As the new chief privacy officer (CPO) at TeleSign, a mobile identity company, my primary objectives are to develop and implement a comprehensive internal privacy program, ensure our compliance with privacy and data protection law and, through these efforts, make privacy a key strategic pillar of our business.
I joined TeleSign in September 2014 after nine years at Microsoft: the first two years in technical roles and the following seven years in Microsoft’s Legal and Corporate Affairs group, supporting privacy and data protection issues with a strong focus on Microsoft’s cloud computing services. Leaving Microsoft was a big decision, and heading to a 250-person company came with its own perils.
In this quarterly series, I’ll share with you some of the strategic and tactical decisions along the way as a first-time CPO, as well as some observations on the differences and similarities between privacy programs and roles at a large multinational versus a small tech start-up. I’m hopeful that my experience can benefit other privacy professionals who find themselves in the early phases of developing a privacy program.
First Things First
The first substantive actions of any CPO will likely be to identify and triage any clear gaps in compliance. Luckily for me, the only immediate issue I needed to address at TeleSign was a simple fix and a quick win: registering with the UK Information Commissioner’s Office (ICO). We have a growing office in the UK and, until my arrival, registration was a requirement that had gone unnoticed. It only took a brief review of TeleSign’s data assets and services to have enough information to register, and I knew that I could always amend our registration if I discovered something else down the road. After walking through the short and straightforward questionnaire on the ICO’s website and paying a small fee, I had my first privacy-compliance win.
Assessment and Prioritization
With all obvious compliance issues out of the way, you’re ready to begin what will inevitably be your greatest challenge in starting a privacy program: prioritization. While there are many possible places to start, I chose first to get a baseline understanding of data assets, data flows and contractual commitments.
Where there is no formal privacy process in place, the most straightforward way to develop a baseline assessment is to start speaking to people within the organization. For the first couple of weeks on the job, I spent a lot of time in both one-on-one and group meetings having people walk me through our services and the data flows behind them. That gave me enough information to start asking specific questions about the particular data collected, how the data is used and how it is protected. It was also important for me to understand what contractual commitments had been made to customers with respect to how we process their data. An added benefit to having these discussions with staff was developing a sense for the level of privacy awareness throughout the organization.
From my initial inquiries I learned that the vast majority of the personal information processed by TeleSign is mobile telephone numbers and some metadata about how we’ve interacted with those numbers in providing two-factor authentication services. We also offer some fraud-prevention risk-scoring services for phone numbers, which are similar from a data protection standpoint to services that look to score IP addresses in an effort to identify suspicious activities. We act as both a data controller and processor in different circumstances, and with processing operations in the U.S. and Europe, TeleSign relies primarily upon Safe Harbor for cross-border transfers.
Once I began to understand the baseline of our data assets, contractual commitments, internal processes and overall level of privacy sophistication, it was time to take some initial actions. I wrote out a number of things that I wanted to tackle in no particular order, then ranked them, factoring in the time and cost of the action(s) to be taken and the risk of waiting.
Developing an Internal Privacy Policy
After the base assessment, my first large undertaking was to develop a comprehensive internal privacy policy. This wouldn’t be our customer-facing privacy policy but rather an internal policy for employees documenting the foundational principles for TeleSign’s handling personal information, whether that was employee data, sales and marketing data or data processed on behalf of our customers.
At Microsoft, I had participated in the regular review and updating of its internal privacy policies and standards, but the main substance of those policies had been developed long before my arrival. I didn’t want to start from a blank page, so I reached out to an experienced privacy lawyer and asked her to send me over a template from which I could begin. The basic structure of the template began with the Safe Harbor principles. For TeleSign, a Safe Harbor registrant, it seemed like a logical starting point.
In developing the policy, I strove to avoid legalese and “corporate aspirational speak” and instead focused on explaining the privacy principles and the broad operational commitments that give life to those principles. The policy comprises only seven substantive pages and, over time, it will be supplemented with additional guidelines that are more focused on the specific requirements for staff in different business units, e.g., how to handle contact preferences for the sales and marketing teams, how to integrate Privacy by Design into our engineering processes, etc.
For reference, here’s the table of contents for the policy:
- Introduction (explaining the purpose of the document)
- Principles
- Definitions (defining Personal Information, Sensitive Personal Information, End Users, Privacy versus Data Protection)
- Accountability (establishing who is responsible for compliance, penalties for non-compliance, regular review of internal systems)
- Notice and Transparency (documenting the information that we must make clear to end users and to our business customers regarding the personal information we collect and process)
- Choice and Consent (the circumstances under which we need explicit end user consent for data processing and the choices we must give to end users about our processing of their personal information)
- Collection (restricting collection of personal information to only that which is necessary and further restricting the collection of sensitive personal information)
- Use and Retention (using personal information only for the purposes identified to end users/customers, retaining personal information only so long as there is a legitimate purpose and deleting it once it no longer needs to be retained)
- Disclosure and Onward Transfer (transferring personal information to third parties under specific and limited circumstances and only with specified protections in place)
- Quality and Integrity (taking steps to ensure that personal information we have is up-to-date)
- Access (ensuring that data subjects are provided with a means to raise access requests)
- Security (implementing appropriate security controls to protect personal information in our possession)
- Privacy by Design (implementing the Privacy-by-Design principles into our software development lifecycle, the substance taken directly from the Information & Privacy Commissioner of Ontario, Canada at http://www.privacybydesign.ca/index.php/about-pbd/7-foundational-principles/)
- Monitoring, Training, and Enforcement (how we will ensure that the policy is followed internally)
- Policy review and exceptions process (frequency of reviewing and updating the policy and how employees can seek exceptions, as appropriate)
Distributing the New Policy
For an internal policy to be useful, you must distribute it and get people to read and understand it. But before you send it out broadly, you should socialize it among your leadership team to ensure you have their buy-in. After working with our security manager to ensure that privacy policy meshed well with the comprehensive security and information classification policy that he was finalizing, I sent it out to the rest of the executive team to ensure that the leaders of each business unit understood what we were committing to do. A good number of people responded with comments and questions that led to further tweaks to the final draft.
Beyond merely disseminating a new policy, it’s also important to explain its purpose and importance to ensure that it attracts the attention of all employees. In addition, employees must be given some lead time to read and digest a new policy before holding them accountable for complying with it. When I sent out our new policy, our CEO provided some helpful remarks to all employees about the importance of privacy for TeleSign. I sent it in the beginning of December, with an effective date of January 1, 2015, to give people some time to read it and ask questions. The response thus far has been great and has shown that people are reading it and giving some thought to what it will mean in practice.
We’ve Only Just Begun
With a comprehensive internal privacy policy developed, distributed and in effect, we are off to a great start. But there is heavy lifting still to come. Training of all employees to ensure that they understand the policy will be critical, as will be the development of specific privacy guidelines for each business unit to help incorporate privacy compliance into their respective operations.
The difference between merely having a policy on paper and having a policy that is acted upon in the ordinary course of business is substantial, and it is dependent upon the development of a culture of privacy awareness. Culture goes beyond training and requires individual empowerment and ownership over privacy issues. In my next column I’ll write about how we’re creating this culture at TeleSign. If you’d like a sneak peak, please attend the session titled "Privacy for Start-Ups" with me, Susan Lyon-Hintze, CIPP/US, and Barbara Izzo at IAPP’s Global Privacy Summit 2015.
3 Comments
If you want to comment on this post, you need to login.