Privacy Officers Say Their Role Must Adapt with Times
With emerging technologies and issues in the health care space, the role of privacy officers must also evolve and adapt to stay relevant in a changing landscape, said a panel of privacy leaders during the National HIPAA Summit Thursday.
“To stay relevant, we really need to be considering what's going on in what I call privacy-adjacent functions,” said Kim Gray, global chief privacy officer (CPO) at IQVIA. “Get out there and learn a whole lot more.”
According to a recent IAPP survey, Gray said AI governance, data governance and ethics, and cybersecurity compliance were three of the most important “extra” functions other privacy officers were taking on as part of their roles, so she educated herself and her team on those issues. “We as CPOs have a skill set that is relevant” and familiar to AI and cybersecurity, Gray said.
Especially on the cybersecurity front, as threat actors have gotten more sophisticated, privacy officers need to take on additional responsibilities, she said. “The first thing that organizations need to think about is creating their own risk profile, knowing what their vulnerabilities are, and paying attention to the reasons for the cyberattacks,” Gray said. “Perhaps everyone should be practicing [breach response] before it happens, so it goes a lot more smoothly when the inevitable incident occurs.”
Elizabeth Ortmann-Vincenzo, chief privacy officer at Banner Health, said the role of a privacy officer can shift with new policies as well, such as the 2022 Dobbs decision. Though changes to regulation can happen at any time, “we’ve just got to comply with it as best we can for the time being and try to work with the requesting agencies and law enforcement to understand that the burden is not just on them, it's on us,” she said. “Our attitude … is we're all in this together. Let's help each other out.”
More recently, the Trump administration’s rollback of the policy of avoiding immigration enforcement in sensitive locations like hospitals is something the industry has had to deal with as well, Ortmann-Vincenzo said. “There was confusion, there was fear, there was upset,” she said. “There was a lot of requests for support, training.” The CPO said she received questions including: “What are the procedures? What do I do when someone from [U.S. Customs and Immigration Enforcement] or Customs and Border Protection comes into my facility?”
The CPO's role “was giving them procedures, and very clear procedures, and making sure that they knew their support, who to call, what to do, what not to do, how to de-escalate any situations,” Ortmann-Vincenzo said.
The emergence of AI is also something the healthcare sector is beginning to grapple with, said Cora Han, chief health data officer at University of California Health. However, since “many vendors offer interesting tools, but they don't necessarily have a use case or a use case that might be relevant for your organization,” it’s important for organizations to first determine the problem they’re trying to solve, she said. “And then ask, perhaps, what data and tools are needed to solve that problem, because perhaps not everything is” best “addressed by an AI tool.”
But, Han said, it’s important to remember privacy when it comes to implementing new AI technologies. “There is often, I think, tradeoff between utility and privacy when it comes to these technologies,” she said. That balance “really requires some careful calibration, and I think this is particularly true with respect to healthcare data, given the complexity that is often in patient records. So there may be privacy-enhancing technologies that are already more effective in other industries, but people are proceeding with much more caution in the healthcare industry.”
Kirk Nahra, co-chair of WilmerHale's privacy and cybersecurity practice, agreed. “The whole idea of ‘things will be good in the future, but they're not quite there yet’ is very much part of the struggle right now, as we're all trying to implement these tools,” he said.
Gray said that when implementing AI tools and systems, it’s important to continue to consider the privacy risks, so privacy officer involvement is helpful. “If we actually were relying upon the existing privacy principles and using them as our basis instead of trying to recreate the wheel, I think that AI governance would go faster,” she said.