Baking in Strong Privacy Controls

By John Wagley

01 June 2011

Print Issue: June 2011

As more companies consider establishing privacy programs, they need to understand what the objectives should be and how best to achieve them.

A panel of speakers at the Global Privacy Summit in Washington, D.C., discussed some of the best practices involved in creating and managing such programs. Panel moderator Deirdre Mulligan, director of the Center for Law and Technology at Berkeley, who has been surveying privacy professionals worldwide, found that the most successful programs tend to take a business-oriented, risk-based approach to building privacy programs.

That means starting by assessing overall business needs and vulnerabilities. Additional best practices are to give chief privacy officers ready access to high-level executives and to instill programs with accountability.

The most effective chief privacy officers and other top privacy executives have offices that are located in or near an organization’s C-suite, Mulligan said. A related characteristic of successful programs is that top officers tend to have considerable leeway in developing programs they consider most fitting.

Other panelists at the conference, which was sponsored by the International Association of Privacy Professionals, noted that while many top privacy officers have legal backgrounds, it’s important for organizations to view privacy programs as distinct from traditional legal departments. When organizations see programs as primarily legal, it can be one of “the most limiting factors” in program development, said Kasey Chappelle, global privacy counsel at the Vodafone Group. It is important for privacy officers to take a proactive, strategic approach to accomplishing their aims, she added.

Another panelist, Jeff Green, chief privacy officer at the Royal Bank of Canada (RBC), spoke about RBC’s privacy policies. One of Green’s first decisions as top privacy officer was to focus on IT security, because it looked like the area in which the bank was most likely to experience privacy-related issues.

He and his colleagues spent about a year studying where sensitive data in the organization resided and how it was handled, including existing security controls and processes. They familiarized themselves with relevant data security and privacy laws and regulations. They then worked to create a security framework that included strengthening controls and creating systems of ongoing monitoring.

Another speaker, Peter Cullen, chief privacy strategist at Microsoft, said one of his organization’s challenges is staying abreast of laws worldwide, because the company does business in every country where it is legal to operate. After Cullen joined the company in 2003, he said one of his initial goals was to meet with regulators, privacy advocates, and others around the world to better understand developing privacy regulations and concerns. There’s “an increasing chance a law could be passed somewhere in the world that may have an external impact upon our business,” he said.

Organizations can structure privacy programs in a variety of ways, panelists said. For example, Vodafone divided its program into two main parts: one focused on strategy—that’s the one Chappelle heads up; the other focused on operations. A primary goal of the operations office has been to educate executives within the company’s numerous business units on privacy-related matters, she said. Such executives also regularly report back to the main operations office.

Accountability can be strengthened through program measurements, or metrics, a few panelists said. Vodafone uses a few in-house systems to measure privacy program achievements. The metrics also provide “something we can then show to higher-level executives,” said Chappelle.

One main way Vodafone measures its privacy efforts is by conducting annual assessments to determine how well individual operating units meet the company’s proprietary Privacy Risk Management System (PRMS), according to Amanda Chandler, Vodafone’s global privacy manager, who leads most of the operational side of the company’s privacy program.

The PRMS centers around nine core processes and goals Vodafone considers central in meeting its informational governance objectives, says Chandler, who was not at the conference but spoke to Security Management. The nine categories range from “privacy impact assessments” to “supplier assessments,” and from “data breach incident handling” to the maintenance of a “personal information location register.” The nine areas are also broken down into subcategories and subprocesses.

The assessments, conducted by privacy officers in individual business units, consist of sets of questions aimed at determining how well the units are managing the key PRMS areas. Officers answer each question with a ranking of one through five, with five being the most efficient or effective. Each of the nine categories is also given an overall score. After the assessments, officers discuss ways to improve low-scoring areas with company managers Vodafone calls “board sponsors for privacy.” Officers regularly discuss progress with privacy program executives.

Although officers score the assessments themselves, they generally haven’t overly inflated their scores, says Chandler. One reason is that officers sometimes want to draw attention to areas that might need more resources, she says. Privacy officers can also demonstrate some of their accomplishments when the scores rise over time. When the PRMS, the assessments, and related efforts grow in maturity, Vodafone will use internal auditors to help check the assessments’ veracity across the company, says Chandler.