
The Privacy Advisor | An Interview with Siemens DPO Rob Gratchner, CIPP/US

Privacy industry veteran Rob Gratchner, CIPP/US, has worked in the field long enough to recognize that there are some significant changes underway. He’s seen a shift from privacy-as-an-afterthought to privacy-as-a-selling-point; he’s watched the proliferation of self-regulatory efforts, and he’s gained a pretty good understanding of the importance of getting senior management on your side in the name of getting your job done.

In this Q&A, Gratchner talks about his new job as Siemens data privacy officer, things he’s learned along the way and what he sees coming around the privacy-landscape bend.

The Privacy Advisor: Congratulations on the new job. Before moving to Siemens in June, you’d worked at Intel, Microsoft, and you’ve started your own consulting firm. Why did you make the move to Siemens? What appealed to you about the job?

Gratchner: The Siemens opportunity had a lot going for it. It provided a great professional opportunity for growth and development as a privacy professional. In addition, I wanted to leverage my past experience for just one company versus working for many clients. I also like working in a team environment and Siemens has a dynamic and great team. Siemens is committed to privacy and building a strong privacy program. This provided me an opportunity to build that program in the U.S.

The Privacy Advisor: What’s your favorite part of the job so far?

Gratchner: I have the opportunity to view the company from a holistic perspective. I have the opportunity to understand not just the products and services side but the company as a whole. I have the ability to interact with many different people inside and outside the company. Siemens is such a diverse company with a myriad of interesting products and services, from trains, power-generation and wind turbines to medical equipment and smart grid technology; it is a really fascinating place.

The Privacy Advisor: How did you become involved in privacy?

Gratchner: My professional and academic background is in finance and accounting. Back in the late '90s, I worked in Intel’s internal audit group and was asked to conduct a comprehensive privacy review. The privacy field in the U.S. was starting to emerge, and I found it fascinating. Following the review, Intel created a privacy team and I was asked if I would like to be part of the new team. I’ve been focused on the field of privacy since 2001 and have worked with some really innovative companies; first at Intel, later at Microsoft and most recently had my own consulting firm. Now at Siemens, I have the tremendous opportunity to head up its U.S. privacy program.

The Privacy Advisor: It’s interesting that you started with a consumer focus; often I hear people got their start in employee privacy. Having been in the industry since the 2000s, how have things changed for you?

Gratchner: I have seen some really interesting developments in privacy over the last 10 years. Privacy is moving away from being compliance-driven to being a competitive advantage for companies. Consumers are benefiting from these changes by seeing features and services that are privacy-friendly, and companies are being more transparent in their data-handling practices.

When I first started in privacy, just before a product or service launch we would review it for compliance against our privacy policies. Now, companies are moving toward a Privacy-by-Design approach, integrating technologies that support privacy. Working for technology companies, products and services are continuously evolving. I have been very active in the online behavioral marketing and advertising space, which has been a hot topic for regulators and the press in both the U.S. and Europe. With the rapid development and use of online advertising technologies, regulators have been interested in proposing legislation to restrict the use of some technologies.

During the past few years, I have seen the growth and influence of self-regulatory bodies, which has developed some really great collaborative efforts. When I was chairman of the Network Advertising Initiative, we worked very hard to develop a self-regulatory program around online advertising and compliance.

The Privacy Advisor: In the advertising space, as we see the capabilities for collecting granular information keep increasing, what do you think of the proposed approaches?

Gratchner: I think many of these business models are great for the end-user as long as they respect user choice and provide adequate notice. The online advertising space has worked hard to develop best practices around notice and choice. The industry developed the AdChoices icon, which appears on almost every online ad. The icon provides a mechanism for consumers to obtain more information on online advertising and options to opt out of future personalized advertising. In addition, many companies have taken the opportunity to improve their privacy policies to be more transparent on their data collection and handling practices.

Is there room for more consumer notification? I think so, but there has been some good work by many companies.

The Privacy Advisor: What’s the most challenging part of your job as a privacy professional?

Gratchner: Product designers, engineers and marketing professionals usually want to do the right thing around privacy, but they view it as a compliance issue. It’s changing their mindset that the privacy function is more than just a compliance requirement that needs to be checked off their to-do list. Privacy can provide real benefits to a company. There is a real win for business and consumers if we do things right from the beginning: consumer appreciation and competitive advantage, for example.

The Privacy Advisor: Considering privacy implications earlier is helpful, not only from the consumer perspective but also as an organization, anticipating internal needs to ensure proper notification, for example. Any best practices that you would like to share?

Gratchner: The importance of getting senior management involved and getting support for privacy. I found having senior management communicate this message to the employee base is very helpful. If a senior manager could communicate their support of privacy through town hall meetings or email notifications, then it will make the privacy officer’s job that much easier. Also, don’t underestimate the importance of privacy training. Privacy training should be mandatory for any groups that access consumer data or develop features or services that collect personal data. While you don’t need to make everyone a privacy expert with your training, you do want to provide sufficient information about basic privacy concepts, how to identify a privacy issue, where to get help and the importance of privacy to your company.

The Privacy Advisor: What privacy resources do you use to keep up with all of the changing laws and requirements?

Gratchner: Obviously the IAPP has great tools and resources. Also, attending various conferences and events to speak with experts in the privacy field. It is important to build a network, so you can learn best practices and share ideas. There are some really good services and websites that provide insight into emerging privacy laws and summarize those into digestible bites. Being married to a privacy attorney, who I happened to meet at an IAPP conference, is also beneficial. As you can imagine, we have “interesting” dinner conversations around privacy. We are constantly discussing ideas, proposed privacy laws, best practices or sharing our peer network.

The Privacy Advisor: That’s fantastic! So singles can find love at an IAPP conference?

Gratchner: Actually, I know at least three or four couples that have met that way. I was very lucky meeting my wife, regardless of the location. You can imagine our dinner conversations around privacy.

The Privacy Advisor: What do you see for the future of privacy?

Gratchner: While the fundamentals are not going to be changing, technology is evolving at a rapid pace. New data is being gathered in so many new and unique ways. However, the laws continue to lag, so companies are going to be asking their privacy expert for guidance on how this data can be used responsibly. Privacy professionals will still need to ask questions around the notices and choices that are given to end users by their companies. However, it is important that they keep up to date on the latest technologies which are being used by their companies. Also, I am starting to see companies use privacy as a competitive advantage in some of their products and services. End users are starting to be aware of privacy issues in the press, particularly with the frequency of data breaches in the news. My hope is that one day privacy is integrated into the fabric of a company’s culture so privacy is a shared responsibility.

The Privacy Advisor: Big data, a very enticing resource for some, a worry for others?

Gratchner: Big data provides great opportunity for companies to provide better products and services for their customers and end users. However, the data has to be used in a responsible and respectful manner.

The Privacy Advisor: We can’t rely on the right to be forgotten for everything …

Gratchner: Exactly. European government agencies are asking companies to provide mechanisms or processes for their citizens to be deleted from companies’ databases. While a very interesting concept, it is a very difficult task for companies to accomplish, particularly for smaller companies that do not have the resources to accomplish it. It is important to keep educating consumers and regulators on all the work being done in the privacy space to improve the notice and choices given to end users. While there will always be privacy issues, my hope is that by being transparent and building trust, it will help deter impracticable legislation. We need to better market our privacy work to users, legislators and the press and show more than our slipups but also all the great work being done.

The Privacy Advisor: What areas of data privacy have you been focused on?

Gratchner: At Siemens, we have been focusing on numerous data privacy topics but primarily the focus has been ensuring the personal data of employees, personal data of customers and suppliers—not only in our internal and external applications—and data privacy in our products.
