Privacy Advisor

This month on the Privacy List

July 1, 2011

By Angelique Carson, CIPP

Where does an emerging privacy office belong within a company? In the legal department? IT? Internal compliance? 

That was the question put to privacy professionals recently on the IAPP’s Privacy List, one that generated much insight and opinion among peers.

One member recommended gauging the company’s “capability maturity.” How familiar is the company with privacy theories and concepts? Is privacy viewed as a “tick box on a compliance program,” or has it matured into a driver of revenue?

“Not all of our organizations are ready, or willing, to make the jump from one end of the continuum to the other,” he said, suggesting that the pro focus on creating an office structured around compliance at the outset. “You have to learn to walk before you run,” he said.

Another pro suggested placing the privacy office in a position that easily interacts with all of the company’s departments and framing it more broadly, as “information governance,” charged with strategically determining how both PII and non-PII are used and how some data can be used as revenue drivers. In this way, data collection can help to shape strategies about serving customers’ needs now and in the future, predicting technology and culture shifts and informing senior management.

“I think it is very shortsighted to look at the CPO role as one of compliance only,” the pro said. “It’s about thinking and acting strategically at the highest levels.”

“It’s all about culture,” another member offered, “and changing culture if the organization is not there yet.”

Privacy pros also exchanged reactions to the EU’s new cookie law, which came into effect May 26 and requires companies to obtain users’ consent for cookies and to give them clear and understandable information about the ways data collected on them via cookies is used. A pro based in Europe weighed in that “Inaction is not an option…reliance on browser settings is not a solution” and “working out how to get consent without driving visitors to your website insane is going to be a major challenge.”

Another pro, however, noted that the UK Information Commissioner, Christopher Graham, had said he would not take enforcement action against noncompliant companies for one year, so there was “certainly no need to panic in the short term at least.”

On another topic, a subscriber asked the list whether it’s appropriate for a company to use a customer’s personal contact information in order to respond to “Tweets” about the company.

One pro said he had recently surveyed 20-somethings informally on that very topic, and they responded universally “that being contacted by a company outside of the media they used raised the ‘ewwww’ factor and was ‘creepy,’” he said.

Another pro suggested looking at the company’s privacy policy before taking action.

“Does it disclose that one of the channels through which you will be collecting customers’ personal information will be Twitter? Does it disclose you may be using collected information to respond to outside postings? Beyond the very real customer discomfort with being ‘monitored’ on Twitter and contacted through another means, you need to ensure your disclosure matches your practice.”

For more on the topic of where to place a privacy office within an organization, see the recent Privacy Advisor article in which two New York University professors argue that recent large-scale breaches should cause enterprise management to locate the privacy office directly underneath the CEO, or see the recently published IAPP book Building a Privacy Program: A Practitioner’s Guide, where seasoned privacy experts discuss potential locations.

To participate in Privacy List discussions, or to view list archives, visit the IAPP Web site. The Privacy List is a free service for IAPP members only.