Regulations coming out of Washington and Brussels are forcing companies to think more seriously about privacy. In response, companies are appointing chief privacy officers and other high-level privacy professionals.
The duties of the chief privacy officer (CPO) are nothing new. What is new is that the responsibility for such duties are formally tied to a person holding the CPO title. Companies don't have to use the CPO moniker. Some companies create "privacy professional" positions, said Ray Everett-Church, CPO of Philadelphia-based ePrivacyGroup.com, a privacy consulting firm that often advises CPOs.
CPOs don't necessarily have to be technologists, but they should have a basic understanding of technology. Their forte should be in the creation and execution of policy. A CPO also needs some experience with public relations because CPOs are the public point people for a company's privacy initiatives. In other words, they function as the human face that is responsible for protecting the customer data that is collected and stored by companies.
There may be a temptation to combine security and privacy duties under one position. However, the CPO position has a different posture than the chief security officer (CSO) job. CPOs tend to be more outward facing because they act as the customers' and employees' advocate within the company, while CSOs look more inward, working on tasks such as protecting corporate assets,
The job descriptions of the CPO and similar positions vary, but the duties associated with these jobs generally fall into three areas.
First, the CPO has to create and maintain the company's privacy policies for both internal employee data and for customer information.
One of the reasons Tom Warga was named CPO of New York Life was because the company wanted him to come up with a blanket privacy statement that cuts across all its lines of business. The company didn't want a customer who bought a mutual fund and an annuity to get two privacy statements that contradict each other, Warga said. "It was a question of our brand image," he said.
The second main CPO duty, according to Everett-Church, is keeping track of how the business works so privacy plans are both realistic and effective. A certain level of independence is critical, Everett-Church said. If CPOs are tied too closely to a particular business unit, then they won't be as effective when influencing company-wide policy. "In other words, they shouldn't be relegated to the bowels of the marketing team," Everett-Church said.
Greg Warner, CPO of Siemens Medical Solutions and Health Services Corp. of Malvern, Pa., sees his background as corporate counsel (he reports to the general counsel) as advantageous. He didn't come up through the ranks of a particular product group or division. "I am independent of any product chain of command," he said.
Like Warner, Warga didn't come from the product ranks. In addition to being CPO, he is also the general auditor. He reports to the auditing board, but the company's CEO is his immediate supervisor. His background is an advantage; he has learned "all operations of the company," he said. "I know who to go to and how the businesses are run."
Making sure privacy rules are enforced and are in compliance with government regulations is the CPO's third major duty, Everett-Church said. CPOs have to monitor company activities to make sure things don't conflict with internal privacy rules and regulations.
Warner conducts risk assessments of processes that involve sensitive data. For example, Siemens sells medical software. Company employees need to be aware of privacy concerns when doing software maintenance on customers' systems, because a database may have access to patient information, he said.
On the other hand, CPOs shouldn't gain the reputation for saying "no" to every request. "They will stop coming to them and stop including them in the processes," Everett-Church said. "CPOs have to find ways to say 'yes' to things."
In Warner's case, he instituted a secure file transport system to transmit sensitive data. (There are legitimate reasons for moving such data electronically, but it must be done securely.) But there are also mechanisms in place to make sure sensitive data isn't sent by e-mail.
Yet requests sometimes go too far. Warga isn't afraid to say "no" to proposals that would infringe on customers' privacy. For example, he was asked once if the company could buy customer data from other companies to complement the data New York Life already has, a practice often used by direct mail companies. "I said 'no way, we can't do that,' " Warga said, adding that the company would need to get permission from customers before doing so.
- Listen to the on-demand webcast The roles of the CPO and CSO at your convenience.
- Learn more about CPOs in the SearchSecurity.com news exclusive Companies creating more chief privacy officer jobs.
- For more information on policies, peruse SearchSecurity.com's library of Policies Tips.
This was first published in February 2003