Upload File

do you need a chief privacy officer? - jones day · 18 | the practical lawyer february 2007...

  • Home
  • Documents
  • Do You Need A Chief Privacy Officer? - Jones Day · 18 | The Practical Lawyer February 2007 DEFINING THE CPO ROLE • Before you can determine whether you need a CPO, it is worth-while
4
The Practical Lawyer | 17 Steven C. Bennett If you face privacy issues on a regular basis, then you probably need a CPO. RECENT STATUTORY and regulatory developments in the United States and overseas (especially Europe) have created near-paranoia about privacy in certain corporate circles. Headline-grabbing stories of actions by the Feder- al Trade Commission, state regulators, and consumer ad- vocates have also demonstrated that a company’s custom- er and employee relationships, and perhaps its economic health, may depend in large measure upon whether the company is following “best practices” regarding data pri- vacy and security. Part of the response, for many large corporations, has been the creation of a new position within the corporate structure: that of the Chief Privacy Officer (“CPO”). Ma- jor companies, like American Express, AT&T, IBM, and many others in the Fortune 500, have announced within the past few years the development of a CPO position. There is little question that establishment of a CPO func- tion within a corporation is desirable; but is it necessary in every instance? What of small, or medium-sized busi- nesses, which may not be able to afford to hire a full-time CPO? This article briefly explores whether you really need a CPO. Steven C. Bennett is a partner in the New York offices of Jones Day and teaches a course in Privacy Law at Hunter College. The views expressed are solely those of the author, and should not be attributed to the author’s firm or its clients. Do You Need A Chief Privacy Officer?

Upload: vannga

Post on 27-Apr-2018

217 views

Category:

Documents


3 download

Report

TRANSCRIPT

Page 1: Do You Need A Chief Privacy Officer? - Jones Day · 18 | The Practical Lawyer February 2007 DEFINING THE CPO ROLE • Before you can determine whether you need a CPO, it is worth-while

The Practical Lawyer | 17

Steven C. Bennett

If you face privacy issues on a regular basis, then you probably need a CPO.

RECENT STATUTORY and regulatory developments in the United States and overseas (especially Europe) have created near-paranoia about privacy in certain corporate circles. Headline-grabbing stories of actions by the Feder-al Trade Commission, state regulators, and consumer ad-vocates have also demonstrated that a company’s custom-er and employee relationships, and perhaps its economic health, may depend in large measure upon whether the company is following “best practices” regarding data pri-vacy and security. Part of the response, for many large corporations, has been the creation of a new position within the corporate structure: that of the Chief Privacy Officer (“CPO”). Ma-jor companies, like American Express, AT&T, IBM, and many others in the Fortune 500, have announced within the past few years the development of a CPO position. There is little question that establishment of a CPO func-tion within a corporation is desirable; but is it necessary in every instance? What of small, or medium-sized busi-nesses, which may not be able to afford to hire a full-time CPO? This article briefly explores whether you really need a CPO.

Steven C. Bennett is a partner in the New York offices of Jones Day and teaches a course in Privacy Law at Hunter College. The views expressed are solely those of the author, and should not be attributed to the author’s firm or its clients.

Do You Need A Chief Privacy Officer?

Page 2: Do You Need A Chief Privacy Officer? - Jones Day · 18 | The Practical Lawyer February 2007 DEFINING THE CPO ROLE • Before you can determine whether you need a CPO, it is worth-while

18 | The Practical Lawyer February 2007

DEFINING THE CPO ROLE • Before you can determine whether you need a CPO, it is worth-while to review the role of the CPO in the modern American business. The function can vary greatly between corporations, but in broad terms, the role of the CPO is to help:

• Create and revise policies regarding privacy and security for confidential information;

• Train employees and staff regarding the company’s privacy policies;

• Ensure enforcement of the policies;• Audit and document compliance with the poli-

cies; and • Respond to new legislative and regulatory

directives.

What becomes immediately apparent, on re-view of these elements of the CPO role, is that a CPO must have several different skills. A CPO must have some knowledge of relevant privacy and data security laws (many CPOs are lawyers). A CPO must also have technical knowledge, and the ability to identify how a company manages infor-mation, through the cycle of intake/creation, use and distribution, and storage and disposal. And a CPO must have management skills, as the process of creating, implementing, and revising privacy policies is essentially one long (actually, never-end-ing) corporate project. Even a brief review of the elements of the CPO role confirms that CPOs cannot possibly perform their tasks alone. They must draw on knowledge, skills, and experience scattered throughout the corporation: general counsel, information technol-ogy, human resources, risk control, marketing, and many other departments often must be involved. Creation of viable privacy and security policies, moreover, requires a CPO to listen carefully to the needs expressed by various components of the cor-poration. A privacy policy created by fiat, which is not responsive to the corporation’s actual practices

and business needs, may be bound to fail. And a privacy policy that is not understood, or a policy that is not viewed as beneficial to the corporate mission, may not be effectively implemented.

ALTERNATIVES • In many corporate organiza-tions, CPO tasks require the full-time attention of at least one person. There are alternatives, how-ever. Among them:

• Privacy Committee. A corporation might create a committee, consisting of representatives from the departments that have particular inter-est in privacy and data security matters, and those that should have input into any privacy policies. The challenge for such a committee is to ensure that the many, sometimes dispa-rate, voices within a corporation are heard, and harmonized. Senior leadership within the company ultimately must take charge of final-izing and implementing the recommendations of the committee to avoid the “analysis pa-ralysis” that can sometimes develop in group settings. It may be desirable to appoint a chair of the committee, who will serve, in practical terms, as a part-time CPO;

• Outside consultants. Law firms, accounting firms and (increasingly) data privacy and security consultants have much to offer corporations. Such consultants can suggest model policies, and can conduct helpful training and orienta-tion for corporate managers and employees. Such consultants, moreover, may be engaged to conduct periodic audits of a company’s pri-vacy practices, and report recommendations for improvement (perhaps to the corporation’s privacy committee);

• Professional organizations. In the past few years, several organizations have been created that are dedicated to the study and development of “best practices” with regard to privacy

Page 3: Do You Need A Chief Privacy Officer? - Jones Day · 18 | The Practical Lawyer February 2007 DEFINING THE CPO ROLE • Before you can determine whether you need a CPO, it is worth-while

Chief Privacy Officer | 19

and data security. Among these is Privacy & American Business, which conducts frequent workshops and seminars on privacy issues. The Better Business Bureau (“BBB”), more-over, recently announced development of a national initiative to help small businesses pro-tect customer and employee data. The BBB has developed a “toolkit” to inform smaller businesses about the essentials of good privacy practices, outlining essential steps in a variety of areas.

The approaches listed above are not mutually exclusive. A business might well combine several of these (and other) approaches. For example, at the outset of a privacy initiative, a corporation might gather information from professional orga-nizations, and invite consultants to provide train-ing and insight to aid the formation of a privacy committee. Once the committee is operating ef-fectively, however, the consultants might serve in a more limited capacity, providing updates on new privacy and data security regulations, and offering tips on new technology and practices. The assess-ment of the committee and consultants may, more-over, eventually warrant the hiring of a CPO for the company. The choice of a CPO, at that point, should be much better informed and attuned to the particular needs of the corporation as a result of the groundwork the committee and consultants have already done.

ADVANTAGES • Even if a company cannot employ a full-time CPO, the approaches outlined above offer several advantages:• Establish “best practices” early. Small businesses,

and those expanding into new areas, have unique opportunities to establish privacy and data security best practices from the outset of operations. Integrating such practices into the business early on may be cheaper, and much more effective, than attempting to impose such

practices after technological and managerial structures have become entrenched;

• Plan for change. Businesses expand; new op-erations commence; technology changes. A company with a framework for dealing with privacy issues can more efficiently adapt to growth and change. Indeed, the development of such a framework should help the corpo-ration embrace change, as an opportunity to implement new best practices, when they become available;

• Prepare for crisis. Headline-grabbing stories of investigations, lawsuits, and consumer (and employee) complaints about privacy and data security breaches can adversely affect even the mightiest corporations. So much more are smaller businesses at risk. The establishment of good privacy and data security practices, backed by a commitment of resources, and assignment of responsibility for implementing such practices, may be some of the best insur-ance the company can buy. Such practices and structures may prevent some of the worst crises that have affected American businesses. And, if a crisis hits, a company with defen-sible policies and a clear commitment to best practices can claim the moral and legal high ground, in ways that may defuse or at least minimize the crisis.

CONCLUSION • Data privacy and security laws are complex and ever-changing. And in one form or another, they affect virtually all American busi-nesses. Whether a company should hire a full-time CPO is an inquiry that requires a careful assess-ment of the cost involved and the likely risks and benefits. Establishing a CPO position can be ex-pensive; but there is no question that the liabilities for privacy violations can be staggering, not only in financial terms—but in terms of a company’s reputation.

Page 4: Do You Need A Chief Privacy Officer? - Jones Day · 18 | The Practical Lawyer February 2007 DEFINING THE CPO ROLE • Before you can determine whether you need a CPO, it is worth-while

20 | The Practical Lawyer February 2007

PRACTICE CHECKLIST FOR

Do You Need A Chief Privacy Officer?

Privacy and security matters are becoming ever-more urgent to businesses. Depending on the kinds of information that a business uses, it can be a very good idea to have a Chief Privacy Officer (“CPO”).

• A CPO can:__ Create and revise policies regarding privacy and security for confidential information;__ Train employees and staff regarding the privacy policies;__ Ensure enforcement of the policies;__ Audit and document compliance with the policies; and __ Respond to new legislative and regulatory directives.

• If a company cannot afford to create a CPO position, there are alternatives, including:__ The creation of a privacy committee, with representatives from the departments that have particular interest in privacy and data security matters, and those that should have input into any privacy policies;__ Outside consultants that can suggest model policies, conduct training and orientation, supervise or conduct periodic audits of a company’s privacy practices, and recommend improvements; __ Professional organizations are dedicated to the study and development of “best practices” with regard to privacy and data security, such as Privacy & American Business and The Better Business Bureau.

With many years of experience in handling personal injury cases, author Ronald Beitman is uniquely qualified to give practical guidance on getting and preserving physical evidence. In this new book from ALI-ABA, he explains why formal discovery should be the last resort in discovering physical evidence—not the first.

find out what they didn’t teach you in law school

Getting Your Hands On The Evidence

By Ronald S. Beitman

2005 • hardbound • 240 pp. • future supplements billed separately and may be returned without obligation • Order Code BK38 • $89 plus $6 shipping and handling

To order, please use the form in this brochure or go to our website: www.ali-aba.org/aliaba/BK38.aspCourse registrants get a discount.An appendix, including several adaptable forms, can be downloaded from the ALI-ABA website.

For more information and a FREE SAMPLE CHAPTER, visit the ALI-ABA website at www.ali-aba.org/aliaba/BK38.asp


You don't need a holiday...you need Cape Town!

ANNEXURE-C - · PDF fileANNEXURE-C PART II -DRILLL ... 1 CPO 1795 Sreekumar .s.V 2 CPO 3270 Raji.s 3 CPO 3360 M.Mahesh 4 CPO 4377 Swapna .T 5 CPO 4402 Sheela .C 6 CPO 4453 ... LOI

The Used/CPO Car Insights Report, brought to you · PDF fileThe Used/CPO Car Insights Report, brought to you by the AutoTrader.com Trend Engine, provides analysis of used and certified

Annexure A General HC WrittenTest 2015 Part I Paper I SL ... CPO 4533 PRAVEEN RB 45 CPO 4534 JAGAN MOHAN 46 CPO 4559 RAJESH.S.KUMAR 47 CPO 4561 SUNIL.G 48 CPO 4566 JAYACHANDRAN.L.S

Ekspor Cpo

Cpo Andreea

SO YOU STARTED A CPO?

CPO Test Supervisor Guide - Testrac.com Ltd · 2020-04-30 · Test Supervisor Responsibilities • As a PHTA CPO test supervisor, you assume important responsibilities. The directions

Survival. Think… You need shelter You need food and water You need protection You need to signal for help Problem You have been in a shipwreck. You are

CPO & BIOdiesel

Cpo Presentation

The Data You Need—When You Need It

Pengolahan CPO

CPO Bappebti

When you need to innovate, you need collaboration ......When you need to innovate, you need collaboration... Twinspace and Collaboration in eTwinning projects Maria Melessanaki Ambassador

05 CPO ES€¦  · Web viewv° cpo. 5. v° cpo

files.meetup.comfiles.meetup.com/1550277/alll you need is love0001.pdf · All you need is love. you need. Chorus All you Dsus4 need love. All you need is Outro Am love, love. Repeat

CPO portefolio2

Cpo Narkotika

Manston CPO - Working draft of the CPO indemnity agreement

Proiect CPO

CPO Perspective

Proses Cpo

04 CPO IT€¦ · Web view04 CPO IT

Industri Cpo

The tools you need, wherever you need them · The tools you need, wherever you need them D-18884-2010 DRÄGER SUPPLY UNITS

Do You Need A Chief Privacy Officer? · The Practical Lawyer | 17 Steven C. Bennett If you face privacy issues on a regular basis, then you probably need a CPO. RECENT STATUTORY and

Dont let me go single page...Dont I need you, I need you, I need you, I need you, r me need you, need you, I need you, I I need let Rit. Don't Let Me Go Title Dont let me go single

Power where you need it, when you need it

Maximizing your Trade Show Experience What you need How you need it When you need it

Female CPO

NETRALISASI CPO

CPO UNIVERSITY

CPO Update

cpo family