At the Core
* Examines the role of the CPO
* Discusses CPOs' duties within an organization
First it was the chief information officer (CIO), then the chief knowledge officer (CKO). Now, it is the chief privacy officer (CPO)--often called the "information officer" in the public sector.
No one seems to have heard of a CPO until Shelley Harms became CPO at Verizon Communications in 1994. Today, however, CPOs are increasingly common in sectors like finance, health care, credit, insurance, consulting, airlines, automotive, telecommunication, and, of course, dot-cams.
Growing sensitivity to privacy aspects of customer and employee information has given rise to the creation of a position to focus corporate attention on right and wrong approaches to the use of personal information. In fact, many firms are realizing that privacy is good business, and they are looking to the CPO to help create effective marketing strategies that do not infringe on customers' right to privacy.
A well-known incident illustrates the need for CPOs. DoubleClick Inc., a New York advertising firm, received complaints about taking Web users' names and quietly matching them to a marketing profile database. Interest in this matter by the Federal Trade Commission (FTC) and the attorney general in several states led to the dot-cam appointing a CPO, Jules Polonetsky.
Those holding CPO positions need significant familiarity with information, ethics, law, and technology. CPOs will need to know the difference between bits of data and significant information, between the "merely" unethical and the likely illegal. They must also create respect within many organizational units (e.g., marketing) where sensitivity to profits may have, in the past, outweighed any concerns about protecting customer information. Clearly, the CPO's power to stop or delay a bottom-line sensitive initiative will win them few friends. Given the pressures they must work under, CPOs will definitely earn their six-figure salaries.
The Role of the CPO
Typically, the CPO has several duties; perhaps the most important is monitoring information systems to ensure the safety of the organization's information, as well as the privacy of the company's customers, employees, vendors, and suppliers.
CPO responsibilities may also include training staff on privacy issues, managing privacy disputes within and external to the company, making sure that policies and procedures are privacy-sensitive, and interacting with governmental agencies. A significant role, of course, is keeping board members aware of the business value of privacy.
While it may be the last thing most people in a company want, a new product or service may be put on hold by the CPO if its privacy flaws are likely to bring a deluge of bad publicity or litigation. In such cases, the CPO must accept responsibility for offering a successful marketing method that also ensures shielding the customer's privacy--no mean feat given that customers demand a high level of personal service and, at the same time, significant restrictions on the use of personal data.
How can service be maximized but privacy risks eliminated? Problems must be identified before they become problems. How is that done? Ray Everett-Church, an early CPO appointee and co-author of Internet Privacy for Dummies, suggests, "Follow the data, follow the data." Following the data may, among other things, mean closely monitoring the use of electronic "cookies" placed on Internet users' computers by Web sites. (Editor's Note: Also see article by Cunningham, page 52).
There are as many as 80 privacy laws currently before the U.S. Congress. Similar legislation has already been enacted in some Commonwealth countries. New statutes are aimed at financial, medical, and children's issues. A key focus in this legislation is the anger of the public--and now legislators--about the misuse of their personal information by companies that sell or trade such information to other companies. …