By Roy E. Hadley, Jr.
Attorney with Adams and Reese
The news is full of breaches of trust with respect to how companies are mishandling consumer data.
Whether it’s Facebook, Equifax or Yahoo, many examples of a breach or misuse of consumers’ private information have underscored the need for companies to be more careful and thoughtful in the handling of personal data.
Central to this effort is the chief privacy officer (CPO).
As a corporate role, CPOs have been around for some time. In a former life as a CPO, I had many responsibilities, though not nearly as many as CPOs have now. The exponential increase in the amount of data that companies collect and use has elevated the responsibilities of, and the necessity for, a CPO.
While there are many responsibilities for the CPO, perhaps central to the role is the oversight of the compliance function with respect to consumer information.
Additionally, the CPO is responsible for any privacy assessments and audits. CPOs should conduct an initial assessment of the company’s privacy practices and all consumer data the company collects. This assessment should also detail who has access to which information and what they are doing with it as well as how and where the information is stored.
Where information resides can be very important as different countries have widely varying requirements for storing and handling their citizens’ data.
While the compliance risks associated with the misuse of information are high, as we have seen from many companies lately, the reputational risk can be even more damaging.
CPOs should also oversee training for employees throughout the organization on the handling of consumer data. Employees should understand and be trained on the company’s data privacy policies and standard operating procedures. All levels of the enterprise need this training as decisions about the use of information are often made at the highest levels.
The CPO should also ensure that the company’s corporate partners are well-versed in its information handling and privacy policies.
As companies collect more information on consumers, data security has become increasingly vital to the role of the CPO.
While there are other corporate roles that also oversee data security, such as the chief information officer (CIO) and the chief information security officer (CISO), it is incumbent upon the CPO to specifically ensure that consumer data is secured through appropriate policies and procedures, and that security protocols for data storage and handling are being followed.
Compliance with Laws and Regulations
Increasingly, CPOs are also tasked with ensuring that companies use the information they collect in a legally permissible manner. CPOs must understand current federal, state and international laws and regulations with respect to the collection and use of data.
We are increasingly seeing the adoption of laws governing how companies can use consumers’ private information. Whether it is GDPR in the EU or individual states’ privacy laws here in the United States, CPOs must be well-versed in these laws and their compliance obligations. As such, the chief privacy officer is often the company’s designated contact for compliance with respect to these laws and regulations.
The chief privacy officer must also understand how the company’s business models dictate the collection and use of consumer information since crucial business decisions are often made based on how this information is used. As such, the CPO must act as a gatekeeper to ensure the proper use and handling of consumer data with respect to business decisions, such as new product development and growth strategy.
CPOs must also understand and guide the company with respect to other compliance laws and regulations, such as Sarbanes-Oxley and HIPAA. Both have very specialized compliance obligations and, depending upon the business, can be very cumbersome with respect to privacy and security.
I note that HIPAA by itself contains very intensive privacy obligations that must be understood and followed by all enterprises that collect or use health information, whether for employees or consumers.
The role of the CPO has expanded greatly in recent years and will continue to expand as companies collect more data and personal information on their customers. The use of consumer information has become and will continue to be central to a corporation’s success.
However, as we have seen, the misuse of this information can land a company in legal and regulatory trouble, as well as damage a company’s brand through diminished consumer trust. It can also lead to loss of market share and a diminished market valuation.
As such, for most companies, the CPO is no longer a luxury, but a necessity.
Roy E. Hadley, Jr. is an attorney with Adams and Reese (Atlanta) who serves as independent counsel to companies, governments, and boards on cyber matters, helping them understand and mitigate legal risks and exposures to protect themselves and those they serve. He has previously served in the corporate roles of general counsel and chief privacy officer, as well as special counsel to the president of the American Bar Association and special assistant attorney general for the state of Georgia. He may be reached at Roy.Hadley@arlaw.com