What makes a model privacy program?
By Jedidiah Bracy, CIPP
As data protection and privacy concerns continue to expand throughout the world, more and more organizations are finding they need to implement new or improve outdated privacy programs. Instead of “reinventing the wheel,” privacy professionals can look toward other model programs and learn key elements to ensure an effective program. The Privacy Advisor recently caught up with several privacy experts to discover some important components that can help engender a successful program.
Privacy professionals have their hands full when implementing a privacy program. It’s difficult and often thankless work that requires extensive knowledge, savvy and creativity. In addition to ensuring an organization is compliant with the appropriate regulations, privacy professionals need to create a mission statement and policy framework, train employees and make it operational. No small task, by any means. However, simply creating a privacy framework is not the end of the process—in a sense, it’s just the beginning.
“If we want to talk about a successful program, I think we have to look for connections to other parts of the organization,” says Sagi Leizerov, CIPP.
Leizerov, executive director of advisory services at Ernst & Young, says that a privacy office can have all of the necessary program elements in place—procedures, controls, managed third parties—but in order to truly make a program effective, a privacy department needs to establish two essential connections: one between the program and the organization’s key stakeholders and a second within the business where information is being managed. He says that a privacy team can have experience and in-depth knowledge, but if leadership does not buy into the program, or if employees are not practicing the program’s policies, then the program will fail.
“Very often, executives want feedback from outside sources like board members, clients or the media,” Leizerov says. These outside sources often drive meaningful change within an organization.
As vice president of customer services and chief privacy officer of 2011 HP-IAPP Privacy Innovation Award winner, Ontario Telemedicine Network, Norine Menzies-Primeau, CIPP/C, has an essential position to affect change within her organization. She reports to both the CEO and the board of trustees.
“I can be the watchdog,” she says. “If we don’t have privacy, we have nothing. It’s a fundamental business thing…Once I got it set up strategically, then stakeholders rallied around it. It saved us money in labor and made good business sense.”
Menzies-Primeau notes that, along with having influence with the organization’s stakeholders, a team approach to meeting the program’s privacy goals is paramount. “Privacy was always seen as a barrier” by other parts of the organization, so it’s important, she says, to build trust with these departments.
Menzies-Primeau says that she teaches her staff about compromise and exercising a “softer approach” when dealing with other departments. If the other departments feel they are a partner in the process, then the program’s initiatives won’t be seen as such an intrusive barrier.
A concrete example of the power of trust among departments is seen through an experience Menzies-Primeau had while analyzing the organization’s breach reports. Initially she noticed there were only three reported breaches. With hundreds of thousands of faxes, she had trouble believing there had been so few.
In response, she went back to the organization’s employees, telling them, “You have to trust us, so you need to report breaches.”
The effect became immediately clear. “We were paralyzed with breach reports, but that’s how we started turning things around—we built trust.”
Menzies-Primeau says the best advice she received came from another CPO who said, “You have to be comfortable being uncomfortable.” She says she tried to reinforce that mantra with her staff. “Know that an incident will happen. Do the best you can and defend your position,” she says.
As founder and partner of the Ponemon Institute, Larry Ponemon, CIPP, has conducted extensive benchmarking of companies’ privacy practices.
“We’ve learned, in general, organizations that are doing it right spend considerable time and effort training their employees about privacy,” he says, adding that when there are errors, “A lot of times, it’s good people making mistakes. We see this over and over again. Organizations need to spend real time and resources on educating people.”
In addition to educating staff across the organization, Ponemon says it’s important to monitor and make sure the work environment is compliant. He points out that monitoring whether employees are following policies helps demonstrate the effectiveness of a program. Additionally, organizations should take advantage of technology to monitor and understand data.
“Technology is important,” Ponemon says. “It just takes one rogue employee to make huge mistakes.” He recommends that companies use encryption and data protection technology.
Ponemon also encourages measuring the program’s accomplishments—“objectively assessing your performance” —by using metrics. He recommends checking to see if goals are being met. For example, a privacy officer could decide that 80 percent of the company’s employees should be appropriately trained in privacy. He suggests companies measure the program’s effectiveness by giving occasional quizzes and implementing a grade level that proves policies are known and will be followed.
CIPP certification is another objective method of ensuring employees are “on the same page” and share a common body of knowledge, according to Ponemon.
Kirsten Bock, international coordinator at the Independent Centre for Privacy Protection (ULD)—the privacy regulator for the German state of Schelswig-Holstein—and head of the EuroPriSe seal program, agrees.
“To create a model privacy program, it is important to define protection goals that a company will strive to achieve as well as measures to evaluate the progress and achievements…Clear and defined processes are a key organizational value contributing to a model privacy program,” Bock says. “These need to be accompanied by customer and employee respect.”
Bock sees a connection between privacy protection and business management. “Data protection is a horizontal issue and has cross-sectional character. It is relevant for all aspects of process management. The core issue here is to create transparency and thus controllability for processes,” she says. “If you have this in mind, data protection can be a huge contribution to good management practices.”
Bock also notes that “data protection today is closely linked to IT and thus has to deal with the rapid developments in technologies.”
The idea of embedding privacy into the foundations of data protection and product development is something that many privacy professionals—including Ponemon and Menzies-Primeau—agree upon.
“Good companies are saying, ‘before we sell it,’ let’s build privacy into the technology we’re developing,” Ponemon says, adding that it’s not always an easy thing to do but if done right “it makes business sense.”
Menzies-Primeau says that, since technology is driving industry, it’s important for the privacy department to have a conduit of communication with the IT department. One of the biggest challenges to embedding privacy, she says, is getting technology teams to understand the goals of the privacy department. She notes that business analysts are people who can “speak both languages.” By understanding the technology, analysts can then put it in business terms and vice versa.
“Understand the language and orientation of different departments,” Menzies-Primeau says, “because the organization needs to have conduits to bridge that gap.”
Embedding privacy also goes beyond product development. It reaches toward a larger view of business management and employee awareness. Strong privacy practices contribute to reputation and brand recognition.
Electronic Frontier Foundation Activism Director Rainey Reitman mentions the “growing movement to ‘compete on privacy’—whereby companies provide value to their customers by providing stronger privacy protections than their competitors.” Reitman says the movement could “prove beneficial to companies and users alike.”
Ponemon, meanwhile, sums up what guiding principle a strong privacy program should follow.
“It’s not just about compliance. It’s really about adhering to a higher understanding.”
He likens the new privacy paradigm to the level of business ethics, saying, “Privacy is a personal issue—the data is about who you are—people don’t want companies not taking that seriously.”