Who leads the privacy incident response plan according to SE-2 Privacy Incident Response?

Privacy incidents are managed best by the person who owns the agency’s privacy program and has authority over how personal data is protected and processed. The Senior Agency Official for Privacy, or Chief Privacy Officer, leads the incident response because they oversee privacy governance, risk management, and compliance with privacy laws. They coordinate the response, decide on when and how to notify, and work with IT and legal as needed to protect individuals’ information and meet regulatory requirements. The CIO focuses on IT operations and security controls but does not own privacy risk management. General Counsel provides legal advice but does not lead the operational response. OMB sets policy at a higher level, not the day-to-day incident coordination. So the SAOP/CPO is the correct leader for the privacy incident response plan.