Skip to content

Fractional Privacy Officer: Your Next Best Business Move

Photo by Glenn Carstens-Peters / Unsplash

Picture a small but growing business. Full of energy, excitement, and enthusiasm. Full of insight into a product or service and armed with big plans for the future.

But what if those plans don't account for privacy compliance?

It’s really common for businesses, especially SMBs, to put off dealing with privacy. It’s something that can wait til tomorrow. Or it’s something that we can handle internally when the time comes. No need to take on the expense of a full-time privacy officer. We can manage!

That’s always true, until it isn’t.

There’s another path to privacy, though, one between a minimalist DIY approach or the costly addition of a privacy professional.

Meet the Fractional Privacy Officer

For SMBs, privacy is no less a concern than large corporations. In fact, it’s a BIGGER concern.

Privacy is complex and expensive. SMBs often don’t have dedicated privacy team members. Maybe the budget doesn’t justify it, or maybe they want their team lean and agile. When it comes to meeting privacy regulations, size can be somewhat beside the point. The EU’s General Data Protection Regulation (GDPR) doesn’t have a floor for small companies. For US-based regulations like the California Consumer Privacy Act, there are eligibility guidelines, but companies are finding that meeting consumer privacy expectations is a smart business move.

Another metric to look at: the cost of missing the privacy and data security mark. The cost for a single data breach for an SMB: the average cost is $7.68 million. And unlike a massive billion-dollar company, SMBs can be tanked if they run afoul of privacy compliance regulations due to:

  • Costly fees and penalties
  • Legal action
  • Reputation damage
  • Loss of consumer trust

So the challenge: protect the business. But stay on budget. Protect customers’ rights and answer their questions. But also grow, grow, grow. Think outside the box. But also follow all applicable rules and regulations. All from within a team that’s never built a privacy program, doesn’t have industry insight, and doesn’t know where to start.

It’s a lot to juggle. Does that sound like a reasonable risk?

This is where fractional privacy officers (FPOs) come in. For companies without the budget or resources for a full-time privacy officer, fractional privacy officers create a huge amount of operational AND strategic value. Even though they aren’t full-time employees, they provide guidance specific to a business’ needs on a wide range of issues. This can include:

Building strategies

Fractional privacy officers keep businesses current privacy laws like GDPR and CCPA, where huge quantities of personal data are in play. They can keep an eye on upcoming state laws that guard consumer privacy. (There are a number of them in the works — stay tuned because, in case no one’s mentioned it yet, it’s an election year.)

A FPO can also help leadership teams evaluate how to integrate privacy throughout different departments. Privacy doesn’t necessarily start in the IT department: Sometimes it arises in legal or marketing or accounting. In fact, it can come from any operational area because it’s truly a whole-business priority.

Overseeing general privacy tasks

When it comes down to it, privacy is enacted in the day-to-day routines of the workplace. It’s in the nitty-gritty details of how business is handled:

  • Vendor relationships: A FPO can manage and assess relationships, making sure that compliance and privacy awareness are shared priorities.
  • Products and services: How do core business services stack up to a privacy review? (Keep in mind that these are just examples; privacy can and should apply to all aspects of a business.)
  • Does the marketing department work within the parameters of privacy laws?
  • What about customer service teams — do they have privacy-oriented processes?
  • Managing data: Does company data line up with individual rights?

Supporting internal teams

A culture of privacy compliance doesn’t happen without good team training. A FPO can guide company training practices so that everyone follows the book when it comes to issues like responding to individual rights requests.


Data Protection Officers (DPOs) are great. They play a crucial role in spearheading privacy  activities for an organization. They’re also totally specific to GDPR and companies that fall under GDPR’s jurisdiction. (Meaning, many US-based companies.)

But more to the point, DPOs don’t do the same work as a FPO. They are responsible for ensuring the company complies with GDPR. FPOs, on the other hand, focus on privacy, both strategically and operationally and really dive into the fine details.

Fractional Privacy Officers: When and Why?

How does a business decide if they need a FPO? Decision makers might think it’s more cost-effective to dole out privacy responsibilities to existing roles. But this approach is limiting. It doesn’t approach privacy as anything more than a legal requirement. (And moreover, budget consciousness does not equal effectiveness when it comes to privacy.)

So what does actually make an effective approach to privacy? The best strategies are the ones that include:

  • Long term, sustained, proactive action
  • Customer-centered focus
  • 360 thinking about an entire organization, not just the bullet items on a checklist

Let’s back up, though, and answer the question: When is a fractional privacy officer needed? Needing help with the following tasks is a good indication:

  • Data inventories, whether starting from scratch or review and updating them
  • Tracking compliance needs for GDPR, CCPA, and other regulations
  • Implementing privacy notices and policies that reflect business practices
  • Manage:
  • Cookie consents
  • Privacy impact assessments
  • Privacy evaluations for products, services, and third-party providers
  • Digital marketing compliance
  • Reporting for privacy program metrics
  • Individual rights implementation and testing
  • Support teams with:
  • Privacy management technology implementation
  • Privacy training programs

The biggest value that a FPO provides is in the 360 view of business activities. Think of it this way: even if a business is totally compliant right now, a good business plan includes growth. Expanding or improving services or product lines. New marketing campaigns and new channels for reaching customers. How are these activities going to line up with privacy requirements? Even if they do now, what will happen in six months? A year?

It’s not quite shaking a Magic Eightball and getting an answer about what’s going to happen with privacy regulations, but it might just be better. Besides, you know, industry experience and insight, a FPO puts businesses in the position of heading off issues before they become issues. They scan the horizon, looking out for what’s ahead. (Or to use buzzwords: they help businesses be proactive rather than reactive.)

Building privacy, one metric at a time

Here’s the thing. SMBs occupy a big part of the economic landscape and, as a result, they’re a diverse group. One commonality? All their customers expect to be treated fairly and have their privacy respected.

All companies, regardless of size, need to approach privacy as if it was mandatory. Because it is! Not legally, not across the board anyway. But it’s become mandatory within public opinion.

That’s why a fractional privacy offer delivers so much value. They help handle the technical aspects of privacy, yes, but they also help deliver customer experience and value.