By Roy E. Hadley, Jr.
Attorney with Adams and Reese
The news is full of breaches of trust with respect to how companies are mishandling consumer data.
Whether it’s Facebook, Equifax or Yahoo, many examples of a breach or misuse of consumers’ private information have underscored the need for companies to be more careful and thoughtful in the handling of personal data.
Central to this effort is the chief privacy officer (CPO).
As a corporate role, CPOs have been around for some time. In a former life as a CPO, I had many responsibilities, however, not nearly as many as CPOs have now. The exponential increase in the amount of data that companies collect and use has elevated the responsibilities of and the necessity for a CPO.
Compliance
While there are many responsibilities for the CPO, perhaps central to the role is the oversight of the compliance function with respect to consumer information.
First and foremost, the CPO is responsible for and should oversee the adoption and implementation of the company’s privacy policy. This policy details how information is collected, shared and used across the organization. The CPO is responsible for safeguarding consumer data as this information is not only a valuable corporate asset but also entrusted to the company by the consumer.
Additionally, the CPO is responsible for any privacy assessments and audits. CPOs should conduct an initial assessment of the company’s privacy practices and all consumer data the company collects. This assessment should also detail who has access to which information and what they are doing with it as well as how and where the information is stored.
Where information resides can be very important as different countries have widely varying requirements for storing and handling their citizens’ data.
Once an assessment is done, periodic audits of the privacy policy and the company’s use of information should be performed. It is a best practice that a privacy audit be conducted at least once a year due to rapid changes in what information a company collects and how it is used. This audit function should be seen as an ongoing responsibility of the CPO and not just a one-time occurrence.
While the compliance risks associated with the misuse of information are high, as we have seen from many companies lately, the reputational risk can be even more damaging.
Training
CPOs should also oversee training for employees throughout the organization on the handling of consumer data. Employees should understand and be trained on the company’s data privacy policies and standard operating procedures. All levels of the enterprise need this training as decisions about the use of information are often made at the highest levels.
The CPO should also ensure that the company’s corporate partners are well-versed in its information handling and privacy policies.
Security
As companies collect more information on consumers, data security has become increasingly vital to the role of the CPO.
While there are other corporate roles that also oversee data security, such as the chief information officer (CIO) and the chief information security officer (CISO), it is incumbent upon the CPO to specifically ensure consumer data security with the appropriate policies and procedures, and that security protocols for data storage and handling are being followed.
Compliance with Laws and Regulations
Increasingly, CPOs are also tasked with ensuring that companies use the information they collect in a legally permissible manner. CPOs must understand current federal, state and international laws and regulations with respect to the collection and use of data.
We are increasingly seeing the adoption of laws governing how companies can use consumers’ private information. Whether it is GDPR in the EU or individual states’ privacy laws here in the United States, CPOs must be well-versed on these laws and their compliance obligations. As such, the chief privacy officer is often the company’s designated contact for compliance with respect to these laws and regulations.
The chief privacy officer must also understand how the company’s business models dictate the collection and use of consumer information since crucial business decisions are often made based on how this information is used. As such, the CPO must act as a gatekeeper to ensure the proper use and handling of consumer data with respect to business decisions, such as new product development and growth strategy.
CPOs must also understand and guide the company with respect to other compliance laws and regulations, such as Sarbanes-Oxley and HIPAA. Both have very specialized compliance obligations and, depending upon the business, can be very cumbersome with respect to privacy and security.
I note that HIPAA by itself contains very intensive privacy obligations that must be understood and followed by all enterprises that collect or use health information, whether for employees or consumers.
Conclusion
The role of the CPO has expanded greatly in recent years and will continue to expand as companies collect more data and personal information on their customers. The use of consumer information has become and will continue to be central to a corporation’s success.
However, as we have seen, the misuse of this information can land a company in legal and regulatory trouble, as well as damaging a company’s brand due to diminished consumer trust. It can also lead to loss of market share, as well as a diminished market valuation.
As such, for most companies, the CPO is no longer a luxury, but a necessity.
Indeed the current digital revolution sweeping across the globe requires that almost every employee have a certain amount of digital skill at least the basic ones , such as digital messaging , financial transactions such as fund deposit, withdrawal, etc. , To enhance smoother transactions between the employer and employees at any level of professionalism or within every organization . It is therefore very important for every company to make some amount of investment in digital tools such as apps web pages etc. and even going further to integrate all aspects of our lives digitally to ensure privacy, efficiency and optimum performance.
I would also suggest that a CPO not view her/himself and act as a “gatekeeper”, but instead as a “trusted advisor” to the business. This does not mean that sometimes no may be the necessary answer, but how the work is approached with business managers will make a significant difference in how effective the CPO will be.
Comments are closed.