Should the Privacy and Information Security Disciplines Converge?

posted Sep 24, 2010 11:05 PM by Eddie Cox   [ updated Oct 31, 2010 12:23 PM by Michael Cox ]
See the prior two blog entries regarding the differences between the privacy and information security disciplines and the risk of having IT responsible for enterprise privacy and information security programs.
Many Fortune 200 companies have both a Chief Privacy Officer (CPO) and a Chief Security Officer (CSO), who work together to establish comprehensive privacy and information security programs.  The industry is discussing whether the two roles should converge.  However, for large, customer-information-centric organizations, the CPO role should continue to evolve into an independent, strategic role that owns privacy risk management and privacy program management.
What should smaller organizations do?  The CPO function could reside in the legal department.  However, if there is a risk management function, the strategic privacy risk management and program responsibilities would probably be a better fit there.  In that case, of course, the interpretation of privacy laws would still be left to the legal department or to outside privacy law counsel.  If there must be a converged CSO role, it should retain its independence.  In most cases it should not report solely to the CIO: the CIO owns the IT systems and operations that the security program assesses, and so has a conflict of interest in the transparency of findings and could influence what is reported upward.  That loss of accountability would be to the great detriment of the organization.  The role could instead carry a dual reporting line to the CFO or the General Counsel.  A CEO who understands this risk could still place the responsibility with a seasoned CIO who is a direct-report member of the senior management team, provided that the CEO maintains appropriate oversight of the program.
Given the bottom-line implications, preventing privacy breaches should be among the top 10 objectives of any customer-information-centric organization.  Placing the responsibility any lower in the organization is not recommended.
Michael Cox, CIPP
President, SoCal Privacy Consultants