There are numerous challenges involved in creating and running a strong privacy program. Some challenges can be alleviated, however, if the top privacy officer is given a role high up in the organization’s structure.
That’s according to Peter Sand, director of privacy technology at the Department of Homeland Security (DHS). Sand spoke on a panel along with several other privacy and compliance directors at the recent AFCEA Homeland Security conference in Washington.
There are two main components to a successful privacy program, said Sand. One is the program itself and the other is where “the program sits within an organization.” Many organizations “tuck privacy into an IT department” or some other area when it should be higher up in an organization's structure.
Although Sand says he understands why organizations would place privacy programs in their IT department, as technology can be important in the privacy field, working at a higher “leadership level” provides benefits including access to top managers.
“That’s crucial when you want to have a frank discussion with people,” he said.
DHS’s privacy program consists of several main components, Sand said. One is compliance, an area in which his office puts “the most attention and resources.” Responsibilities include “figuring out what the rules ought to be.” Another main component is education and outreach, he said. “Once you figure out what the rules are you educate…your internal people” as well as “external people who are interested.”
Another job function centers around technology, he said, an area in which “a lot of the exciting stuff actually happens.” Responsibilities frequently include looking at compliance and technology. His office has developed privacy impact assessments to evaluate technological solutions, he said.
The position also involves “writing up and publicizing” the rules “after they’ve been decided on.” One aim is to make the rules more institutionalized, he said.
Other panelists also described some of their experiences as well as some of the challenges they face in their organizations.