The future belongs to those who understand data. Nowhere will this adage be truer than in the General Counsel’s office. As data privacy is reaching the fore of consumer consciousness, and as the United States inches toward a possible federal data privacy law, an increasing number of Chief Privacy Officers are being tapped for the ultimate legal hot seat: the General Counsel spot.
Visibility and knowledge: Up, down, and across
A CPO (Chief Privacy Officer) works deeply in all aspects of an organization: product, e-commerce, advertising, analytics, engineering, business development, HR, customer care, PR, and more, touching every part of the business. Part of their mandate is to work collaboratively to “change hearts and minds” both horizontally and vertically in an organization, says Kirsten Daru, General Counsel of Tile, who made this transition after a decade at Electronic Arts, culminating with the Chief Privacy Officer title. Daru argues that the level of visibility across and up and down that a CPO has gives the role a uniquely intimate level of credibility and visibility within an organization. Unlike many of their commercial counsel colleagues, privacy officers/attorneys are involved in nearly every deal, and their legal knowledge must be equally deep and broad, from contract negotiation to product deals, compliance, corporate law, regulatory reporting, employment, advertising, M&A, litigation, and government affairs. This combination of broad access to the business and understanding of the laws creates depth, breadth, and visibility throughout an organization that is unparalleled by its other legal counterparts outside of the privacy function. This positions the CPO who is also an attorney for organic promotion or matriculation into a general counsel role.
CPOs and GCs both move holistically through the business as creative problem solvers but also have the same three goals: achieve business objectives, minimize risk, and exceed employee and customer expectations, according to Daru. These objectives inform the analytical process and decisions of both roles. “Whether data mapping or configuring an analytics system… working on a commercial deal, or giving product advice, you have to think of those three things,” says Daru. Getting privacy right achieves that end and propels a business forward; thus, a strategic CPO is thinking like a GC long before she is tapped for the role.
Another crucial way in which the two roles think similarly is around culture and business perception in the marketplace. “Privacy is a compliance matter, of course, but it is also a culture issue” posits Sue Gaudi, another notable CPO-to-GC leader who started her in-house journey at Torstar (owner of the Toronto Star, among other media properties), eventually becoming CPO, then segued into the General Counsel role at The Globe and Mail for nine years. Viewing privacy as a matter of culture is a keystone way to show customers that a company cares and is increasingly a competitive differentiator. Both roles are required to consider how the industry handles similar issues and consider deeply not just what the company can do legally but what it should do. The difference in how a CPO and GC think and approach business hurdles and public perception is not one of scope but one of scale.
Getting from A to GC
While the ever-heightened visibility of data privacy in the cultural landscape will surely propel an increasing number of privacy leaders into the GC’s office, there are some universal considerations a privacy leader aspiring to own a corporate legal program should bear in mind.
“By definition, a GC is a generalist. [For a General Counsel,] it is important to have a handle on all things legal and often all things non-financial risk. [For privacy leaders seeking to move into a GC role,] it is helpful to have developed a broader practice,” says Gaudi, who did just that early on in her in-house career. As her time at Torstar dovetailed with PIPEDA coming into force, she volunteered to work on the PIPEDA rollout as a way to work across the business, birthing both her career in privacy and her internal reputation as a cross-functional resource. The PIPEDA rollout presented Gaudi with “a large growth opportunity for me in project management, advocacy, and collaborations – all things that serve a GC very well.”
This sentiment is echoed by Daru, who encourages GC hopefuls in privacy to “raise your hand to take on projects” and to “network internally and externally,” with the reminder that policy and operational projects are those that afford the most cross-functional experience; one could find herself counseling the CEO and an entry-level product engineer in the same day, on the same project. Daru and Gaudi both urge privacy professionals to leverage that exposure to build a reputation in the business as someone who pushes objectives forward, instilling trust within the business; to take advantage of the honor that it is to be in privacy, which provides access to so much of the business; and to cultivate a collaborative and creative reputation, dispelling any internal myths of privacy pros as being the “no” attorneys.
While privacy is still growing and gaining value and visibility in both the corporate and cultural zeitgeist, privacy’s growth trajectory is so significant that it makes the rise of the CPO-to-GC model an inevitability. With the significant overlap in both exposure to the business and like-minded creative thinking, it is easy to argue that no one is better suited for the top job. Expect this trend to emerge most notably in healthcare and healthcare tech, but don’t be surprised when its trending supersedes industry vertical and slowly becomes the obvious norm for next-generation GC talent harvesting.