This year, the week carried a little extra significance for the state. Gov. Josh Stein proclaimed Thursday as Data Privacy Day, bringing awareness in his announcement that “personal information is valuable, and there are bad actors who work to profit from it at your expense.” Other state leaders say that message is meant to be more than a one-day headline, with Chief Information Officer Teena Piccione noting in the same news release that privacy shouldn’t feel like an abstract concept, but something residents can actually act on in their everyday lives.
But while these public reminders and designations help set the tone, much of North Carolina’s privacy work happens behind the scenes, shaped by the swiftly evolving ways data can be collected, shared and used.
At the center of that statewide effort is Chief Privacy Officer (CPO) Martha Wewer, who has led the Office of Privacy and Data Protection since May 2025. In state government, she said, privacy is far from theoretical — it’s directly connected to the systems residents depend on every day. And, she noted, state employees handle “vast amounts of data about constituents, the business of the state and the employees themselves.”
With that responsibility in mind, one of Wewer’s first priorities when appointed was uncovering where privacy gaps might exist. Before agencies could fully lean into new tools and become “a leader in the AI world,” Wewer said there was an important step that had to come first: understanding the data already in hand.
“Data classification became our priority pretty quickly,” Wewer said. “It means knowing what kind of data you have, how sensitive it is and where it’s located.” She described these efforts as foundational for everything that followed, especially as agencies adopted new technologies capable of processing information at scale.
Building on those initial realizations, North Carolina has been developing governance structures designed to link privacy and AI policy, rather than treating them as separate tracks. Last year, the state hired its first AI governance and policy executive, I-Sah Hsieh, followed by an executive order that created the state’s first AI Council and Accelerator. Wewer said her office collaborates often with Hsieh to make sure their efforts meet in the middle.
“We work really, really closely to align the AI policies with good data privacy practices,” she said. In her view, the privacy frameworks that have long guided government data stewardship provide a blueprint for approaching AI, often “overlaying” them.
That collaboration, she said, reflects how privacy, cybersecurity and AI oversight are deeply interconnected. “We like to joke that myself, our chief information security officer and our chief AI officer are sort of three legs of a stool,” Wewer said. “AI needs to work with cybersecurity and privacy to ensure that we are protecting the data.”
At the heart of that mindset is the idea that privacy can’t be an afterthought — it has to be built into systems from the very start, a concept Wewer’s office calls “privacy by design.” And to help agencies put this idea into practice, North Carolina has rolled out processes that surface privacy questions early, including privacy threshold analyses required before certain tools are adopted.
Alongside those assessments, her office provides regular training and has established privacy liaisons across agencies, spreading the responsibility rather than keeping it all in one place, according to the CPO.
Another rule Wewer often returns to is simplicity — only collect and work with the data that’s necessary. This principle forms the foundation of privacy protection and extends beyond government systems, she said, guiding the broader conversation around responsible data use. Their office’s focus on thoughtful, minimal data use actually connects to the public sphere, where consumer privacy debates have been heating up in North Carolina’s legislature. Lawmakers introduced a proposed North Carolina Consumer Privacy Act last year, mirroring laws in other states aimed at giving residents more control over personal information held by businesses.
According to Wewer, legislation like this “allows the constituents to have a better choice in how they share their data” and reflects a broader commitment to transparency. But she also noted that such laws are only part of the picture; it’s just as important for residents to understand their options and educate themselves about how companies use their information. This is why the conversations sparked by Data Privacy Week are important, Wewer said, but she hopes residents will take a step back daily and think critically about what data is being requested and why.
“It’s easy for people to get into the habit of thinking that I have to provide my information in order to get this service,” she said, instead of pausing to ask, “Do they need the information that they’re asking me for?”
Ultimately, Wewer said, privacy comes down to two fundamental ideas that should guide both government and the private sector: “choice and transparency.”
