of State Chief Information Officers’ fourth look at the chief privacy officer role finds 31 states now have one — but lack of staffing and funding are among the challenges.

There’s a bit of a paradox playing out in state government: The more important privacy becomes, the harder it is for the people in charge of it to keep up.

A new report from the National Association of State Chief Information Officers (NASCIO) examines this tension more closely, focusing on chief privacy officers (CPOs) across state governments and the growing gap between their expected responsibilities and their actual capabilities. The survey-based report, released Wednesday, centers on a simple but increasingly urgent reality: Privacy leaders are being asked to do more, often without the staffing, authority or funding to match.

At the heart of the findings is a shift that has been building for years but is now harder to ignore. Meredith Ward, NASCIO’s deputy executive director, pointed to a sharp rise in demand, telling Government Technology that “the demand on CPOs has exploded because of additional data created by digital government, data breaches and a demand from citizens who are increasingly focused on privacy.” And the surge in expectations is not subtle. Ward noted that it has become “much more of a mainstream topic than even five years ago.”

In 2020, only 17 states had a dedicated CPO, but by 2026, that number had nearly doubled to 31. It’s not just about having someone in the seat: what CPOs are doing has evolved far beyond simple legal compliance. According to the NASCIO report, state CPOs now handle a wide range of responsibilities, including enterprise privacy governance, managing data risk and reviewing vendor and procurement activities.

[Chart: growth of the CPO role in government]
Source: National Association of State Chief Information Officers 'Privacy Persevering' CPO Survey

“When I think about the rise in CPO numbers, I can’t think of another position I’ve seen experience so much growth so quickly — and that’s in 13 years at NASCIO,” Ward said.

But the expansion of the role hasn’t come with equal growth in resources. The report makes clear that while many CPOs have a strong understanding of their responsibilities, execution is where things become difficult. Ward said: “Most CPOs know what their job is, but they are struggling with the authority, budget and staff to execute it consistently.”

Report findings demonstrate this; 54 percent of states are still in the process of developing a privacy program this year. That’s a 13 percent increase from just two years ago. The data show that while the role of the chief privacy officer is expanding, many programs have not yet reached full maturity, with more than half of states still developing the structures, processes and authority needed to make their privacy efforts fully operational. Only a smaller share fall into the “established” category, according to the report.

[Chart: maturity of state government programs]
Source: National Association of State Chief Information Officers 'Privacy Persevering' CPO Survey

That pressure is also reshaping how privacy work gets done, especially in states that don’t yet have a dedicated CPO. In those cases, Ward said, “most state CISOs who don’t have a CPO are doing that work themselves and they would really like to have a state CPO” — illustrating how privacy and security roles are increasingly overlapping, in what she described as an “integral partnership” that is likely to deepen over time.

But that’s only one hurdle to climb, according to the report. When asked for their top three obstacles, CPOs surveyed consistently pointed to the “Big Three”: funding, lack of employee expertise or knowledge, and CPO governance issues.

[Chart: obstacles for state privacy officers]
Source: National Association of State Chief Information Officers 'Privacy Persevering' CPO Survey

Collaboration also emerged as a key strategy to navigate privacy challenges. Among CPOs’ advice to states looking to “elevate the role” is a focus on coordination and shared responsibility across government. Per the report, “statewide coordination, resources and cross-functional partnerships drive success,” though respondents stressed that authority alone is not enough without “funding, staffing, training and strong collaboration across CIO, CDO, CISO, legal, risk and agency teams.”

That idea reflects a broader shift in how state technology functions operate. Ward connected it to an ongoing effort within NASCIO to break down what she described as the “siloes of excellence” that can exist across agencies. In practice, that means moving away from isolated pockets of expertise and toward a more integrated model where privacy, security, data and technology leaders work in tandem. “Gone are the days when every entity could operate in a vacuum and not be collaborative,” she said.

The findings paint a picture of a role that is expanding and evolving in real time. CPOs are being asked to manage growing volumes of data, respond to heightened public expectations and navigate emerging technologies, while working within constraints that haven’t kept pace. The result is a balancing act that requires not just technical knowledge but, per the report, coordination across teams, clarity of purpose, and increasingly, support from the broader organization.

But for states, the takeaway is more about how to support the people responsible for privacy. The report suggests that without stronger alignment between expectations and resources, even the most capable privacy leaders may find themselves stretched thin.
Ashley Silver is a staff writer for Government Technology. She holds an undergraduate degree in journalism from the University of Montevallo and a graduate degree in public relations from Kent State University. Silver is also a published author with a wide range of experience in editing, communications and public relations.