In September, the Osano privacy team was lucky enough to attend a couple of industry events with privacy executives and privacy pros on the West Coast, including the IAPP's “Privacy. Security. Risk.” conference in Los Angeles.
From demos with prospects, meetings with customers, coffees with partners, connecting with new and older friends, and dancing with a purple cowboy hat at the after party, the Osano team was able to enjoy time with each other as well as our friends in the broader privacy community.
As always, there were some valuable learnings, great connections and an opportunity to discuss some of the challenges that privacy pros are facing today. We also were really lucky and got to debrief our resident tech genius, co-founder and CTO Scott Hertel on some of these sessions. It was awesome to nerd out over coffee on some of the themes we heard, and how we can continue to evolve our platform with innovative privacy solutions.
Being in-person and having the chance to chat over coffee is always a treat, and I deeply appreciate the time from those we met with and who shared thoughtful perspectives on evolving privacy risks. Just like other pros, we really benefit from being able to chat through privacy challenges and how we can all work together to do the right thing.
Here were my takeaways:
Privacy pros have a lot on their plate. While the job descriptions and scopes vary by business, it's clear that privacy pros are covering an ever-expanding list of responsibilities: privacy, cyber compliance, online safety, digital risk, AI, corporate governance, ESG, training and enablement, government affairs and policy, and more. And with those changing responsibilities, the structure of teams is changing too.
We're increasingly hearing of data governance responsibilities and amended titles, with increasing partnership across privacy-adjacent functions such as GRC and security. This is reflected in the expanded mission of the IAPP to cover privacy, AI governance, and digital responsibility globally as well as the launch of the IAPP’s Cybersecurity Law Center.
With increasing responsibilities and limited or no additional budget or headcount, privacy pros are facing a number of challenges, including scope creep and the risk of burnout and overwhelm. Privacy leaders need to take steps to ensure that they are planning how they can support their teams before burnout sets in. This might mean considering training and development opportunities, prioritization, and tooling that supports automation.
Enforcement and private litigation are on the rise, with regulators emphasizing that more is on the way. However, enforcement patterns and litigation trends vary by geography.
All regulators are warning that enforcement is coming. States like Texas, Colorado, and New Hampshire have established specialist divisions to handle privacy complaints, sharing litigation resources. Each says that they are well staffed and ready to enforce. Organizations therefore need to take heed of this, evaluating the privacy commitments they make, ensuring that they can honor privacy rights being exercised, and understanding their data flows.
Privacy pros need to be thoughtful about building their program in a way that anticipates defense. Documentation of analysis, decision-making processes, and rationales is critical. Regulators have abandoned investigations when shown the "why" behind decisions. Regulators want to see a program—this means moving beyond just writing policies or checklists to showing how they are operationalized. Having auditable records can help provide explanations and justifications of decisions.
In the past quarter, there has been a slowdown of new privacy laws globally. In part, this is because many legislatures aren’t in session in the summer months but also because it's an election year. That said, we anticipate the progression of bills to continue in Q1, particularly as governments take a "whole of society" approach to data regulations rather than an industry or sectoral one. And this will continue to roll out to cover privacy and AI.
Overall, it’s clear that the role of the privacy pro is changing, and their list of responsibilities isn’t shrinking anytime soon. If anything, the only constant in a privacy pro’s life is that change is inevitable—that, and the fact that Osano is there to support you when contending with these new laws, responsibilities, and trends.