As anyone who has taken a train knows, there is that moment when you must disembark, stepping from the car to the platform, traversing the threatening gap between the two. The same concern applies to a multinational organisation trying to bridge the gap between a moving and uncertain regulatory environment and the need to establish a stable and strategic corporate approach to privacy management.
Most multinational enterprises now understand that there are myriad privacy requirements, but it is the next step—“now what do I do?”—that causes most corporate challenges. Companies must translate regulatory requirements into actionable plans that can be implemented across an array of countries, business units and worldwide functions such as human resources. As corporations face this challenge, they often want to know how other multinational enterprises address these issues, vertically from the board level down, and horizontally across business units and diverse geographies.
Comparative Corporate Privacy Management Practices
Two US privacy scholars, Kenneth Bamberger and Deirdre Mulligan, have conducted pivotal studies of the role of privacy management in corporations across diverse industries. Their empirical research into comparative privacy practices consisted of interviews with the chief privacy officer (CPO), or the senior corporate officer responsible for privacy, at each of nine companies. Although the CPOs represent different companies in multiple industries, their responses show considerable coherence on a number of fronts:
- Privacy has moved from a compliance-oriented activity to a risk-assessment process. Corporations are embedding privacy in product design and market entry decisions, as well as in corporate policies.
- Legal developments, though critical for compliance purposes, provide only the baseline for justifying and allocating resources.
- The CPOs agreed that the concern now was about preventing consumer harm and fostering a trustworthy reputation in the eyes of the corporation’s customers.
- Privacy is a strategic core business matter, not only a compliance function. In the words of one interviewee CPO, “[T]he law in privacy … will only get you so far.” Another explained that broader principles have to be developed that can guide privacy decisions consistently in a variety of contexts; privacy must be “strategic, part of the technical strategy and the business strategy.”
- This change in focus, away from compliance alone and toward preventing consumer harm, makes it critical that privacy management be integrated into corporate decision-making, much as a consumer product incorporates safety as an attribute integral to the product rather than as a final inspection.
- Privacy is viewed less as a cost centre and more as a function on the same level as product operability and process effectiveness.
This profound shift informs how these corporations organise the privacy function, including the reporting structure, the involvement of the board and high-level senior management, and the metrics for success.
From a review of these and other corporate best practices, identifiable characteristics are emerging: senior-level privacy leadership, a strategic risk management approach and distributed expertise and accountability. These form a solid foundation for an enterprise-wide program that takes a dynamic, forward-looking privacy approach.
Senior-Level Privacy Leadership
Most corporate mission statements emphasise the importance of delighting the consumer by providing high quality goods and services. Privacy fits into this rubric because it is about consumer trust: honouring consumer expectations and doing the consumer no harm. While legal compliance may be a non-negotiable deliverable, privacy is ultimately about the company’s relationship to its customers. Perceived this way, privacy programs will likely attract senior level commitment.
The Bamberger and Mulligan studies, as well as other presentations on this topic, show that the most effective CPO functions at the top level of firm management. The CPO’s role includes substantial engagement with internal and external stakeholders. In the Bamberger and Mulligan studies, the CPOs described their roles as heavily strategic, as opposed to operational and compliance-oriented. One noted, “my team is not responsible for compliance; they’re responsible for enabling the compliance of the business.”
Strategic and Operational Privacy
A “one size fits all” approach to privacy cannot be applied, because risk manifests itself in different ways depending on the organisation and its industry. Where the CPO sits in the reporting structure, how many privacy specialists report to the CPO and who should conduct privacy assessments all depend on the maturity of the organisation’s privacy culture and on the attributes of the organisation itself.
What is common across businesses, however, is a desire to build brand and revenue, reduce risk and demonstrate compliance. Privacy management calls, therefore, for a cross-functional team made up of senior corporate management, business unit management, information security, marketing, corporate communications, human resources, contracting, compliance and legal. In addition, this team needs to include a group of relative newcomers to privacy oversight: the board of directors, the chief executive officer (CEO) and the chief financial officer.
Data security is being taken increasingly seriously by shareholders and by the US Government. In 2011 the staff of the US Securities and Exchange Commission issued non-binding guidance encouraging public companies to disclose in their regulatory filings the material cybersecurity risks they face, any material incidents they have suffered and the steps they are taking to mitigate those risks; the guidance also cautions against boilerplate risk factors that say nothing specific to the company, and against disclosures so detailed that they would hand attackers a roadmap. In September 2012, US Senator Jay Rockefeller sent letters to the CEOs of the Fortune 500 asking them to describe their cybersecurity programs.
Against this backdrop, it becomes clear that privacy decision-making must be distributed to senior people throughout the company. It must be managed by a cross-functional team with clear leadership from the CPO, and it should build on the risk management processes that already flow through the organisation, with appropriate oversight from leadership.
Distributed Expertise and Accountability
In the organisations studied by Bamberger and Mulligan, business unit managers are held accountable for setting and meeting privacy objectives. A network of specially trained advocates in the business units is assigned to identify and address privacy concerns during the design phases of business initiatives, product development and marketing programs.
The CPO and his or her direct reports arm these privacy advocates with specialised training, decision-making tools and regular reporting obligations so they can raise privacy issues as the business units or functions roll out new initiatives, products or strategies. Having someone at the table who is known as “the privacy person” will cause others to consider the privacy ramifications of the initiative from the outset and make privacy part of the corporate mentality.
If the privacy person is not available—or, worse, not readily identifiable—privacy will become a box-checking exercise as the last, robotic corporate stop prior to product or service announcement. By then, it is often too late to minimise the potential of doing harm to the consumer, to maximise positive market impact and to mitigate legal risk. It also can be extraordinarily costly for a business to correct privacy and cybersecurity missteps at the end of the development lifecycle. By seating the privacy advocate at the table from concept through launch, design teams can innovate and thrive as they build the brand and consumer confidence in it.
By incorporating these corporate privacy management practices, a multinational enterprise can step confidently from one platform (a narrower, compliance-only perspective) to another (an enterprise-wide program aligned with core values and having built-in accountability) without running into unnecessary or unanticipated risks. With such a program in place, privacy and security incidents, when they do occur, are more likely to be the exception than the rule.
Kenneth A. Bamberger and Deirdre K. Mulligan, “New Governance, Chief Privacy Officers, and the Corporate Management of Information Privacy in the United States: An Initial Inquiry,” Law & Policy 33(4) (2011), available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1701087.