
When privacy is job No. 1

Written by Lee Schlesinger, Contributor
COMMENTARY--If you've spent more than a week as an IT professional, you're aware that security is a big part of everyone's job.

From network administrators, who need to lock down computing resources both figuratively and literally, to end users, who should practice safe computing with antivirus software and keep passwords in their heads, everyone has a responsibility to protect a corporation's interests.

Good security is tough to keep in place, but it's simplicity itself compared with the morass of privacy concerns for organizations. Privacy is more than physically securing data--it encompasses design decisions, public policy, and even legal compliance. Few network professionals want to add those concerns to the overwhelming challenges they already face.

For that reason, some companies are creating a new job title: chief privacy officer. The CPO's job is anything but petty; he or she sits at the confluence of numerous business processes and ideally becomes the funnel (not the bottleneck) for all of a company's privacy concerns.

American Express, AT&T, DoubleClick, Excite@Home, General Motors, IBM, Mutual of Omaha Insurance Co., and Verizon are among the organizations that have appointed CPOs in recent months. Dr. Alan Westin, publisher of Privacy & American Business, estimates there are now 200 to 300 CPOs in the United States, including many in the financial and health-care sectors.

Privacy, while always a concern, is becoming even more timely as Microsoft prepares to release Internet Explorer 6. IE 6 contains features that let you prevent your users' browsers from accessing sites without a satisfactory privacy policy, as defined by the World Wide Web Consortium's Platform for Privacy Preferences (P3P) project. That feature is optional, but if you're responsible for your corporate Web site, it behooves you to put it in compliance with P3P to satisfy organizations that care.

Security is part of the CPO's job, and ideally privacy should be a security administrator's concern, but administrators often focus on technical issues to the exclusion of policy issues. That's one of the benefits of having a CPO--it makes privacy someone's explicit job duty. And that's the bottom line: It doesn't matter whether you create a new position called chief privacy officer. What matters is that you have systems in place in your organization for planning privacy into your business and reacting to privacy concerns or breaches.

What's the best background for a CPO? Either an IT professional with strong privacy interests or a technology-savvy legal or public policy wonk. That's public policy, not public relations! Either way, the person who fills the role will have to learn part of the job by doing it. Temperamentally, a CPO has to be a consensus-builder, able to work smoothly with multiple constituencies. No privacy decision is black and white, so CPOs must be prepared to weigh priorities and compromise when necessary.

If you're going to go through the exercise of appointing a CPO, make sure you don't create just a shell of a job. To be effective, a CPO must have authority and management backing to be able to intervene across departments when privacy issues arise.

CPOs should have their allegiances in the right place. Their first loyalty should be to your company's customers and business partners. They need to ensure you have processes in place to prevent data from getting into the hands of anyone who's not supposed to see it. After that, they can keep your company on the right side of the law, improve security, and help grow the business.

Appointing a CPO adds another layer of bureaucracy to your organization, along with its inherent expense. Can you afford one? Well, if a CPO saves you from an embarrassing admission or even a lawsuit, a better question is, can you not afford one?

Does your company have a CPO? If not, who oversees privacy policies? Talk Back below.

Lee Schlesinger is executive editor of ZDNet's Business & Technology Channel.
