Rise and Fall of the Privacy Officer

Over the course of the last decade, privacy has become an increasingly integral part of the design and deployment of many consumer-facing services.

This is because the risks of a privacy breach have never been higher. The cost to corporate and brand-name goodwill from a privacy breach can be devastating, even if you are not in an industry where privacy issues are highly regulated.

Some companies have occasionally struggled to meet the challenges posed by consumers who, on one hand, demand highly personalized services and, on the other hand, take great offense at practices that could be perceived as intrusive. In response, businesses have worked to integrate privacy considerations into their business processes.

Part of that phenomenon is the creation of the privacy officer position.

When I was appointed to be a corporate Chief Privacy Officer (CPO) in 1999, my research indicated that my role was a first of its kind: a senior executive position tasked with minding the store on all things privacy related. Ever since then, I have evangelized the importance of that position as a critical component of protecting a company's reputation, managing risk, and serving as an outward sign to consumers that privacy is a serious matter.

A few years later, Forrester Research looked more carefully at the Privacy Officer phenomenon and joined the chorus calling for more of them.

Forrester issued a report in 2001 declaring that the privacy officer was the key to effective management of liability from privacy issues. They called on companies to appoint a chief privacy officer with a broad view of the entire company's activities and the authority to stop practices that could compromise the firm's privacy position.

The logic was simple: Companies need an executive who is empowered to assemble an accurate and comprehensive picture of their existing information practices, encompassing a top-to-bottom assessment that reaches across divisions and business partnerships.

Only once a company has charted its current information flows and areas of exposure can it develop a company-wide privacy policy and plan an implementation process to maintain and enforce that policy.

In my own privacy officer evangelism, I frequently draw upon the analogy of the chief security officer (CSO) as a model for the trajectory of the CPO role.

For example, in the early days of information technology, the first security officers were simply cranky members of the fledgling IT group who were occasionally dismissed as being unduly paranoid or perhaps even obstructionist. But as technology became more and more of an integral part of the corporate existence, that lone voice in the basement computer room turned into an IT guy (or gal) tasked with formal responsibility for security issues. This role soon grew, along with the IT infrastructure, into progressively senior levels until it reached what we think of today as the modern CSO.

When I discuss the parallels between the CSO and CPO roles with my colleague Vincent Schiavone, founder of ePrivacy Group and a long-time fixture in the computer security field, he agrees that the evolution of those two positions does have some things in common. But he adds, "Of course, if consumer privacy had been part of the CSO's portfolio from the outset, and the consumer had been treated as one of the customers of the security infrastructure, the role of the privacy professional might be a lot smaller."

In that instant, I knew the future of the CPO was in doubt.

I've noticed that many of the new tools and technologies for enhancing security can tremendously improve the lives of consumers. This suggests to me that, in some respects, the CPO may be on a different trajectory -- one that may have led to the executive suite very quickly, but threatens to flame out almost as quickly.

Indeed, my fear is that today's cutting-edge privacy professionals may well go the way of jobs like wagon wheelwrights and street-lamp lighters.

There are many new applications for tracking customer permission, for controlling data access across far-flung organizations, and new services for tracing and auditing data practices and data usage. These technologies are filling many of the privacy gaps that have been discovered in a hodge-podge of new gizmos and widgets that companies have cobbled together to build their consumer-facing services.

Watching those tools being widely deployed, I have wondered to myself exactly how the CPO was supposed to manage them.

For example, as holes get filled in the infrastructure, is a CPO really needed for oversight of those particular holes? Put another way, if these new applications serve as a type of a patch to known vulnerabilities, isn't that job something already being done by the CSO and his or her team?

I believe it is.

I'm not ready to give up on the CPO just yet. For example, there remain many privacy-related considerations that must necessarily fall outside the scope of a CSO: current advertising and marketing practices, changing consumer attitudes, and changing considerations from lawmakers that raise questions about the ethics of certain practices. All of these are vital considerations that fall outside the typical considerations of CSOs but are today's CPO's stock in trade.

Yet as many privacy concerns are addressed at more fundamental and systemic levels, and as privacy management becomes built into the corporate infrastructure, I believe the CPO will have to further evolve to avoid passing into obscurity like our forefathers who once lit the gas lamps on street corners.

Ray Everett-Church is a principal with ePrivacy Group, a privacy and anti-spam consultancy. He is a founder of CAUCE, an anti-spam advocacy group, and he is co-author of "Internet Privacy for Dummies."