As more companies consider establishing privacy programs, they need to understand what the objectives should be and how best to achieve them.
A panel of speakers at the Global Privacy Summit in Washington, D.C., discussed some of the best practices involved in creating and managing such programs. Panel moderator Deirdre Mulligan, director of the Center for Law and Technology at Berkeley, who has been surveying privacy professionals worldwide, found that the most successful programs tend to be built with a business-oriented, risk-based approach.
That means starting by assessing overall business needs and vulnerabilities. Additional best practices are to give chief privacy officers ready access to high-level executives and to instill programs with accountability.
The most effective chief privacy officers and other top privacy executives have offices that are located in or near an organization’s C-suite, Mulligan said. A related characteristic of successful programs is that top officers tend to have considerable leeway in developing programs they consider most fitting.
Other panelists at the conference, which was sponsored by the International Association of Privacy Professionals, noted that while many top privacy officers have legal backgrounds, it’s important for organizations to view privacy programs as distinct from traditional legal departments. When organizations see programs as primarily legal, it can be one of “the most limiting factors” in program development, said Kasey Chappelle, global privacy counsel at the Vodafone Group. It is important for privacy officers to take a proactive, strategic approach to accomplishing their aims, she added.
Another panelist, Jeff Green, chief privacy officer at the Royal Bank of Canada (RBC), spoke about RBC’s privacy policies. One of Green’s first decisions as top privacy officer was to focus on IT security, because it looked like the area in which the bank was most likely to experience privacy-related issues.
He and his colleagues spent about a year studying where sensitive data in the organization resided and how it was handled, including existing security controls and processes. They familiarized themselves with relevant data security and privacy laws and regulations. They then worked to create a security framework that included strengthening controls and creating systems of ongoing monitoring.
Another speaker, Peter Cullen, chief privacy strategist at Microsoft, said one of his organization’s challenges is staying abreast of laws worldwide, because the company does business in every country where it is legal to operate. After joining the company in 2003, Cullen said, one of his initial goals was to meet with regulators, privacy advocates, and others around the world to better understand developing privacy regulations and concerns. There’s “an increasing chance a law could be passed somewhere in the world that may have an external impact upon our business,” he said.
Organizations can structure privacy programs in a variety of ways, panelists said. For example, Vodafone divided its program into two main parts: one focused on strategy—that’s the one Chappelle heads up; the other focused on operations. A primary goal of the operations office has been to educate executives within the company’s numerous business units on privacy-related matters, she said. Such executives also regularly report back to the main operations office.