Google No Longer Has a Chief Privacy Officer. Should You Follow Suit?
Google isn’t planning to replace its former chief privacy officer. What it’s doing instead may be another trend, but is it wise?
On June 4, Reuters reported that Google’s chief privacy officer is departing after 13 years at the company. Google does not intend to replace him; instead, it is reorganizing the privacy function by placing privacy professionals in specific product teams.
“How companies are protecting and managing data is far more important today, particularly as AI advances. We are seeing a major shift in how organizations are thinking about digital governance at large,” says Caitlin Fennessy, vice president and chief knowledge officer at the International Association of Privacy Professionals (IAPP). “Privacy leaders within organizations, privacy professionals and privacy teams are taking on more and more aspects of digital governance, and if you're watching this field broadly, you're probably seeing their titles shift.”
Specifically, chief privacy officers are becoming chief privacy and AI governance officers, chief privacy and cybersecurity officers, and chief privacy and AI ethics officers. And, over the past 24 months, organizational leaders have been tapping privacy leaders and their teams to pick up AI governance and build AI governance programs.
“We did interview-based research with a slate of leading organizations about how they are structuring digital governance, and a lot of them right now are taking a step back and trying to think about how they restructure,” says Fennessy. “I’m calling it ‘digital governance’ for lack of a better term, but their internal governance structures.”
Many of the existing risk and governance structures were built for the pre-digital age. Combine that with a continued influx of new technologies, new risk factors and new regulatory requirements, and it becomes clear why change is necessary.
“When we launched our AI governance initiative about two years ago, the reason that we felt we could enter this space was because privacy professionals were already getting the work. And now we recognize that it will be an interdisciplinary field, and some will absolutely come from other domains,” says Fennessy. “The reason we think that privacy leaders are being tapped and should be tapped is because data is central to all of this. Privacy leaders have always had an interdisciplinary approach.”
Specifically, chief privacy officers have been working with legal, IT, communications, and user experience designers, so they already have the necessary interdisciplinary mindset and collaboration skills.
Why Changes Are Happening Now
Mature organizations have had governance structures in place for decades or longer, but with the modern speed of business, appropriate structures need to be put in place pronto.
“Stepping up to put in governance structures that are ripe for the digital age has to happen comparatively light years faster than how we built governance in the past. We all need to come together and explore what’s working [because] we don’t have decades to solve this challenge,” says Fennessy.
The first step is recognizing that the legal requirements for digital governance are evolving and increasing in number. Organizations need to think about them holistically, recognizing that there are tools, particularly in the privacy domain, that can be leveraged to address some of these challenges.
“Tools can be a time saver and they can make governance more functional for the organization so that other teams don’t view some of these digital governance responsibilities as a time sink when it’s an integrated part of a process that probably already exists, and onto which we can tag a few more questions, considerations or risks as part of an existing process,” says Fennessy. “Make sure that there is an escalation process that brings together the right stakeholders, ideally with a single leader who can see across these teams to identify risks that are emerging across them and undoubtedly intersecting so that there aren’t inconsistent approaches to regulations.”
Why a Chief Privacy Officer May Not Be Enough
Privacy as a centralized function is what’s at stake. One reason why distributed structures may work better is that more people would have privacy and compliance top of mind.
“It’s probably become apparent that siloing the privacy responsibilities within an organization in the way that the chief privacy officer title tends to be a recipe for product development and other teams to feel like privacy is not their responsibility,” says Peter Jackson, counsel in the intellectual property group at law firm Greenberg Glusker. “As a result, decisions can be made that affect privacy down the line, because of the way that products are developed or designed from the beginning, or at various junctures along the way, that don't take into account the privacy ramifications of those decisions.”
Designing privacy into products is considerably easier and more effective than bolting privacy onto a product after the fact. Like IAPP’s Fennessy, Jackson also sees enterprises wanting more people responsible for privacy.
“The way that products had been developed to date hasn’t had an adequate privacy mindset from the outset,” says Jackson. “Meta has been under an FTC consent decree around privacy for what could be more than 10 years. It keeps getting revised,” says Jackson. “And if you talk to people who are involved in compliance effort, they’re around privacy. My understanding is that it’s sometimes difficult to have a global understanding of where personal information is in a bunch of different buckets, and they may not know where all of them are. And that just illustrates that one of the richest companies in the world isn’t able to internally understand what information it has that relates to a particular individual and that continues to be the case after a long period of time under this tremendous scrutiny. I think it’s indicative of the broader trend that what we're doing, the way that products have been developed to date hasn't had an adequate privacy mindset from the outset.”
Bottom Line
Google’s reorganization of its privacy function points to a larger trend in which more people are responsible for privacy. In today’s world of analytics, AI and now GenAI, organizations need to be more concerned than ever about understanding the type, location, and quality of data as well as its use.
Over the past couple of decades, unicorns have been built on the personal information individuals have shared. Meanwhile, the amount of privacy regulation has continued to expand globally and will continue for the foreseeable future.