What is a Chief Privacy Officer's Role?

Published: January 12, 2005 in Knowledge@Emory
The relatively new position of chief privacy officer (CPO) is fast becoming an expected and important addition to the senior leadership at major Fortune 500 companies. Consumer concern over the use of personal shopping information, medical data and financial information, as well as government legislation on the issue, has pushed privacy matters to the forefront, making the CPO a critical player in the shaping of company policy.
According to Andrea Hershatter, a senior lecturer in organization and management, as well as the associate dean and director of the BBA Program at Emory University’s Goizueta Business School, the role of the CPO shouldn’t be confused with that of a chief security officer (CSO). While the CSO follows through on the specifics of data security on a computer network, the chief privacy officer is instead interested in customer relationship management. She notes, “Data collection makes it possible to market to each consumer in a highly personalized and individualized way.” The technology available today also allows for large-scale mining and reselling of that same information. “The question for the CPO is how to best turn customer data into a valuable, although largely non-transferable asset for the company without alienating the customer or infringing upon their right to privacy.”
While most consumers find spamming and the reselling of their shopping preferences to be abuses of trust, Hershatter notes that a targeted and valued interaction with a customer can often garner a positive response. For example, she cites the favorable reaction to Amazon.com’s targeted email and website appeals. Many customers react favorably to sporadically receiving an email or a website recommendation that informs them, based on their past buying history, of a new book or CD release that they might enjoy. “If, however, Amazon.com made that database available to each of their online partners, their carefully developed relationship with consumers would quickly deteriorate.” Consequently, shaping the relevant company policies, and drawing the proverbial line in the sand over the correct usage of customer data, is fast becoming a key role for U.S. businesses.
Hershatter adds that as new options for marketing become available—for instance, sending a coupon to a mobile phone when a customer walks past the product in the store—carefully gauging consumers’ tolerance for this type of invasive technique is critical. “The CPO stands at the heart of these issues,” she says. As well, getting shoppers to specifically “opt in,” or give their consent to data collection on their shopping behaviors, is now essential for companies to get an edge. “This notion of exchanging data in return for desired free goods or services is an important trend for the future, but it also raises many privacy issues.” 12SNAP, a U.K.-based interactive mobile marketing company, is actually getting customers to call in over their mobile phones to receive marketing messages, usually in the form of games, discounts, or other entertainment options from 12SNAP’s corporate clients. “However,” says Hershatter, “many of their customers are under 18, and it is unclear whether the same mechanisms that encourage consumers of this age to share personal data will work with older target markets.”
Of course, as technology changes, so too does the regulatory landscape. Evolving government legislation will continue to respond to the dynamic environment, making the job of the CPO even more demanding. Privacy advocates at such groups as the ACLU and the Electronic Privacy Information Center argue that federal legislation is too lenient on the matter, while most business leaders would prefer to see the changes be much more industry-driven. Today, the Freedom of Information Act and the Privacy Act of 1974 set the tone for data collection and disclosure of individual information by governmental agencies. The international community, by way of the Organization for Economic Cooperation and Development, also coalesced around the issue in the late 1970s and early 1980s, agreeing on a set of best practices known as the 1980 guidelines on the protection of privacy and trans-border flows of personal data. Of course, as companies become even more global, the difficulty of pursuing violations of a U.S. customer’s personal privacy when that privacy is breached abroad could become an increasing area of concern for the corporate CPO.
For the moment, federal legislation and government enforcement of consumer privacy appear to be on the rise. Legislation on the protection of patient medical records (the Health Insurance Portability and Accountability Act of 1996, or HIPAA) and on the use of consumer financial and banking transactions (the Fair Credit Reporting Act of 1970, amended in 1996, as well as the Financial Modernization Act of 1999, also known as the Gramm-Leach-Bliley Act) address specific arenas of data collection. But there are a host of other industry-specific laws on the books, and the Federal Trade Commission (FTC) has the ability to bring enforcement actions against companies. In the past, the FTC has pursued actions against Microsoft, Eli Lilly & Company, Toysmart.com and GeoCities for misrepresenting how they used customer information. Passive data collection, by way of online “cookies” and other spamming techniques, came about with the popularization of the Internet and e-commerce, spurring anti-spam legislation in 2003.
Considering the complex regulatory environment, it’s no wonder that many of today’s CPOs have a legal background, and often also hold the post of chief counsel for their firm. According to Christopher M. Kelly, chief privacy officer and general counsel for Spoke Software, a provider of professional networking applications, information technology and e-commerce companies were ahead of the learning curve when it came to understanding the need for a chief privacy officer. Maybe it was because of their technological savvy, or maybe it was a reaction to the high profile news stories on spamming, but tech firms, for better or worse, have helped to establish the benchmarks for the role of CPO. Whatever the driving force, medical, financial and retail firms are beginning to adopt the strategic role of CPO in their senior management ranks.
Even with all of the regulations on the books, Kelly notes that nothing speaks louder than disgruntled customers or clients, many of whom can vote with their wallets. He adds, “At Spoke, we are a relationship management company at the heart of it, and a social network company, and so we deal with a company’s contact information. That’s their key value, and so we have to ensure we take privacy seriously. Ultimately, users own their own data.” But, he notes, the role of the CPO is moving beyond that of compliance. The chief privacy officer is also fast becoming the public face for the company: the one communicating the firm’s philosophy to customers, suppliers, vendors and policy makers at large.
Just how quickly other industries get on the CPO bandwagon remains to be seen. However, the larger the company, the more likely it is to have a CPO. Benn Konsynski, professor of decision and information analysis at Goizueta, adds that for firms outside of retail, medical and tech, the role of the chief privacy officer is taking a little longer to gain favor. “Many have backtracked because of money concerns,” he says. Others face the dilemma of figuring out just how the position fits into the corporate hierarchy. Says Konsynski, “These are difficult issues, privacy and security, making the right decision over rights and authority. Is the chief privacy officer representing the interests of the client or the customer, or is this person merely an agent of the company or moving beyond the boundaries of the company? Who do they advocate for? Some are emerging as agents of information access, setting policies around it, and others are establishing company ethics, standards and awareness.”
Margaret P. Eisenhauer, head of the privacy practice for the law firm of Hunton & Williams, notes that the way the CPO role is integrated into the firm as a whole dictates the effectiveness of the position. “There are many ways to do it. Some of the CPOs out there are truly executives in the upper levels of management, people like Sandy Hughes at Procter & Gamble and Jennifer Barrett at Acxiom, who are extremely visible. These are professional people working at larger corporations, integrated into the company as a whole, and they have access to senior management, funding and staff.” There is also another type of CPO, says Eisenhauer, the one who primarily handles implementation of “internally facing processes, such as those needed to comply with Gramm-Leach-Bliley or HIPAA. These privacy professionals are not necessarily involved in the development of externally facing privacy messages.” Smaller firms might have privacy compliance issues handled on a part-time basis by an employee also holding another title. Eisenhauer generally recommends that companies devote a full-time person to the issues of privacy regulation, policy and compliance, if at all possible.
Ellen Zimiles, principal financial services industry leader for KPMG Forensic, agrees that a CPO on staff is a necessary addition to the executive board. She believes that the issues surrounding data collection and privacy can become quite complex, particularly for large global organizations. For example, she notes that when a credit card company deals with a drugstore chain through day-to-day ATM or debit card transactions made by customers, and a discount store card is used in the purchase of medicine, data collection occurs at that point. HIPAA compliance issues then come into play, even though the credit card company and the drugstore aren’t medical facilities themselves and may not even have thought of these sorts of privacy considerations. States can regulate privacy as well, so the CPO needs to be aware of local considerations that may be even more stringent than federal laws and regulations. “The CPO also has to figure out the standards globally and adapt them to the locales abroad.”
Additionally, changing legislation is serving to complicate the role of the CPO. Zimiles notes that data collection allowed by the U.S. Patriot Act, for instance, could result in violations of prior privacy regulations. “After 9/11, privacy went out the window for a bit. It was anything in the name of safety and security, and now people are finally coming back to reason.” Often, the chief privacy officer must balance competing issues, such as privacy concerns and the financial data collection needed to defeat money laundering or terrorism efforts. The CPO not only needs to make sure that privacy concerns are addressed in-house, but also that they are addressed by the suppliers, vendors and clients with whom the company may share sensitive information.
Eisenhauer adds, “Having a lawyer in the role is great, but legal compliance is only one aspect of it all. Honestly, legal compliance is the responsibility of everyone in the organization. And privacy is the same sort of thing. The concerns around it should cut across the entire organization.” While she advises companies to retain a CPO, being a lawyer is less important than having the appropriate skill set to do the job. “The CPO should understand legal compliance, as everyone is highly regulated today. He or she must be an excellent communicator and coach. Being a cop in this role is simply no good, and it won’t work in an organization. Everyone in the company must have ownership of the issue. The CPO also has to be someone with vision, thinking ahead to the next issue to arise. Security is about access and manipulation, but privacy is really about the appropriate use of information.”
The CPO must deal with four key risks on the job, says Eisenhauer, which she identifies as “legal compliance, reputation, investment, and reticence.” Legal compliance goes back to the issues of federal and state law, regulation and enforcement actions. As for reputation, Eisenhauer notes that businesses can often follow the strictest interpretation of the law and still have customers find their marketing actions invasive. “The holy grail for a privacy officer is to make sure you have the trust.” The CPO must walk a fine line in this instance, carefully assessing the concerns and needs of the company’s particular customer base. Eisenhauer also notes that firms need to understand the actual investment (man-hours and financial investment) involved in procedures and systems, to ensure that an appropriate return on that investment is possible, even when done in a way that provides an appropriate level of privacy.
In addressing the issue of reticence, Eisenhauer observes that it is generally common practice for organizations to be careful when using customer information. But in today’s competitive world, companies must use information to provide personalization and to understand their markets. She notes that being overly cautious can lead to missed opportunities, and that company leaders should not be too reserved in their approach to balancing privacy needs with the need to market.
“Top-down leadership communication on how to both protect privacy and generate real value is critical to a company’s success,” Eisenhauer explains. “You want to have the right product in the right place for the right person. Everyone wants personalization at the right price. While privacy is important, businesses must also deliver the personalization that the customer demands. There needs to be the proper balance between legal requirements, the company’s customer objectives and the customer’s preferences.”