In an ideal world, privacy professionals would be involved in their organization's request-for-proposal process, but many times they are on the outside looking in. More often than not, contracts and deals are reached and agreed to, and by the time the document gets to the privacy pro, the question is: "We agreed to do what?"
MGM Studios Vice President of Information and Technology and Corporate Legal Christopher Kunke, CIPP/US, has seen deals where a company agreed to store video clips of little girls standing in front of their houses, potentially opening itself up to violations of the Children's Online Privacy Protection Act, a scenario creepy enough to make several attendees gasp when they heard it. Another scenario involved an HR department that wanted to use facial-recognition technology to determine whether a prospect was enthused about the job by analyzing their facial expressions in response to questions and details about the position. American Fidelity Assurance Company Privacy Officer Jill Cusack, CIPP/US, CIPM, FIP, recalled one instance where a company wanted to take copies of driver's licenses and transport the duplicates to another location.
These anecdotes were part of a breakout session that took place during the IAPP Privacy. Security. Risk. conference in Austin, Texas, recently. Kunke and Cusack were joined by First Fidelity Bank Vice President of Technology Jonathan Hinkle for a session called, "Beyond the BAA: Addressing Unconventional Privacy Concerns in Contracts."
There are many problems with the current processes for contracts and other agreements. The presenters cited a 2016 survey from the Corporate Executive Board Leadership Council where 42 percent of respondents said contract review functions were of low to moderate value to a business. With contract reviews treated more as a hindrance than a benefit, privacy will likely not receive as much consideration.
"At the end of the day, there’s a lot of stuff in our worlds that we don’t find out about," Cusack said. "Many entities do not have a formal or required privacy subject-matter expert review baked into every vendor contract review."
The rapid-fire nature of certain agreements may leave privacy professionals at the very end of the review process, giving them little time to explain the importance of privacy considerations.
"When a deal is done and someone hands it to you, they sometimes say, 'We are going to market to this tomorrow morning,' and the deal is done before considering compliance," Kunke said. "That is a problem because expectations build, and very senior people are involved, and they have bought into the idea, and if there’s a fundamental problem with it, then you have a real issue because you have committed to the vendor that you are going to buy it, and you told your boss and they told their boss and so on."
These problems may seem overwhelming, but the presenters offered ways to ensure privacy is considered when deals are on the table.
Education was one of the methods the presenters suggested privacy professionals use to avoid business agreement pitfalls. Cusack explained she requires lawyers and paralegals to study privacy laws, especially for those industries they have not worked in previously. Cusack said this paid off for her when one of her lawyers came to her after her company's marketing department wanted to tack on a message about changing passwords to an email about new tax rules.
"Our tax lawyer was aware enough about privacy that she came to me and said, 'Marketing wants to give people their usernames and is offering our password conventions,' and she was worried someone could access accounts," Cusack said. "She wanted to run it by me before she put her official signature on it."
Kunke emphasized the importance of establishing relationships with every department in your organization, as well as having a deep understanding of each department's inner workings. Having this information can help privacy professionals when they need to educate fellow employees.
"I think you can’t just say '[I am] a lawyer, my job is just to read agreements and pick them apart,'" Kunke said. "It’s more important that you understand what is going on and learn the goals. I think it is incumbent. I think you just have to insert yourself, and I’ve never had anyone tell me to butt out."
By educating staff and establishing their positions, privacy professionals are in a better spot to collaborate with different departments in order to get privacy a seat at the table for all business decisions. Hinkle said all those elements will allow privacy professionals to lessen their workload. It is impossible for privacy professionals to have a finger in every pie, Hinkle explained, and taking those steps will empower other staff members to do complete work without running into trouble.