Thoughts after the IAPP Global Privacy Summit
The 2025 IAPP Global Privacy Summit confirmed what many of us in the industry already recognize: privacy has evolved from a compliance function into a strategic business priority. As someone who had the privilege of teaching Privacy Program Management for the CIPM (Certified Information Privacy Manager) designation at Summit, I was struck by how many professionals are grappling with the same challenge: how to operationalize privacy in a way that is scalable, efficient, and aligned with business growth.
Artificial intelligence dominated the conversation at this year’s Summit. Trevor Hughes, president and CEO of the IAPP, emphasized that for privacy professionals this is the time of the “&”. Organizations are depending upon their privacy team to take on a myriad of governance challenges. For example, with the EU AI Act and a wave of state-level regulation emerging in the U.S., organizations are scrambling to govern AI systems in line with privacy principles. Falling on the shoulders of privacy professionals, this is giving us the charter of Privacy & AI governance. The challenge? Most of us lack the tools to assess AI risks like bias, opacity, and data provenance.
Privacy and AI are only two areas of data usage where some level of governance is required. Many larger organizations have Data Governance teams that take a holistic view of their information use, including legal compliance. I suggest that the same talents that make privacy professionals attractive for governing organizations’ AI efforts may also be applied to data governance in general.
Think of data governance as a framework of rules, policies, standards, processes, and controls that dictate how an organization manages its data assets throughout their lifecycle. Key principles underpinning data governance include accountability, transparency, data quality, data security, stewardship, and business alignment. Data governance’s primary goals are to ensure data is accurate, consistent, secure, available, and usable for informed decision-making, operational efficiency, regulatory compliance, and risk management.
This may seem parallel to the focus of a privacy program; however, the scope of a privacy program is limited to personal information, whereas data governance looks at all information assets.
Just as with AI governance, expanding into general data governance will require privacy professionals to take a broader view of information systems. It will also require privacy professionals to gain some new perspectives and insight into new practices.
Notwithstanding the above, the basic requirements of establishing or validating a privacy program remain a challenge for some organizations. Teaching the CIPM class this year gave me the opportunity to connect directly with professionals working hard to build programs that are both compliant and resilient. What I heard again and again is that organizations need help translating privacy principles into operational practice. Advisory services provided by third parties are no longer a “nice to have”; they are an essential part of how privacy gets done. Addressing privacy obligations through a comprehensive program is a great first step to preparing your organization for a more encompassing data governance program.
In a world where data is power, privacy and data governance are foundational needs and, done right, they are also a competitive advantage.
Reach out to Privacy Ref with all your organizational privacy concerns: email us at info@privacyref.com or call us at 1-888-470-1528. If you are looking to master your privacy skills, check out our training schedule, register today, and get trained by the top attended IAPP Official Training Partner.