Top CPO Lessons Learned in 2020 and the Impact on Their 2021 Plans

PKWARE recently participated in a virtual roundtable event for CPOs and facilitated a discussion about how the events of 2020 had impacted their plans for 2021. The event included a diverse group of 53 participants, and common themes emerged that cut across various sectors. The year 2020 brought about both the culmination of the preparatory work many companies engaged in during 2019 for the California Consumer Protection Act (CCPA), and the surprise of COVID-19 that required many CPOs to adjust plans and adapt to their respective organizational circumstances. Interestingly, both the pandemic and CCPA underscored for many CPOs the importance of data-related skills in the privacy office.

COVID brought about various data-driven internal engagements for the privacy office. The heavy reliance on data across countries of operations and the need to adopt new controls over the processing of health data, from collection to disposal, highlighted the fact that not all global privacy programs are truly global in their reach. More specifically, adapting to the new reality of the pandemic demonstrated to privacy professionals how little they (and their companies) know about business processes that involve personal data. The move to working from home introduced new security controls and migrated more data to SaaS applications and other cloud environments. While these changes gave many privacy offices a higher internal profile, they also drew attention to the lacking skill sets needed to effectively address these challenges.

A positive realization for some CPOs was that preparing for CCPA helped their COVID response. This prep work that took place fairly recently required the privacy office to make new contacts with those processing personal data, discover where certain data was being processed, and led to the development of new data and identity inventories. CCPA forced privacy offices that were previously focused solely on policy and regulation to learn new technical skills. For example, CPOs had to better understand how their use of cookies and pixels aligned with their notices, and how to improve the rigor of consent management.

To many CPOs, COVID and CCPA demonstrated the fact that their offices are too removed from the details of data processing in their companies. Luckily for some, the higher profile of the privacy office in 2020 provided budget and staff growth in 2021 that will now include professionals with IT and data management skill sets. Related to this evolution is the overall COVID-driven realization that the development of practical information governance capabilities was also needed; this too supported the augmentation of privacy offices with new skills.

Next year promises to be an exciting year for many privacy professionals. The events of 2020 clearly expedited the maturation of the privacy offices in many companies. This evolution will likely show its impact on the questions CPOs will be asking about personal data and the solutions they seek to adopt. It’s clear that 2021 will likely continue to bring new challenges and regulations, and with higher visibility and budgets going into the new year, CPOs are expecting to be more prepared for the challenges that lie ahead.