Companies are managing larger amounts of complex data and the cost of non-compliance with privacy regulations is higher than ever before, both from a financial and a reputational standpoint.
The growing role of privacy in business
According to ACC’s 2022 Chief Legal Officers Survey, 60 percent of CLOs expect an increase in privacy-related regulatory enforcement in their industry over the next year, and nearly 75 percent of CLOs expect the privacy landscape to at least “somewhat impact” their business operations. When asked to rate the top issues (out of 16 listed) in terms of their overall importance to the business, cybersecurity, regulation/compliance, and data privacy were by far the most important and have remained so for the past three years.
Additionally, 55 percent of CLOs reported data privacy protection as an issue likely to cause the biggest legal challenges for their organisation, ranking second behind industry-specific regulations at 66 percent. Compare this to as recently as five years ago when only 27 percent of CLOs reported privacy as being an “extremely important” issue for their organisation.
Privacy reports to the CLO in half of organisations
ACC’s annual CLO survey report, along with several other ACC studies, has shown a clear and dramatic increase in the importance of and focus on privacy issues. What has been unclear is where the privacy function sits and to what extent legal is involved.
We know that legal staff in the smallest legal departments are typically generalists, having either to handle all legal work (including privacy) directly or allocate to outside counsel specialists. That said, 75 percent of responding departments said that privacy is managed exclusively in-house according to ACC’s 2021 Law Department Management Benchmarking Survey.
However, the 2022 CLO Survey shows that privacy (whether handled by an individual or as an entire function) now reports to the CLO in nearly half of all companies worldwide. In companies where the privacy function does not currently report to the CLO, 15 percent believe it should. Out of 21 business functions, privacy now ranks as the third most common reporting line to legal after compliance and ethics.
Most common functions report to legal
The CLO’s role with regard to privacy matters cannot be overstated, as businesses that have invested in and are prepared for security attacks have reported experiencing 15 percent fewer breaches than those that are unprepared. Should a breach nevertheless occur, companies that are prepared suffer a lower financial impact and less downtime before their systems are back up and running again.
Legal’s oversight of privacy is being demonstrated through the investment in privacy technology. 13 percent of CLOs believe that privacy issues will be their top resource challenge through 2022. 56 percent said they have already implemented technology solutions in preparation for complying with data privacy regulations, and 23 percent of CLOs report that they plan to adopt data privacy technology solutions to improve efficiency in the next year.
Aside from privacy, the report discovered that CLOs are also taking on an even greater role when it comes to compliance, ethics, risk, and regulatory affairs. This showcases the growing range of responsibilities that are now falling under their control, and the central role CLOs are playing when it comes to major decision making and oversight within their company cannot be overstated.
An increase in hiring and compensation is expected for privacy professionals
The EU General Data Protection Regulation came into effect more than three years ago, and since then two-thirds of the world’s countries have enacted privacy legislation. General support for these kinds of privacy laws is high, with an average of 83 percent believing that such laws have a generally positive effect on business. For companies within the EU to ensure that they are compliant, they will have to place a greater focus on, and invest more in, hiring legal counsel to help deal with this issue.
19 percent of CLOs say they expect to increase the hiring of privacy professionals in 2022, which is up from 14 percent in 2021. This number is as high as 30 percent among larger companies (with more than US$10B in revenue), likely due to the scale and complexity of the privacy issues faced.
The ACC Foundation’s 2020 State of Cybersecurity Survey also showed that 24 percent of companies have a data protection officer, and 22 percent now have a chief privacy officer, up from 16 percent in 2015.
Higher incomes are being awarded for privacy-related positions
Along with our partner Empsight International LLC, ACC also collects extensive compensation data on dozens of in-house legal positions each year. The median base salary in US dollars for the three most common privacy roles in the legal department, Chief Privacy Officer, Privacy Director, and Privacy Manager, has increased since 2014, with Chief Privacy Officers showing the most substantial change.
Over the course of eight years, the median base salary for this position jumped from US$190,000 to US$285,000 (a remarkable 50 percent increase). Base salaries for Privacy Directors and Managers were the highest in 2021 as well, though the increase for those two positions was more moderate.
A 2021 survey from the International Association of Privacy Professionals (IAPP) found similar results. Their data showed that in just two years, the mean salary of a privacy professional increased by approximately €4,950.
These multiple data points highlight the fact that with these added responsibilities comes added value placed on these roles and potential personal gain for any in-house counsel wishing to pivot towards a privacy-focused role.
The outlook for privacy in the legal department
All indications show that the legal department’s strong focus on privacy is here to stay. On December 10, 2021, the EU reached an agreement on the Data Governance Act, an act that will likely come into effect in summer 2023 and will apply to all data, rather than just personal data. This act will mostly affect privacy professionals through the way in which their company makes use of public sector data, which includes personal data, and its potential to share or reuse this data. With this first EU initiative on data legislation in place, and more on the way, hiring legal professionals who will solely deal with an organisation’s compliance with these requirements appears to be essential for the future.
CLOs rank data privacy as a critical issue for businesses. Many oversee the function directly as part of the legal department and are also looking to hire privacy specialists in greater numbers.
ACC will keep monitoring the evolution of privacy in the legal department. For further insights on how the privacy function is structured and managed, keep an eye out for our 2022 Legal Department Benchmarking Survey (June 2022), as well as the 2022 ACC Foundation: The State of Cybersecurity Survey (October 2022) for valuable insights and trending data on the development of key privacy policies and practices.