The following questions probably sound familiar to you: Why should an organization have a privacy program? What is the business value that a privacy program provides? Doesn’t the security department already handle this?
If you haven’t heard these or something like them yet, you likely will as you continue your career as a privacy professional. Frequently, we as privacy professionals talk about being a trusted advisor to our business partners. The CPO's perspective is key to convincing leadership that privacy can make a significant contribution to business goals, whether those goals are operational or concern compliance oversight, cost reduction, business continuity, enhancing the sales process or reputational protection. However, to succeed in illustrating the true value of a strong privacy program, we as privacy professionals need to understand the business goals and challenges faced by our organizations as a whole and by our business partners individually.
Responding to management with a return-on-investment calculation can be a long and difficult discussion. Often, the underlying assumptions for the calculations are not easily agreed upon, leaving everyone involved frustrated and dissatisfied. Discussions centered on regulatory compliance often leave a significant amount of the benefits of a privacy program undiscussed. And focusing on avoiding the misuse of personal information is also limiting.
To help you answer some of the above questions should management ask you to, I reached out to a number of chief privacy officers (CPOs) for insights, and a few themes surfaced.
Unifying business goals and compliance
A frequent refrain from privacy pros is that they need to be “multi-lingual,” understanding the needs of each and every department within the organization. In this way, privacy can be a unifying force.
Kelly Noll, senior vice president, chief ethics and compliance officer and chief privacy officer at Allstate, explains it this way: “Whereas it is important to work with strategic partners in infosecurity and legal to address the need to secure the PII and ensure its use is legally compliant, the CPO adds value by understanding how PII fits into the company’s values and supports its long-term vision and goals. When faced with a decision, a CPO understands the impact on the company’s reputation and business processes. Simply put, a CPO and his/her office should be able to bring a business perspective to the growing need to protect privacy in today’s changing business climate.”
Business continuity
Jeanette Fitzgerald, Epsilon Data Management’s executive vice president, general counsel and CPO explains, “There are also costs, both direct and indirect, involved when a privacy program is not valued or followed by a company or its employees. At the highest level, violations of a privacy program put a company's reputation at risk, which can have a negative effect on consumer trust, brand loyalty and, if the company is publicly held, with financial analysts and the market. Violations can also incur FTC actions, which require costly audits and consent decrees that can run for 20 years. And across a company, these issues can lead to business disruptions and lost productivity, which have an impact on the business and its clients.”
Alexis Goltra, Oracle’s chief privacy officer and assistant general counsel, takes this a step further. Goltra sees the privacy program at Oracle as “a critical component of both our internal operations and the sales of our products and services, which is something that boards are increasingly appreciating and investing in as a result.”
Because Oracle is a product company, having the privacy program involved in the development process is vital, Goltra said. Business disruptions due to a privacy event are seen as also having a direct impact on Oracle’s customers’ businesses. The privacy program is “responsible for ensuring that our products and services, when used by our customers, enable our customers to remain in compliance with their legal obligations. If we can’t do that, then our customers won’t use our products and services and it will have a detrimental impact on our sales.”
Driving growth
For some organizations, privacy is a core component of the business. TeleSign, for example, provides mobile identity solutions to help its clients prevent registration fraud and secure end-user accounts. Its board and CEO recognized the value of privacy early on, appointing Stephen Bolinger, CIPM, CIPP/E, CIPP/G, CIPP/US, as its CPO.
The privacy program at TeleSign has enabled it to grow its business. As Bolinger explains, “Incorporating privacy compliance into our day-to-day business helps us gain and keep our customers’ trust by making sure that the way in which we collect, use and protect their data is consistent with their expectations and with privacy laws throughout the world. It also helps us to reinforce our reputation for trustworthiness, which is a key differentiator for us in our space and continues to attract new customers to TeleSign.”
Dan Burks, CIPP/US, CPO at US Bank, has a similar view. He noted that he often will “remind my peer executives and our board that while our ‘privacy risk’ is moderate and stable enterprise-wide due to our conservative privacy culture (like most banks) and the robust controls currently in place (like most banks), we need to remain vigilant to ensure we do not deviate from our current operating model as we continue to grow as an organization and we need to continue to augment our conservative culture and control the environment by monitoring business changes and external factors and initiatives to stay a step ahead.”
Business differentiator
Allen Brandt, CIPM, CIPP/E, CIPP/US, CPO at Amplify Education, a company whose products and services help educators improve the way they integrate technology and use data in the classroom, also sees privacy as a way to set his organization apart from its competitors. As Brandt explains, “Having a program in place that can answer customer concerns up front, being able to show that employees with access to the customers’ data are being regularly trained, speeds up the sales cycle, as it answers, up front, some of the concerns.”
Overall business value
Scott Shipman, CIPP/US, general counsel & CPO at Sensity Systems, perhaps summarizes it best. He views business value, at its highest level, as a combination of both revenue generation and cost reduction. “The revenue generation components of a privacy program are brand and reputational superiority, privacy by design products and services, privacy advisory services for customers [and] regulatory best practices,” he said, all of which lead to business development opportunities, while “the cost reduction components of a privacy program are risk mitigation, brand and reputational integrity, disaster recovery, incident response management, security breach preparedness, regulatory compliance and mitigation.”
Leverage personal experience
Shauna Van Dongen, CIPP/US, CPO at Providence Health & Services, says, “One of the benefits of working in healthcare privacy is that every single one of our executives and board members is a patient somewhere. They can relate to what it would be like to have their private information exposed. Telling privacy stories, positive and negative, about what is happening both within Providence and around the country has proven to be an effective way of helping leadership and employees understand the importance of protecting confidential information.”
Almost everyone has had some amount of personal information exposed. You can leverage this shared experience to personalize the value that a privacy program provides.
Van Dongen also acknowledges the rich history of her organization, and that a strong privacy program upholds her company’s “core values of respect, compassion, justice, excellence and stewardship.” She said it’s “our mission to be good data stewards of the information entrusted to us by our patients, partners and employees.”
Or, as one of my clients, a director of the office of privacy at a financial services firm, put it: “No privacy, no trust; no trust, no business.”