Privacy Leadership: What it TakesToday's Threats Require a New Breed of Privacy Officer
Yet, he also recognizes that incidents such as these are now shaping the privacy profession, evolving the role from data protection into data governance. This new role also requires a new focus on integrating privacy with information security and legal requirements in how an organization uses data. When he started in the profession 10 years ago, Herath focused on developing high-level policies based on the Gramm-Leach-Bliley Act. Today, he needs to understand his organization's use of personal information by increasingly participating with individual business units in the implementation of a data governance process including data access, storage and use. And he needs to accept that no amount of preparation or policy makes an organization breach-proof.
"A breach can befall you regardless of how good your privacy policies and data governance are," Herath says. "So, I focus on playing an instrumental role in handling and preparing for such incidents effectively."
'When Things Go Wrong'"Just securing the data is no longer enough," says Trevor Hughes, head of the International Association of Privacy Professionals. "Privacy professionals, in addition, need to prepare for what happens when things go wrong."
In his role, Hughes increasingly sees organizations using privacy professionals to interact with consumers, regulators, congressmen and attorneys to ensure that their post-breach response plans are effective.
Additionally, he finds that emerging technologies such as mobile devices and social media are clearly exceeding the current system of laws, regulations and systems, thereby creating instability in how privacy is addressed within organizations.
"Extreme deployment of technology has made privacy controls no longer particular to either the location of information or group of individuals," says Frank Smith, chief information officer and senior VP at Booz Allen Hamilton. "It comes down to making the concept of privacy clearly understood and adopted by a population for whom privacy is not necessarily a primary function, but they need to think about it."
Today's ChallengesManaging privacy has clearly transitioned from information held within the organization to information held by individuals.
"Privacy's focus is increasingly on transparency now," Herath says. "This is fundamentally creating new challenges for professionals in their approach toward privacy and data protection."
For instance, the new generation of workers blurs the lines of personal and professional communication in their use of social media, and the type of information that is collected by these sites is often not in the control of an organization. Moreover, it can be used to cause reputational or fraudulent damages.
"We are dealing with a generation of people that value information sharing much higher than having relationships with their own families," Smith says. The chief privacy officer therefore struggles with "the ability to get the concept of privacy in a culture that holds different views on what information can and cannot be shared about self and others."
Historically, enforcement of privacy legislation was inconsistent or nonexistent, officers say. Today, governments worldwide are getting on board with breach notification requirements and additional privacy regulations that directly address protecting personal information and enforcement of tougher penalties against organizations for failing to secure this information.
Recently, Mexico - a significant outsourcing destination - joined 50 other countries in adopting a broad privacy regulation: The new Federal Law on the Protection of Personal Data Held by Private Parties focuses on the private sector and will likely impact many large U.S.-based companies operating in Mexico, as the law impacts collecting, processing, using and disclosing personally identifiable information both within and outside Mexico.
"It is incredibly difficult to navigate a safe path through all this," Hughes says. "This is really a job for someone who can assess hundreds of different variables and distill them into the best and safest possible way for an organization to move forward."
The turbulent and complex global regulatory environment is further pushing privacy professionals to specialize in law in order to cope with all these changes more effectively.
The Value of LawAs legal issues drive privacy and data security, an increasing number of privacy officers are embracing legal degrees and becoming attorneys.
"A decade ago, there were a handful of privacy officers who were lawyers - the majority were policy makers," says Lisa Sotto, a privacy attorney and managing partner of Hunton & Williams New York office. "Today I see a reversal in their roles."
Sotto points out that in the past privacy officers were hired to meet ethical obligations of an organization, as legal requirements were not stringent. Today, however, privacy officers need to understand legal considerations and operate within a complex global regime.
For Paulo Zeni, senior corporate privacy counsel and an attorney at Symantec Corporation, having a law degree gives her an edge in this profession by helping her understand the compliance requirements - especially those that apply to different jurisdictions globally. For instance, there are different policies globally for encrypting data and systems, and in such cases it's the lawyer's background that helps frame more effective strategies around privacy.
"A legal degree for privacy officers is key in creation of trust with vendors, customers and senior management," Zeni says. "It provides them comfort in dealing with contractual and legal elements and is immensely useful in partnering with legal advisers that address the jurisdiction around the world."
Herath, also an attorney, finds that a privacy officer's response in the event of a breach or incident is far better handled when the leader has legal expertise.
"What is or isn't a breach is very technical under law, "Herath says. "A lawyer's background is helpful for handling both the public relations and the political side in the event of such incidents."
New SkillsBeyond a legal background, aspiring privacy officers must develop new skills to effectively hold growing career opportunities in privacy related functions, including legal, audit, compliance, information security, fraud prevention and disaster recovery. Among the new skills:
- Interpersonal - The concept of privacy by design is being implemented by certain government and private organizations, where privacy professionals are called upon by different business units to embed privacy into new technologies and business practices from the beginning as part of the system or product development life cycle. Privacy officers here need to be more conversant in translating their privacy requirements into business terms, Zeni says. "Ability to support the product development teams across different business units is an added layer of responsibility to the CPO role requiring strong communication skills."
- Contractual - Privacy professionals need to increasingly focus on contractual elements and negotiation skills with third-party engagements, especially as organizations decide to move data to cloud services. "We ensure we sign vendors who have an understanding of the security and privacy implications of the exchange of information they are participating in," Smith says. Privacy officers need to develop policies and contractual terms that address the risks associated with sensitive data and regulatory requirements, including where the data can or cannot be transferred, what data retention policy is followed and where the data will be stored.
- Analytical - One needs analytical skills to monitor individuals who are authorized to access and use sensitive information, as they are increasingly found at the center of high-profile incidents. Besides, investing in data loss prevention tools, professionals need to learn the effective monitoring and analysis of personal information residing in databases, repositories and an organization's network to prevent effective losses.
"Our challenges change about 360 days a year," Smith says. "So privacy management is essentially demonstrating due diligence to ensure you can create that trust to protect the data."