A business can’t run without money. Businesses of all sizes rely on effective forecasting and expense management by all budget-holders in the organization in order to plan and deliver financial results. Chief financial officers and their finance departments oversee these processes, manage their company’s financial risks and report results to their CEOs and boards of directors. They not only rely on projections from sales leaders, but they also depend on accurate expense management by their organizations’ administrative and marketing teams.
Similarly, today’s businesses can’t run without data, including a lot of data about customers, employees and other stakeholders. By analogy, shouldn’t businesses today rely on effective data use planning and privacy program management by all leaders in the organization in order to plan and deliver effective privacy program performance? While chief privacy officers (CPOs) and their privacy departments can oversee these processes, manage their company’s privacy and data protection risks and report results to their executive management and boards of directors, can they possibly do so accurately and reliably without strong collaboration across all functions within their corporations?
While the IAPP’s Benchmarking Privacy Management and Investments of the Fortune 1000 report shows that Fortune 1000 companies are investing significant resources in privacy management, I believe the results demonstrate a need for organizations to take a more strategic view of the role of privacy within the corporation. The discipline of privacy is multifaceted—involving ethical, legal, sociocultural, policy and technological components, which clearly support the need for strong privacy department collaboration with IT, information security and legal—and, in my view, ethics and compliance, public policy and corporate responsibility. Those partnerships are essential for program design and rapid response to the ongoing changes in technology, law and policy.
I am suggesting that since privacy is by its nature a progressive issue, CPOs may need to widen the aperture through which they view their programs in order to anticipate the emerging privacy risks and opportunities on the road ahead.
However, it’s one thing to design a good program. It’s quite another to implement it effectively and sustainably. Effective and sustainable implementation needs business leaders across the entire corporation to be accountable for the effective implementation of the program and the practice of privacy within the organizations they lead. And, collaboration with these leaders should be critically important to CPOs.
While it might be possible today to manage privacy compliance of a few websites, mobile apps or with a few sector-specific privacy laws in one market without broad collaboration of all business functions, CPOs that oversee privacy for companies that operate in many markets, whether in a single region or across regions, will be significantly challenged in gaining line of site to the corporation’s privacy risks in the absence of such collaboration. The explosive growth of big data analytics and mobile technologies will only exacerbate this challenge for CPOs.
With the proliferation of privacy laws in more than 100 countries and territories over the past decade, it’s not at all surprising that mature privacy programs are prioritizing regulatory and legal compliance. It’s possible, though, that concerns about compliance with such an overwhelming set of existing legal and regulatory requirements may result in a narrowly focused lens on the pressing issues of today. I am suggesting that since privacy is by its nature a progressive issue, CPOs may need to widen the aperture through which they view their programs in order to anticipate the emerging privacy risks and opportunities on the road ahead.
Concurrent with the rapid enactment of new laws over the past decade, authorities representing Asia Pacific Economic Cooperation member economies, including the U.S., as well as member states of the EU, separately have developed multilateral privacy frameworks for cross-border data transfer that promote a comprehensive approach to privacy program management. Organizations that have sought APEC Cross-Border Privacy Rules (CBPR) certification or EU Binding Corporate Rules (BCR) approval know they cannot meet the accountability expectations of those frameworks without the partnership and support of leaders in every corner of their organizations. While some may view the organizational benefits of CPBR certification or BCR approval as solely linked to the transactional burdens they can reduce for organizations seeking to move data across country borders, perhaps the greater benefits lie in their potential to drive broad corporate accountability for effective privacy program management.
Editor's Note:
The opinions expressed in this blog are solely those of the author. Nothing herein is intended to represent the views of Merck & Co., Inc.