Jodi Daniels is a privacy consultant and Founder/CEO of Red Clover Advisors, one of the few Women’s Business Enterprises focused on privacy.
Remember childhood games of yesteryear, before Roblox, Minecraft and Fortnite took over? Not to sound older than my years, but those games taught us more than we realized.
Red Rover tested playground alliances. Musical chairs taught resource scarcity. Hide and seek developed spatial reasoning and patience. The telephone game was particularly instructive, as it demonstrated how easily information can become distorted when it passes through multiple people.
Corporate data governance has the same problem. When privacy and security teams operate with different priorities, timelines and compliance frameworks, information gets distorted. The result isn’t innocent miscommunication. It’s a multi-million-dollar regulatory exposure.
Why This Coordination Problem Costs Organizations Millions
It’s no secret that data breaches and privacy incidents are costly. The global average breach cost reached $4.88 million in 2024, a 10% increase from $4.45 million in 2023, representing the largest yearly jump since the pandemic. Organizations with severe staffing shortages incurred $1.76 million more in breach costs than those with adequate staffing.
Even so, recent research from the Future of Privacy Forum confirms that while the need for privacy-security collaboration has expanded, teams still struggle with coordination failures, such as communication breakdowns and structural differences in how teams operate.
There are four specific coordination failures that create the biggest exposures.
Privacy-Security Gap #1: Data Breach Response
When breaches occur, privacy and security teams spring into action. Privacy teams must meet regulatory notification deadlines, while security teams need time for thorough forensic investigations.
But if these competing needs aren’t worked out in pre-established (and well-practiced) tabletop exercises, teams scramble to balance requirements in the moment, missing regulatory windows that could have prevented compliance exposure. What should be a choreographed crisis response becomes a set of competing priorities that don’t satisfy anyone’s objectives.
The integrated solution may be a joint approach, with shared response templates and parallel workflows that satisfy both regulatory deadlines and investigative thoroughness. Security teams should identify which breach details can be provided within the applicable regulatory timeframes versus those that require extended forensic analysis. Privacy teams can use security’s initial findings to file compliant breach notifications, then update reports as the investigation progresses.
Coordinating the two teams contains breaches faster while avoiding regulatory penalties and compliance failures.
Privacy-Security Gap #2: Vendor Risk Assessment
Businesses often face vendor decisions where security and privacy teams independently evaluate different aspects of the same risk. Security teams assess technical controls and certifications, while privacy teams examine contractual obligations and data processing terms.
From a subject-matter perspective, this makes sense. However, from a perspective of “let’s coordinate our efforts for the best privacy and security results possible,” it misses the mark.
Let’s say your procurement team selects a cloud analytics provider with excellent security credentials: SOC 2 Type II certification, robust encryption and penetration testing results that exceed industry standards. But the privacy team discovers problematic clauses in the Data Processing Agreement about undefined “advertising optimization partners.”
In other words, without coordination, organizations approve vendors that meet security standards but violate privacy obligations, or reject technically sound vendors due to fixable contractual issues.
A joint approach to this problem may involve combining vendor questionnaires that cover SOC 2 requirements and regulatory obligations, paired with coordinated contract negotiations that address both teams’ needs. Security teams evaluate direct technical safeguards alongside sub-processor security controls during vendor assessments, while privacy teams assess data usage and privacy rights to ensure contractual terms align with technical capabilities. The result is coordinated vendor assessments that eliminate compliance gaps and streamline the approval process.
Privacy-Security Gap #3: Cross-Border Data Transfer
When moving data across international borders, privacy teams handle legal requirements while security teams manage technical safeguards. Both are necessary, but when teams work separately, you get half-solutions.
Let’s say your organization transfers customer data from the European Union to a U.S. cloud provider. Privacy teams ensure compliance with legal requirements, and security encrypts stored data. Everyone thinks compliance is handled... except that the data isn’t encrypted during transit, and that technical gap just invalidated your entire legal framework. Regulators won’t be sympathetic that it was an operational oversight.
To address this gap, you might utilize unified documentation that covers both legal and technical requirements for regulatory authorities. Privacy teams document the required technical safeguards in transfer assessments (not just the legal obligations), while security teams validate that encryption, access controls and in-transit protections meet the standards cited in those privacy assessments. With this joint solution, you get transfer compliance that actually works from day one.
Privacy-Security Gap #4: AI Governance
AI governance is becoming non-negotiable, but it’s something that—for many, anyway—hasn’t been put into operation. To add to the challenge, AI systems interact with multiple regulatory frameworks, and both privacy and security expertise must be brought to the table.
But teams aren’t always sitting at the same table, and when they address AI compliance separately, solutions may satisfy one requirement but violate another.
Let’s say your marketing team gets an AI customer segmentation tool. Privacy teams approve transparency notices, stating the AI “only uses necessary data for personalization,” while security teams implement broad data access permissions to ensure system functionality without checking what data the AI accesses.
However, if audited, regulators might find that the AI processed more personal data categories than the privacy notices disclosed, a violation that neither team caught because they didn’t coordinate on what data the system used.
For a strong joint approach to AI governance, you’ll need coordinated AI impact assessments and decision making, backed by shared documentation and approval workflows that meet both privacy and security requirements. Privacy teams should center on data minimization, transparency obligations and implementing individual rights, incorporating security-validated technical capabilities. Security teams will cover technical safeguards, access controls and vulnerability assessments, while including bias testing and fairness measures that reinforce privacy compliance. This combination leads to AI governance that spans multiple regulatory frameworks without conflicting requirements, with clear accountability for each team’s core responsibilities.
Coordination failures are expensive—and avoidable. Organizations that bring privacy and security teams together eliminate these blind spots while accelerating business initiatives. The real question is whether or not you can afford to keep operating without addressing these gaps before it’s too late.