Privacy Advisor

Notes from the Executive Director

May 1, 2009
Beyond compliance


With all of the good work accomplished in the data privacy field each day, it is easy to sometimes forget how far there is to go. A funny thing happened recently to remind me that, despite all the progress of this profession, our work is not done.

Like many organizations, the IAPP monitors the Web for use of its name. Earlier this month our name popped up in the privacy policy of a national nonprofit organization with whom the IAPP has never been affiliated. A brief inspection of the policy revealed its origins—the policy of an organization with which the IAPP has been affiliated.

A closer look revealed that this organization had copied wholesale the privacy policy of an unrelated entity and, presumably, used the find-replace function to insert its name where the original organization’s name had been—product names, affiliations, and industry-specific citations remained.

The effort in the marketplace to drop policies onto every Web site has been successful. But we cannot disconnect the posting of a policy from the active management of a privacy program. This copy-and-paste policy approach, while quick, undercuts the valuable and intellectually strenuous work of developing sound, thoughtful privacy policies that help establish trust in the marketplace.

In a speech earlier this month, EU Consumer Protection Commissioner Meglena Kuneva cited the need for a heightened level of Internet trust and privacy awareness to help Europeans feel comfortable engaging in e-commerce. She said: “Confidence and trust is the new currency in Europe.” Her words could not be more timely.

Ours is not a cookie-cutter profession. The convoluted nature of data privacy and the tempestuous legal environment surrounding it require hands-on, highly tailored solutions. Each day technological advances drive new innovations in goods and services that require more thought, more effort on the part of those of us dedicated to privacy work. There’s a heck of a lot more to that than a click-and-drop privacy policy.

I hope the aforementioned organization enlists the expertise of a privacy professional soon. And I hope to see many of you next month at the IAPP Practical Privacy Series in Silicon Valley, where Heartland Payment Systems Chairman and CEO Bob Carr will discuss his company’s data breach, and what Heartland is doing to help others prevent data breaches.


J. Trevor Hughes, CIPP
Executive Director, IAPP