Practical Privacy

What Makes a Good Privacy Officer?

By K Royal, CIPP/US, CIPP/E

Recently, as I was speaking to a talented group of law students, I was asked the above question. This has also been a related theme underlying some of the recent posts on the IAPP Privacy List. I’m not sure if this list is what those who want to enter the privacy field should cultivate in themselves, what current privacy officers are like or what we should be aiming for as a profession.

To build this list, I searched online for the top 10 traits or characteristics of compliance officers, salespeople, CEOs and managers. In essence, I could stop this blog entry now—that is what we are and should be: compliance officers, salespeople, CEOs, managers and let’s include janitors as well. In fact, let’s look at it that way: What job skills does one need to be an effective privacy officer? If we were to brew the perfect privacy officer, what career fields would we throw into the kettle?

Compliance Officers: In effect, this is what we are. We have a law, rule or regulation that we need to follow. We make sure the company follows this certain law, rule or regulation. We are a cost center. We do not make a profit for the company. We do, however, save the company lots of money. Please do funnel those horrible headlines past your executive committee to show them what you are worth.

A good privacy officer runs the department like a successful CEO. S/he needs vision, execution, organization, candor with compassion and pragmatism.

Sales: We sell. We sell compliance. We sell the need to do the right thing, even if there is no law, rule or regulation stating what we should do. We sell Privacy by Design. We sell having us in the opening bid of a project. We sell our benefit to the company. We identify the needs, the underlying support, the future benefit and our allies as well as our antagonists. We bring our persuasive skills to the table and close the deal.  

CEOs: I borrowed material for this one from Stephen D. Simpson’s “Top Qualities of an Effective CEO.” A good privacy officer runs the department like a successful CEO. S/he needs vision, execution, organization, candor with compassion and pragmatism. S/he needs to be in the right markets at the right time, to drive hard bargains—but not too hard—and to manage for the future, not the mirror. If we as privacy officers are not in the right market at the right time, we miss the privacy boat. We get stranded on the privacy island or get voted off it.

Managers: I borrowed this one from Jacob Morgan’s “5 Must-Have Qualities of the Modern Manager.” As privacy officers, we must be good managers. We need to follow from the front and make sure our employees succeed—when we yell jump, jump with them. We must understand technology—especially in our digital world. We must lead by example, embrace vulnerability and believe in the collective intelligence. Rarely do people comply with a mandate because it is a mandate. Foster understanding in order to foster compliance.

Social Workers: Social workers serve an incredibly valuable role in our society—often dealing with vulnerable populations. To be an effective social worker, one needs empathy, dependability, patience and a slew of efficient, effective and inexpensive resources. S/he must be creative and open-minded yet willing to take on the challenges, including the drudgery of paperwork. Know when to walk quietly, carry a big stick and know when to run in the other direction—calmly and with authority.

Rarely do people comply with a mandate because it is a mandate. Foster understanding in order to foster compliance.

Investigators: Investigating is a natural fit for our job as we frequently are investigating complaints and breaches. But what traits do we need as investigators? We need to be perceptive, stubborn, questioning and detail-oriented. We need to keep good notes and be able to connect seemingly unconnected events and facts. We need to be inquisitive and not hesitate to ask the hard questions—out loud—sometimes just to hear how ridiculous they are.

Inventors: “Necessity is the mother of invention.” But it takes someone who is willing to think beyond preset boundaries and create something new. Perhaps it’s an easier way of doing something, or it involves making a program more streamlined and efficient—a little tweak that makes something much easier than it once was. Some privacy officers create a program from nothing, and others have nothing with which to run the program. Regardless, we all hope to see a return on investment.

Mechanics: Mechanics run the gamut of the shady-tree mechanic to the luxury jet mechanic, and so do privacy officers. Some have elite background and training, while others learned the trade organically and grew up with it. Neither one is better than the other. They’re just varied in credentials and background. But like me taking my car into the shop and duplicating the dinging it does when I take a left turn, colleagues don’t always know something is wrong with their data practices. It just sounds wrong. Privacy officers are left to identify what is broken, trusted to fix it and expected to keep the cost down—oh, and have it ready for pickup this afternoon with a full body detail and the tires done.

We need to be inquisitive and not hesitate to ask the hard questions—out loud—sometimes just to hear how ridiculous they are.

Airline attendants: Let’s be friendly, attractive and provide excellent service while keeping everyone safe. Smiling, yet firm. And yes, you have heard this a hundred times before: The plane may be different; the law is not. Just do what you need to do, correctly, when required, and we will make sure you get where you need to be. Oh, and don’t sit in the exit row unless you are willing to help everyone else. Coffee, anyone?

Janitors: Same garbage, different day. But if we weren’t here to clean it up, the world would be in a rough place.

This list is limited to 10 because 10 seems to be the magical number for such considerations, but I bet there are lots of others. What career field would you choose to compare to being a privacy officer? Picture yourself explaining your job to a bunch of six-year-olds … What do you say?

More from K Royal

About the Author

K Royal, CIPP/US, CIPP/E, is privacy counsel at Align Technology and has over 20 years of professional experience in the legal and health-related fields. Royal has a particular interest in the relationship between health and technology—such as telesurgery, bioethics and privacy. As an attorney, she has been recognized as a Forty-under-40 honoree for Phoenix, as an educational leader through the YWCA and as one of the top pro bono attorneys in Arizona. Royal is currently an in-house global privacy counsel and finishing her PhD in public affairs.

See all posts by K Royal

Comments

  • February 20, 2014
    Lanita Collette
    replied:

    Does the perfect privacy officer have a law degree?

    • February 20, 2014
      K
      replied:

      Hi Lanita. No, the perfect privacy officer might not have a law degree. I do, as does many I know, but I also know some really good ones who do not. One thing I have noticed is that not all attorneys are good in a privacy or compliance role. It requires a little more or different *something* that not all attorneys have. It’s the same as saying not all attorneys are good litigators. There is just a certain mindset or personality that is required. Knowledge can be learned/acquired. That personality or mindset, probably not so much.

  • February 20, 2014
    Lee
    replied:

    I was right with you until the airline attendant and one little word ‘attractive’ - strike this, and you have a perfect description, no law degree required. :-)

    • February 20, 2014
      K
      replied:

      Hi Lee,

      You don’t know how much I agonized over that one little word, especially given that it used to be a requirement and no longer is due to discrimination claims. I left it in to see if anyone else would pick up on it and disagree. Thank you for doing so! - and thank you for the compliment.

  • February 20, 2014
    Name Ester Horowitz, Compliance Inc
    replied:

    I disagree with the statement that compliance is a cost center. If you really are a CEO mindset then you know how to use compliance to effective profitability not just save the company a ton of money in liabilities. I teach this all the time

  • February 20, 2014
    K
    replied:

    Ester,

    You are so right. I, too, argue that compliance with laws permits companies to sell their widgets - therefore, we are not a burden, we are an enabler. Like HR, we contribute indirectly to profit (and their contribution is much more direct than ours). Unfortunately, this is an argument that will likely never end.

  • February 20, 2014
    Name Pat Nelson
    replied:

    “Attractiveness” in this case doesn’t necessarily mean physical beauty in any way, it could mean something as simple as not leaving the house looking like a hot mess.  If a person can’t pull themselves together professionally in front of the mirror, how will a company trust them to pull their compliance issues together professionally. 

    • February 20, 2014
      K
      replied:

      Pat,

      I LOVE that view! Thank you for eloquently interpreting something I could not define myself.

    • February 20, 2014
      Chass Brown
      replied:

      Very good point. A very wise manager once told me to never leave the house without having your “leadership” on: face, hair and dress. Your credibility is 55% based on your LOOKS. You do not have to look like Gisele but you do need to be professional and dress the part you want to play.

      • February 20, 2014
        K
        replied:

        Chass, you make a good point. I always heard “dress for two positions up” or “let them see what you’d look like in the role you want” - which is exactly what you are saying. I know someone who refuses to brush their teeth, wash their hair, or tend to other basic hygiene because he feels that people should respect him for his abilities not his looks. But no one wants to even try to get past the looks. Like Pat said above, if you can’t pull yourself together, can you be trusted to pull together a department?

  • February 20, 2014
    Cindy Compert
    replied:

    I would also add ‘Technology Geek’ to the mix- the ability to understand the organization’s use of data at a technology level (high level) and what solutions are available to mitigate privacy concerns. If not directly an attribute of the privacy officer, then certainly a resource that can provide that perspective.

  • February 20, 2014
    K
    replied:

    Cindy,

    Absolutely! We have to have some understanding of it, if not love, right? Although, I will confess, my IT people hate hearing me use the wrong terminology that I sometimes do it just to see them wince.

  • February 21, 2014
    Tim
    replied:

    Interesting list, but I think you left out a very important skill. Teachers. As a whole, we function as teachers. Given that you ask how we would describe our roles when speaking to a bunch of six-year-olds, I find that teaching comes to mind more readily than some of your examples, albeit your examples are excellent.

    • February 21, 2014
      K
      replied:

      Thank you, Tim. We are teachers. And sometimes I think it would be easier to teach six-year-olds than some of the adults I have worked with.

  • February 21, 2014
    Eric Chung
    replied:

    Thank you for the wonderful article K!
    Adding a often-heard role of a “fireman”, fighting fire with the coolest of mind, and evocating fire prevention with the hottest of heart!

  • February 21, 2014
    K
    replied:

    Hi Eric,

    What a wonderful analogy! I did not even consider that profession, but it is so akin to what we do. How often do we lament that we are so busy putting out fires that we cannot get our day jobs done? And our day jobs should not be putting out fires, we would prefer to identify drought areas and do fire prevention.

    And thank you for the compliment. This was a fun and meaningful exercise to go through. It really did help identify necessary skills - and perhaps some that can go on the performance review or resume’.

  • February 21, 2014
    Kate
    replied:

    I don’t think “attractive” necessarily means in the physical sense. We do need to be someone people want to see and consult - not hide from. Smiling but firm - that’s practically my motto!

  • February 21, 2014
    K
    replied:

    Hi Kate,

    You bring up something that is so prevalent in our world - people need to put a friendly face to our name. They need to be able to know that they can come to us with a concern and we won’t shoot the messenger (at least without due process and consideration). We do need to be someone people want to see and consult. I love your motto!

  • February 21, 2014
    Rene'
    replied:

    Great article, quite creative and entertaining. You can tell by the people who comment that as privacy officers, we find it difficult to fully explain the scope of our roles. Sometimes, we ourselves, cannot put term to it. The article also captures the independent nature of our roles. We are not typical attorneys (for those who are attorneys), nor are we the typical compliance officer, who seems to reside many times with HR or regulatory. We are unique and you captured that well. For myself, I would add EMT or first responder, because we are often called in for an emergency and sometimes we can save the project and sometimes we pronounce its demise. But we must be ready to roll on an instant’s notice with our knowledge sometimes the only tool at our disposal. I looked at your other articles as well and imagine the consternation your fresh perspective must bring to your co-workers, especially the other attorne

  • March 04, 2014
    Scott Goss
    replied:

    I suggest adding brand manager and psychic to your list. A mere compliance mindset will only partially cover the privacy challenges facing modern companies.  Compliance is the floor, but a successful CPO must go beyond the law and address risks to his/her company’s reputation and trust that consumers and the public put into their products and services.  A successful CPO must also be a bit of a psychic to anticipate where the law, industry best practices, and consumer sentiment is heading to help guide their company’s next generation of products and services.

To post your comment, please enter the word you see in the image below:

To post your comment, please enter the word you see in the image below:

Get your free study guide now!
Get your free study guide now!