Perks of Employing a Chief Privacy Officer
At a recent conference, a German CEO introduced his company’s Datenschutzbeauftragter to audience present, leaving at least half the crowd puzzled, wondering what the man had just said. The look on those confused faces amused the man, who reiterated jovially—“Meet our Chief Privacy Officer.” The translation should have put all the confusion to rest, but astonishingly a section of the crowd still looked lost. Their single collective thought – “Who would be a Privacy Officer?”
To answer the question, it is vital to know what privacy really means to an enterprise. Privacy or Data Privacy—to be more precise—is the relationship between collection and distribution of data; and the legal and political issues that surround them. It is an aspect of IT that deals with the capability to determine whether or not to share the data or parts of the data with third parties.
When we say third parties, it is usually the government or law enforcement agencies that request for information. How would organizations respond to such requests? How would they know what data to share and when to do it? This is where a Chief Privacy Officer or CPO comes in. CPOs are generally senior level or C-level executives within the organization, shouldered with the responsibility of developing and implementing policies that protect employee and customer data from unauthorized access. Their job description also includes frequent communication with employees, customers, and others regarding how much the company values privacy.
It is important to take into account what specialists say about privacy to actually grasp the depth and significance privacy is to an organization. In the words of world renowned security adviser, Roger A. Grimes, “Privacy problems are embedded in nearly every component of computer security. So much so, I propose updating the well-known security triad of CIA (Confidentiality, Integrity, and Availability) to CIPA, with a pillar dedicated to privacy. Sure, it can probably fit nicely under confidentiality, but wedding it to better-known encryption issues doesn’t give it enough visibility.”
So now the next question arises–How to identify the person most suitable for the post? There are a set of qualities that help organizations in recognizing the person who fits the bill. Since CPOs are specialists in privacy, focus on future, awareness of all possible risks, empathy and excellent communication capabilities should all be traits of the person considered. If the organization is successful in finding such a person among their ranks, it’s well and good. But if there isn’t anyone with the desired capability, it is always advisable to hire a privacy advocate. These are individuals and groups who have emerged from the civil society with their main priority being data privacy.
Staunch privacy advocates help the companies in understanding both employee and customer data confidentiality. They are experts in government and regulatory laws in the states or countries in which the organizations branches are setup. One of their main objectives is to educate other C-level officers regarding the importance of the data privacy and how it can be achieved. Creating documentation and policy, training materials, tests; and rectify violations are also a part of their job profile.
They explain what data can be collected and when, where, and how long it can be stored. CPO’s prefer specific data to personalized data since it makes categorization or segregation simpler on a broader scale. They also help keep the data better protected and later erased when they are no longer required. CPO has a major say in the data retention and deletion policies of the organization.
One other notable duty of a CPO is to help the firm in automatically deleting old emails and data stores at a predetermined time. A continuous email trail is a huge risk for any company. For example, let us go all the way back to 2014 when Sony was hacked. The company lost more than 100 terabytes of data that included many unreleased movies. But that wasn’t the worst of it. Highly confidential information was exposed, including Social Security numbers and addresses of thousands of current and past employees, as well as Hollywood stars. It was after this disaster that Sony decided to appoint a CPO for each of its sub-divisions. Sony can be considered lucky in a way that they have become more aware of data privacy. The sad part is multitudes of firms are still ignorant and are learning it the hard way, everyday. It is only in fairly recent times that the CPO’s importance has been understood and largely acknowledged.
Based on the discussions above, it is fair to say that regardless of the size of a firm, the position of CPO is one which should be regarded very seriously. As the famous quote goes, “There is a storm coming!” and the CPOs are the safe keepers who can face this storm head-on.