NASCIO’s new roadmap helps chief privacy officers create statewide programs from scratch

A new report from NASCIO outlines how state chief privacy officers can develop statewide privacy programs from scratch, regardless of their IT structures.

The National Association of State Chief Information Officers on Thursday published a report that provides chief privacy officers with a roadmap for creating statewide privacy programs from scratch.

Titled “Creating a Privacy Program: A Roadmap for States,” the report names several factors contributing to the need for formalized privacy programs, including the increasing use of digital services and of generative artificial intelligence in state governments. (Many privacy professionals have warned that the use of generative AI should be preceded by consideration of the technology’s privacy risks.)

The growing number of state chief privacy officers indicates a need for a more formalized structure, the report states. According to NASCIO, the chief privacy officer is one of the fastest-growing leadership roles in governments: the number of state-level chief privacy officers has grown from just five at the beginning of 2015 to roughly 30.

NASCIO writes that because many states have enacted comprehensive consumer privacy laws in the absence of federal privacy legislation, and because data breaches are growing more frequent, constituents are more aware of privacy issues, which chief privacy officers should take into account.

The report notes that chief privacy officers face numerous challenges when trying to establish formal privacy programs, especially when starting from scratch, given the novelty of the field. For example, because many privacy laws focus only on consumer privacy, states are left to establish their own privacy governance frameworks and manage enforcement for their agencies and offices. State privacy leaders also face a wide variety of challenges because state IT operating models vary, which leads to inconsistent operations.

The roadmap outlines six phases for building a robust privacy program, regardless of a state’s IT model. The first is to establish foundations with clear vision and leadership, followed by developing governance by mapping data lifecycles and adopting privacy frameworks. Third, the report says states should operationalize privacy by conducting inventories, implementing these governance policies and embedding a privacy-by-design posture into all processes.

Fourth, the report says state leaders should build awareness with tailored training and stakeholder engagement, followed by managing incidents with breach response plans and clear communication. And lastly, state chief privacy officers should monitor and improve with metrics and audits to stay ahead of legal and tech changes.

Providing clear guidance, such as a mission statement, and adopting a recognized privacy framework, such as the National Institute of Standards and Technology’s privacy framework, will make it easier for states to adopt a “privacy first” culture, the report says.

“Starting a privacy program from scratch can feel overwhelming, but focusing on key priorities like legal compliance and data inventory — while also building a privacy-first culture — will set you up for success,” the report reads. “It won’t be perfect right away, and that’s okay. By regularly refining your approach as your program grows, you’ll stay aligned with the evolving privacy goals of your state or organization.”