As data protection and privacy concerns continue to expand throughout the world, more and more organizations are finding they need to implement new privacy programs or improve outdated ones. Instead of “reinventing the wheel,” privacy professionals can look toward other model programs and learn the key elements of an effective program. The Privacy Advisor recently caught up with several privacy experts to discover some important components that help build a successful program.

Generating connectivity
Privacy professionals have their hands full when implementing a privacy program. It’s difficult and often thankless work that requires extensive knowledge, savvy and creativity. In addition to ensuring an organization is compliant with the appropriate regulations, privacy professionals need to create a mission statement and policy framework, train employees and make it operational. No small task, by any means. However, simply creating a privacy framework is not the end of the process—in a sense, it’s just the beginning.

“If we want to talk about a successful program, I think we have to look for connections to other parts of the organization,” says Sagi Leizerov, CIPP.

Leizerov, executive director of advisory services at Ernst & Young, says that a privacy office can have all of the necessary program elements in place—procedures, controls, managed third parties—but in order to truly make a program effective, a privacy department needs to establish two essential connections: one between the program and the organization’s key stakeholders and a second within the business where information is being managed. He says that a privacy team can have experience and in-depth knowledge, but if leadership does not buy into the program, or if employees are not practicing the program’s policies, then the program will fail.

“Very often, executives want feedback from outside sources like board members, clients or the media,” Leizerov says. These outside sources often drive meaningful change within an organization.

As vice president of customer services and chief privacy officer of the Ontario Telemedicine Network, winner of the 2011 HP-IAPP Privacy Innovation Award, Norine Menzies-Primeau, CIPP/C, is well placed to effect change within her organization. She reports to both the CEO and the board of trustees.

“I can be the watchdog,” she says. “If we don’t have privacy, we have nothing. It’s a fundamental business thing…Once I got it set up strategically, then stakeholders rallied around it. It saved us money in labor and made good business sense.”

Building trust
Menzies-Primeau notes that, along with having influence with the organization’s stakeholders, a team approach to meeting the program’s privacy goals is paramount. “Privacy was always seen as a barrier” by other parts of the organization, so it’s important, she says, to build trust with these departments.

Menzies-Primeau says that she teaches her staff about compromise and exercising a “softer approach” when dealing with other departments. If the other departments feel they are a partner in the process, then the program’s initiatives won’t be seen as such an intrusive barrier.

A concrete example of the power of trust among departments comes from an experience Menzies-Primeau had while analyzing the organization’s breach reports. Initially she noticed there were only three reported breaches. Given that the organization handled hundreds of thousands of faxes, she had trouble believing there had been so few.

In response, she went back to the organization’s employees, telling them, “You have to trust us, so you need to report breaches.”

The effect became immediately clear. “We were paralyzed with breach reports, but that’s how we started turning things around—we built trust.”

Menzies-Primeau says the best advice she received came from another CPO who said, “You have to be comfortable being uncomfortable.” She says she tried to reinforce that mantra with her staff. “Know that an incident will happen. Do the best you can and defend your position,” she says.

As founder and partner of the Ponemon Institute, Larry Ponemon, CIPP, has conducted extensive benchmarking of companies’ privacy practices.

“We’ve learned, in general, organizations that are doing it right spend considerable time and effort training their employees about privacy,” he says, adding that when there are errors, “A lot of times, it’s good people making mistakes. We see this over and over again. Organizations need to spend real time and resources on educating people.”

Measuring accomplishments
In addition to educating staff across the organization, Ponemon says it’s important to monitor and make sure the work environment is compliant. He points out that monitoring whether employees are following policies helps demonstrate the effectiveness of a program. Additionally, organizations should take advantage of technology to monitor and understand data.

“Technology is important,” Ponemon says. “It just takes one rogue employee to make huge mistakes.” He recommends that companies use encryption and data protection technology.

Ponemon also encourages measuring the program’s accomplishments—“objectively assessing your performance”—by using metrics. He recommends checking to see whether goals are being met. For example, a privacy officer could set a target that 80 percent of the company’s employees be appropriately trained in privacy. He suggests companies measure the program’s effectiveness by giving occasional quizzes and setting a passing grade that demonstrates policies are known and will be followed.

CIPP certification is another objective method of ensuring employees are “on the same page” and share a common body of knowledge, according to Ponemon.

Kirsten Bock, international coordinator at the Independent Centre for Privacy Protection (ULD)—the privacy regulator for the German state of Schleswig-Holstein—and head of the EuroPriSe seal program, agrees.

“To create a model privacy program, it is important to define protection goals that a company will strive to achieve as well as measures to evaluate the progress and achievements…Clear and defined processes are a key organizational value contributing to a model privacy program,” Bock says. “These need to be accompanied by customer and employee respect.”

Bock sees a connection between privacy protection and business management. “Data protection is a horizontal issue and has cross-sectional character. It is relevant for all aspects of process management. The core issue here is to create transparency and thus controllability for processes,” she says. “If you have this in mind, data protection can be a huge contribution to good management practices.”

Bock also notes that “data protection today is closely linked to IT and thus has to deal with the rapid developments in technologies.”

Embedding Privacy
The idea of embedding privacy into the foundations of data protection and product development is something that many privacy professionals—including Ponemon and Menzies-Primeau—agree upon.

“Good companies are saying, ‘before we sell it,’ let’s build privacy into the technology we’re developing,” Ponemon says, adding that it’s not always an easy thing to do but if done right “it makes business sense.”

Menzies-Primeau says that, since technology is driving industry, it’s important for the privacy department to have a conduit of communication with the IT department. One of the biggest challenges to embedding privacy, she says, is getting technology teams to understand the goals of the privacy department. She notes that business analysts are people who can “speak both languages.” By understanding the technology, analysts can then put it in business terms and vice versa.

“Understand the language and orientation of different departments,” Menzies-Primeau says, “because the organization needs to have conduits to bridge that gap.”

Embedding privacy also goes beyond product development. It reaches toward a larger view of business management and employee awareness. Strong privacy practices contribute to reputation and brand recognition.

Electronic Frontier Foundation Activism Director Rainey Reitman mentions the “growing movement to ‘compete on privacy’—whereby companies provide value to their customers by providing stronger privacy protections than their competitors.” Reitman says the movement could “prove beneficial to companies and users alike.”

Ponemon, meanwhile, sums up the guiding principle a strong privacy program should follow.

“It’s not just about compliance. It’s really about adhering to a higher understanding.”

He places the new privacy paradigm on the same level as business ethics, saying, “Privacy is a personal issue—the data is about who you are—people don’t want companies not taking that seriously.”

Written By

Jedidiah Bracy, CIPP/E, CIPP/US
