People 'n' Issues
As data blurs the lines, CEO must not become CIO
By FRANCOIS KRIEL, director of change management practice Kriel & Co
The accelerated adoption of digital technologies has raised disruption in areas that have not been considered previously. Digital transformation skyrocketed upwards and onwards in a bid to safeguard customer and employee health and wellbeing, as well as data.
Consumer, business, government and non-profit organisations are all in the same boat – to help reduce safe physical distancing practices on all levels of our lives, from grocery and food delivery services to business-to-business e-commerce apps and videoconferencing solutions.
In other words, accelerated digital business disruption is the clear winner emerging from the disruption of the past year. And in some ways, this change stirred the proverbial teacup in many ways, often for the better. Organisations are now, well, (re)organising their internal frameworks and business models to stay competitive.
It has been a time when the Chief Information Officer (CIO) of medium to large organisations had quite an important seat to occupy, if not the driving seat.
Recent research by Gaertner shows that this trend will continue to pulse through the veins of organisations large and small. It is the single most disruptive shift in how businesses operate, and as a result, has broadened the scope that the CIO role should fulfil.
Entering the age of legally protecting data
In tandem, growing sophistication of digitalisation has come alongside a broader march equally sophisticated – toward a growing demand from customers calling on their right to protect organisational data and their personal information.
Recently, in light of the Protection of Personal Information Act (POPIA) the Information Regulator, in the same vein as the Promotion of Access to Information Act (PAIA), requires that the head of the organisation, such as the Chief Executive Officer (CEO) or Managing Director (MD) designates any person holding an executive level position within the organisation to act as the Information Officer. If not formally delegated, the CEO or MD is interpreted as the Information Officer by default.
The Information Regulator further states that the CEO or MD retains the accountability and responsibility for any power or functions authorised to the Information Officer.
The duties behold by this role would need to be clearly described in the designated person’s job description – another requirement by the Information Regulator.
Blurred C-suite lines
And here is where the lines of duty within medium to large organisations might get distorted. The Regulator clearly places final responsibility in terms of POPIA and PAIA with the head of the organisation – the CEO/MD. This should not be confused with the day-to-day implementation of these acts. The information in question requiring protection is in most cases digital, or should be, in a modern and post-COVID thriving organisation.
In my experience, this responsibility naturally dovetails that of the CIO’s now amended (and leading) role with a decision-making seat at the boardroom table. The forward-thinking expertise and skills of the CIO is instrumental to entrench the business into a digital-first era.
Why not the CEO?
The heads of medium to large organisations have a very specific and all-embracing role to play. Peter Drucker, modern business futurist, said it best in 2004: “The CEO is the link between the Inside that is ‘the organisation,’ and the Outside of society, economy, technology, markets, and customers.”
It’s a wide-angle lens role that is bestowed on CEOs while everyone else in the organisation applies a much narrower focus in one direction, for the most part, according to the Harvard Business Review.
In a medium to large organisation, the CEO does not get involved with the day-to-day operations of the organisation. This is a responsibility shared (among others) by the Chief Operating Officer (COO), the Chief Financial Officer (CFO) the Chief Information Officer (CIO) and the Chief Technology Officer (CTO).
The CIO as a focused enabler of business growth
CIOs are facing unprecedented challenges to improve business outcomes, transform business models, modernise technology and enhance customer experience. In the era where privacy matters, the focus applied by today’s CIO is ideally placed to now zoom in on the protection of personal data.
In terms of the POPIA, the CIO’s job description in terms of legal responsibilities should include the following day-to-day responsibilities:
- ensuring the organisation puts practical frameworks in place to lawfully store and process personal information under the provisions of POPIA;
- seeking legal counsel or liaising with the organisation’s compliance officers regarding implementation of the framework;
- facilitating communication with the Information Regulator relating to POPIA matters, e.g., in the case of a data breach investigation or when the organisation needs to act on public data requests; and
- having a good working understanding of data privacy legislation, such as the POPIA and GDPR.
Practically, the following job descriptions are fundamental for an organisation to thrive in an age where privacy matters:
- Align digital strategy development with organisational or enterprise goals. The CIO should act as the translator of the organisational and business strategy into a digital roadmap to give full effect to organisational goals and privacy legislation requirements. The CIO’s focus should ideally be more organisational, and less ‘tech’ as is commonly assumed.
- Translate leadership to implementation by way of change management. Create awareness among employees, IT and security teams by educating them on the place protection of information holds in the organisation.
- Project the ability to lead a project management team or effectively project manage various ongoing change, digital transformation, security or data privacy initiatives across the organisation.
In a world where change – such as legislation affecting organisations on a systemic level – happens quickly, we need the vision of the CEO to remain uncluttered and allow him/her to the opportunity to make tough decisions. The CEO’s focus on the wider purpose will help organisations thrive, which is how I explain the final POPIA accountability role that has been placed on the heads of organisations.
The role of the CIO should be to strategically, operationally and practically transporting the organisation there via a digital highway – in my view the only road that will lead thriving organisations to where they need to be, ahead.
A visionary boardroom understands this difference.