
NASCIO shares roadmap to help chief privacy officers create statewide programs from scratch

NASCIO's report names several factors contributing to the necessity of a formalized privacy program, and the hurdles to accomplishing it.

The National Association of State Chief Information Officers shared a new report on Thursday that provides chief privacy officers with a roadmap to help them create statewide privacy programs from scratch.

Titled “Creating a Privacy Program: A Roadmap for States,” the report names several factors contributing to the need for a formalized privacy program, including the increasing use of digital services and generative artificial intelligence within state governments — the latter of which many privacy professionals have warned should be preceded by considering the privacy risks of the tech.

The growing number of chief privacy officers also indicates a need for a more formalized structure, the report said, adding that the position is one of the fastest-growing leadership roles in government: the national count has grown from just five state chief privacy officers at the beginning of 2015 to around 30 currently.

Additionally, the report said that because many states have enacted a comprehensive consumer privacy law in the absence of federal privacy legislation, along with the growing frequency of data breaches, there is a greater awareness of privacy issues among constituents that chief privacy officers should consider.

Despite all of these motivating factors, the report notes numerous challenges chief privacy officers face when trying to establish a formal program, especially from scratch, due to the novelty of the field. For example, because many privacy laws only focus on consumer privacy, states are left to establish their own privacy governance frameworks and manage enforcement for state entities. State privacy leaders also face a wide variety of challenges due to the variance of state IT operating models and, therefore, often cannot operate consistently.

However, the roadmap outlines six phases for building a robust privacy program, regardless of a state’s IT model. The first is to establish foundations with clear vision and leadership, followed by developing governance by mapping data lifecycles and adopting privacy frameworks. Third, the report says states should operationalize privacy by conducting inventories, implementing these governance policies and embedding a privacy-by-design posture into all processes.

Fourth, the report says that state leaders should build awareness with tailored training and stakeholder engagement, followed by managing incidents with breach response plans and clear communication. And lastly, state chief privacy officers should monitor and improve with metrics and audits to stay ahead of legal and tech changes.

The report says that providing clear guidance, such as a mission statement, and adopting a recognized privacy framework such as the National Institute of Science and Technology’s Privacy Framework will make it easier for states to adopt a “privacy first” culture.

“Starting a privacy program from scratch can feel overwhelming, but focusing on key priorities like legal compliance and data inventory — while also building a privacy-first culture — will set you up for success,” the report said. “It won’t be perfect right away, and that’s okay. By regularly refining your approach as your program grows, you’ll stay aligned with the evolving privacy goals of your state or organization.”
