Do You Need A Chief Privacy Offjcer? Steven C. Bennett If you face privacy issues on a regular basis, then you probably need a CPO. RECENT STATUTORY and regulatory developments in the United States and overseas (especially Europe) have created near-paranoia about privacy in certain corporate circles. Headline-grabbing stories of actions by the Feder- al Trade Commission, state regulators, and consumer ad- Steven C. Bennett vocates have also demonstrated that a company’s custom- is a partner in the New York offjces of Jones er and employee relationships, and perhaps its economic Day and teaches a course in Privacy Law at health, may depend in large measure upon whether the Hunter College. The views expressed are solely those of the author, and should not be company is following “best practices” regarding data pri- attributed to the author’s fjrm or its clients. vacy and security. Part of the response, for many large corporations, has been the creation of a new position within the corporate structure: that of the Chief Privacy Offjcer (“CPO”). Ma - jor companies, like American Express, AT&T, IBM, and many others in the Fortune 500, have announced within the past few years the development of a CPO position. There is little question that establishment of a CPO func- tion within a corporation is desirable; but is it necessary in every instance? What of small, or medium-sized busi- nesses, which may not be able to afford to hire a full-time CPO? This article briefmy explores whether you really need a CPO. The Practical Lawyer | 17
18 | The Practical Lawyer February 2007 DEFINING THE CPO ROLE • Before you can and business needs, may be bound to fail. And a determine whether you need a CPO, it is worth- privacy policy that is not understood, or a policy while to review the role of the CPO in the modern that is not viewed as benefjcial to the corporate American business. The function can vary greatly mission, may not be effectively implemented. between corporations, but in broad terms, the role of the CPO is to help: ALTERNATIVES • In many corporate organiza- tions, CPO tasks require the full-time attention of • Create and revise policies regarding privacy at least one person. There are alternatives, how- and security for confjdential information; ever. Among them: • Train employees and staff regarding the company’s privacy policies; • Ensure enforcement of the policies; • Privacy Committee . A corporation might create a • Audit and document compliance with the poli- committee, consisting of representatives from cies; and the departments that have particular inter- • Respond to new legislative and regulatory est in privacy and data security matters, and directives. those that should have input into any privacy policies. The challenge for such a committee What becomes immediately apparent, on re- is to ensure that the many, sometimes dispa- view of these elements of the CPO role, is that rate, voices within a corporation are heard, a CPO must have several different skills. A CPO and harmonized. Senior leadership within the must have some knowledge of relevant privacy company ultimately must take charge of fjnal - and data security laws (many CPOs are lawyers). A izing and implementing the recommendations CPO must also have technical knowledge, and the of the committee to avoid the “analysis pa- ability to identify how a company manages infor- ralysis” that can sometimes develop in group mation, through the cycle of intake/creation, use settings. It may be desirable to appoint a chair and distribution, and storage and disposal. And a of the committee, who will serve, in practical CPO must have management skills, as the process terms, as a part-time CPO; of creating, implementing, and revising privacy • Outside consultants . Law fjrms, accounting fjrms policies is essentially one long (actually, never-end- and (increasingly) data privacy and security ing) corporate project. consultants have much to offer corporations. Even a brief review of the elements of the CPO Such consultants can suggest model policies, role confjrms that CPOs cannot possibly perform and can conduct helpful training and orienta- their tasks alone. They must draw on knowledge, tion for corporate managers and employees. skills, and experience scattered throughout the Such consultants, moreover, may be engaged corporation: general counsel, information technol- to conduct periodic audits of a company’s pri- ogy, human resources, risk control, marketing, and vacy practices, and report recommendations many other departments often must be involved. for improvement (perhaps to the corporation’s Creation of viable privacy and security policies, privacy committee); moreover, requires a CPO to listen carefully to the • Professional organizations . In the past few years, needs expressed by various components of the cor- several organizations have been created that poration. A privacy policy created by fjat, which is are dedicated to the study and development not responsive to the corporation’s actual practices of “best practices” with regard to privacy
Chief Privacy Offjcer | 19 and data security. Among these is Privacy & practices after technological and managerial American Business, which conducts frequent structures have become entrenched; workshops and seminars on privacy issues. • Plan for change. Businesses expand; new op- The Better Business Bureau (“BBB”), more- erations commence; technology changes. A over, recently announced development of a company with a framework for dealing with national initiative to help small businesses pro- privacy issues can more effjciently adapt to tect customer and employee data. The BBB growth and change. Indeed, the development has developed a “toolkit” to inform smaller of such a framework should help the corpo- businesses about the essentials of good privacy ration embrace change, as an opportunity practices, outlining essential steps in a variety to implement new best practices, when they of areas. become available; The approaches listed above are not mutually • Prepare for crisis. Headline-grabbing stories of exclusive. A business might well combine several investigations, lawsuits, and consumer (and of these (and other) approaches. For example, at employee) complaints about privacy and data the outset of a privacy initiative, a corporation security breaches can adversely affect even might gather information from professional orga- the mightiest corporations. So much more are nizations, and invite consultants to provide train- smaller businesses at risk. The establishment ing and insight to aid the formation of a privacy of good privacy and data security practices, committee. Once the committee is operating ef- backed by a commitment of resources, and fectively, however, the consultants might serve in a assignment of responsibility for implementing more limited capacity, providing updates on new such practices, may be some of the best insur- privacy and data security regulations, and offering ance the company can buy. Such practices tips on new technology and practices. The assess- and structures may prevent some of the worst ment of the committee and consultants may, more- crises that have affected American businesses. over, eventually warrant the hiring of a CPO for And, if a crisis hits, a company with defen- the company. The choice of a CPO, at that point, sible policies and a clear commitment to best should be much better informed and attuned to practices can claim the moral and legal high the particular needs of the corporation as a result ground, in ways that may defuse or at least of the groundwork the committee and consultants minimize the crisis. have already done. CONCLUSION • Data privacy and security laws ADVANTAGES • Even if a company cannot are complex and ever-changing. And in one form employ a full-time CPO, the approaches outlined or another, they affect virtually all American busi- above offer several advantages: nesses. Whether a company should hire a full-time • Establish “best practices” early. Small businesses, CPO is an inquiry that requires a careful assess- and those expanding into new areas, have ment of the cost involved and the likely risks and unique opportunities to establish privacy and benefjts. Establishing a CPO position can be ex - data security best practices from the outset of pensive; but there is no question that the liabilities operations. Integrating such practices into the for privacy violations can be staggering, not only business early on may be cheaper, and much in fjnancial terms—but in terms of a company’s more effective, than attempting to impose such reputation.
Recommend
More recommend
