Reasons Privacy Teams Are Expanding Responsibilities

Privacy isn't just about privacy anymore (and maybe never was). That's my takeaway from a fascinating new report from IAPP - International Association of Privacy Professionals. As regulations related to privacy, AI governance, cybersecurity, and other areas of digital responsibility rapidly expand and evolve around the globe, organizations are taking a more holistic approach to their values and strategies related to data. One indicator: over 80% of privacy teams now have responsibilities that extend beyond privacy. Nearly 70% of chief privacy officers surveyed by IAPP have acquired additional responsibility for AI governance, 69% are now responsible for data governance and data ethics, 37% for cybersecurity regulatory compliance, and 20% for platform liability. And, in my opinion, if privacy teams don't have official responsibility for other areas of data governance (AI, data ethics, cybersecurity), they should surely be coordinating with those other teams. https://lnkd.in/gM8WGx9T

DOJ Crackdown: Privacy Teams must restrict data flows before April 8, 2025! The U.S. Department of Justice (DOJ) has finalized a sweeping ban on data transactions that expose Americans' sensitive personal data and government-related data to foreign adversaries. This is one of the most aggressive data security moves in recent years. What’s covered? a) Prohibited data transactions: Selling, licensing, or sharing sensitive U.S. data with countries of concern or covered persons is now restricted. b) Data brokers in the crosshairs: The rule bans U.S. persons from selling or licensing access to bulk personal data to specific countries. This also applies to cloud, fintechs, health tech, and adtech vendors. c) Vendor & employment agreements are impacted: The rule imposes security requirements on vendors, employment agreements, and investments to prevent indirect data access. Which data elements are protected? The DOJ has identified specific high-risk data types that are now restricted: - Precise Geolocation Data (Within 1,000 meters, tracking patterns of life) - Personal Financial Data (Bank accounts, card details, investment records) - Human ‘Omic Data (Genomic, epigenomic, proteomic - critical for biometric surveillance & biosecurity threats) - Biometric Identifiers (Facial images, voiceprints, retina scans, fingerprints) - Listed Identifiers (Social Security numbers, driver’s licenses, MAC addresses, IMEIs, SIM card numbers, advertising IDs, IP addresses) - Government-Related Data (Employee records, security clearances, government contractors’ data) What should privacy professionals do? With April 8, 2025 as the enforcement deadline, privacy teams need to track and restrict cross-border data flows while ensuring compliance: 1) Scan websites & mobile apps - Identify third-party integrations, tracking pixels, SDKs, and APIs that collect protected data types and transmit them internationally. 2 ) Monitor network traffic for cross-border data flows -Analyze where sensitive data is sent, including cloud providers, analytics tools, and ad networks. 3) Review vendor & employee agreements - Ensure third-party vendors, foreign employees, and offshore teams cannot access restricted data or transfer it to high-risk jurisdictions. 4) Block unauthorised data transfers - Implement geo-blocking, access controls, and encryption to restrict data sharing with countries of concern. How prepared is your organization for these changes? What challenges do you foresee in tracking data flows? #privacy #datasecurity #DOJ #databrokers #AI

In 2020, Steve Zalewski challenged my assumptions. He asked a simple question, how does DataGrail help me sell more jeans? It changed my view on the market immediately: Companies are leveraging privacy to manage risk, protect their brand, and drive operational efficiencies. 1/ 𝐏𝐫𝐢𝐯𝐚𝐜𝐲 𝐢𝐬𝐧’𝐭 𝐣𝐮𝐬𝐭 𝐚𝐛𝐨𝐮𝐭 𝐫𝐢𝐬𝐤 𝐚𝐯𝐨𝐢𝐝𝐚𝐧𝐜𝐞—𝐢𝐭’𝐬 𝐚 𝐟𝐢𝐧𝐚𝐧𝐜𝐢𝐚𝐥 𝐬𝐚𝐟𝐞𝐠𝐮𝐚𝐫𝐝. Reputational damage from privacy missteps can have a much wider impact than fines or legal fees. Proactive privacy programs don’t just protect data—they protect revenue, brand trust, and long-term business stability. 𝟐/ 𝐑𝐞𝐠𝐮𝐥𝐚𝐭𝐨𝐫𝐲 𝐜𝐨𝐦𝐩𝐥𝐢𝐚𝐧𝐜𝐞 𝐢𝐬𝐧'𝐭 𝐣𝐮𝐬𝐭 𝐧𝐞𝐜𝐞𝐬𝐬𝐚𝐫𝐲—𝐢𝐭'𝐬 𝐚 𝟓𝟎-𝐬𝐭𝐚𝐭𝐞 𝐡𝐞𝐚𝐝𝐚𝐜𝐡𝐞. Teams are juggling a patchwork of state regulations that all have different rules for data processing, consumer rights, and DPA timelines. Investing in scalable privacy frameworks now prevents costly overhauls with each new law. 𝟑/ 𝐀𝐮𝐭𝐨𝐦𝐚𝐭𝐢𝐨𝐧 𝐝𝐢𝐫𝐞𝐜𝐭𝐥𝐲 𝐬𝐚𝐯𝐞𝐬 𝐨𝐧 𝐡𝐞𝐚𝐝𝐜𝐨𝐮𝐧𝐭 𝐜𝐨𝐬𝐭𝐬 Data subject requests (DSRs) increased 246% between 2021-2023. Automating workflows like DSRs and privacy assessments improves efficiency and eliminates the need for additional staff. If privacy is still viewed as a compliance function in your organization, it’s time to rethink the strategy. How are you positioning privacy as a business asset?