Only 12 states had an enterprise-level privacy official — either a CPO or someone with a different title but similar responsibilities — in 2019, compared to 21 states in 2022.
NASCIO’s new report draws on survey responses for 17 state privacy officials to examine how the role is evolving, states’ varying approaches and the challenges facing the role today.
INSIDE THE ROLE
State CPOs are tackling a wide variety of tasks, including developing privacy policies and helping stakeholders infuse privacy into their processes, per the report. Privacy officials also led trainings, responded to incidents and oversaw privacy impact assessment processes. Respondents mentioned working on data-sharing agreements and 59 percent said they were involved in approving proposed IT contracts and purchases.
Nearly all state privacy officer respondents — 88 percent — said they focused on a mix of policy concerns and operational ones, rather than primarily homing in on just one or the other. Many said they are working to develop a privacy program for their state (41 percent), while 29 percent said their state already has one created.
EMPOWERING, ENVISIONING THE PRIVACY OFFICE
NASCIO recommends in its report that states ensure their privacy officials have authority over the executive branch and that CPOs “at least have a collaborative relationship” with the rest of state government. But 2022’s privacy officials were less likely to have this purview than were their 2019 counterparts, something NASCIO said would be “concerning” if it proves to be a trend.
Fifty-three percent of CPOs had authority over the executive branch in 2022, compared to 83 percent in 2019, and 35 percent of 2022 CPOs had purview over only their own department or agency, compared to 17 percent of 2019 CPOs. But 2022 also saw a few CPOs saying they had authority over the entire state government, a level of reach shared by none of 2019’s survey respondents.
CPOs’ authorities also don’t always extend to enforcing enterprise privacy policies — fewer than half of CPOs today (41 percent) have this power. Thirty-five percent of CPOs said another entity or entities handle this instead — such as agencies ensuring compliance among their own teams and operations — while 24 percent said policies weren’t enforced.
States today do seem to be viewing privacy as part of a larger picture: They are more likely to bring the CPO role out of the IT department than they used to be, something NASCIO said reflects that privacy “is important across the entire enterprise and is tied to security and data, not just technology.”
Three years ago, CPOs often reported to the CIO or CISO (49 percent and 33 percent of 2019 respondents, respectively), while 25 percent selected “other.” 2022, meanwhile, saw CPOs reporting to a variety of figures including the CIO (29 percent), CISO (24 percent), an official in the governor’s office (6 percent), or a “different administrative head” (29 percent). Another 12 percent of 2022 respondents selected “other.”
SO YOU WANT TO HIRE A CPO?
When considering who to hire, it may be worthwhile to note the background of other professionals filing the role. Per the report, most CPOs had law degrees — 76 percent of 2022 respondents — and many of the others reported strong backgrounds in privacy, security and government. Many also had specific privacy credentials, including 10 with Certified Information Privacy Professional (CIPP) certifications.
In 2022, as in 2019, CPOs recommended that states looking to create a CPO position clearly articulate their goals for the position and also ensure that executive leadership is on board. To be most effective, a CPO should be given “strong authority” and put on equal footing with the CIO and CISO, the report states. CPOs recommended housing the position within the governor’s office; IT, legal or administration department; or another high “visibility” and “centralized” spot.
Several respondents recommended that states also appoint privacy officials at each agency who can then work with the state CPO and help raise awareness within their agencies about the importance of privacy. NASCIO underscored this and advised states train up agency-level privacy officers if they are unable to hire for such roles.
Whether states are hiring CPOs for the first time or looking to empower CPOs already on staff, they would do well to ensure the office has funding for both privacy-related initiatives and staff, NASCIO said, noting that lack of this is a common complaint.
Respondents indicated that the rising popularity of having a state CPO still has not produced much designated funding for the role, with only one person saying they had “a defined budget for privacy initiatives.”
CPOs also had advice for newcomers to the role, and recommended communicating and working closely with chief data officers (CDOs), CIOs, CISOs and legal teams. Respondents also said that CPOs should take time to learn about the different agencies they’ll serve. Each agency may vary in the amount and sensitivity of the data they collect, as well as the ways they use it and the regulatory obligations they face, and privacy officers must learn these nuances.
And at the end of the day, creating a privacy program can be a lot of work, and one respondent warned that it can take years and the passage of new laws and administrative rules to achieve.
“Start with a long-term view and be empathetic of the agencies you will be working with,” the respondent wrote. "Many of these agencies have never been told to build a robust privacy program. They want to improve; they just need proper guidance and time.”
