4. Why did your organization appoint a chief privacy officer, when did this occur, and is this a full-time position?
TD Ameritrade has had a full-time chief privacy officer since 2009. Before that, my position was privacy counsel. Over time, we recognized that the role was taking on more and more nonlegal aspects, and my title was updated to reflect that.
5. What factors do you think are key to a privacy officer’s effectiveness? Consider not only education and skill set, but also budget, headcount, level within organization, etc.
A privacy officer has to be resourceful and tenacious. While a legal background and familiarity with security and data management technologies are all useful, in many cases the biggest way we can help an organization is anticipating how clients will react to new plans, whether those are new products or new ways to communicate.
Performing that function means looking beyond the mere laws and regulations to consider actual client feedback about privacy expectations and how those expectations arise out of the existing products and services the company provides. This means reaching out to the various parts of the company to gather that understanding.
6. Who is your biggest ally in your organization and why?
I think there are two big allies, and they are very different.
The first ally is the technology group, particularly the information security organization. That group’s personnel are key to identifying potential issues not only in safeguarding information, but also in identifying new proposed uses of information. They serve as a real resource multiplier for a privacy office that can’t be in all places at all times.
The second, and growing, ally is marketing. As time goes by, there is an increasing recognition that privacy is not merely a compliance issue, but a brand differentiator tied to trust.
7. How do you make the case internally for resources and explain the value of what you do (ROI)?
For any financial services company (and maybe any company, period), trust is fundamental to the relationships we form with our customers. And a foundational component of that trust is respect for our clients’ personal information. Once the connection between privacy and trust is established, the value of privacy becomes fairly intuitive.
8. How do you measure the success of your privacy initiatives?
We look at metrics in several areas: complaints and comments regarding policies; frequency and severity of privacy incidents; and response times and outcomes in the event of a privacy incident.
9. What percentage of your day is spent on: creating policy, providing privacy consulting, conducting training, assessing/auditing compliance, or other responsibilities?
My time is spread fairly evenly between those areas, with consulting inevitably taking the largest portion of time.
10. When there aren’t clear answers, what is your framework for managing risk and charting compliance, and to whom do you turn for advice (others within the organization, outside law firms/consultants, others)?
Is there ever a clear answer? We try to prioritize risks using the best information we have available—which, of course, evolves over time. Talking to partners in the business areas is critical to understanding how mechanisms operate in the real day-to-day world. We use both outside lawyers and other privacy consultants to extend our knowledge in areas that do not commonly arise for us and to benchmark ourselves against others.
11. How do you handle multistate and multicountry privacy law compliance?
Charts. Lots of charts.
More seriously, we attempt to distill down the privacy requirements of the various agencies and jurisdictions to a least common denominator and then identify inconsistencies or outliers that need to be handled separately. In many cases, however, the driving factor in a privacy decision is not regulation, but the expectations of our clients.
12. What challenges and opportunities do technology and electronic media present in your privacy initiatives?
In the early days of the Internet, futurist Bruce Sterling commented about the use of technology to analyze private information: “Being afraid of monolithic organizations especially when they have computers is like being afraid of really big gorillas especially when they are on fire.” The potential for inadvertent harm from the misuse of data is multiplied by technology. Over the past few years, however, more and more tools and techniques have been developed to assist in managing and protecting data.
13. How do you keep up with the ever-changing privacy landscape (laws, technology, policy, etc.)? Which privacy websites, publications, conferences, certifications, and other resources do you find to be valuable?
The International Association of Privacy Professionals conferences are always helpful, as are IAPP’s publications and electronic newsletters. Our trade association also has a committee on privacy and data protection. Beyond that, I try to keep in contact with a network of privacy professionals to learn from peers.
14. What is your approach to training? In particular, what vehicles for training do you offer, and what steps do you take to help foster a privacy-aware environment so that each employee can take an active role in privacy?
We look at training in two ways: mandatory and environmental. Mandatory training is a vital part of our education programs; but to try to get the concepts of privacy and information protection to sink more deeply into the foundations of our corporate culture, we also try to engage our employees with environmental reminders—posters and promotional items, along with nonmandatory education messaging. The object is for our employees to encounter and engage with regular reminders beyond the mandatory training.
15. What have you done to address privacy issues associated with third parties who conduct business on your company’s behalf or in support of your business objectives (e.g., outsourcing, service providers, etc.)?
Our vendor engagement process involves obtaining privacy and data security commitments from our vendors and also reviewing the vendors’ ability to meet those commitments. While a decade ago our requirements and processes often were received with much grumbling, we’ve found that as our vendors encounter more companies with heightened privacy awareness, our requirements are more easily accepted.
16. What do you see as the next big privacy issue/trend? And what are you gearing up for in your own organization?
The first big trend in privacy—at least for financial companies—seemed to be information sharing (privacy notices, opt-outs, etc.). The next trend has been data security. Looking into the future, the hot emerging topics seem to be focused on how companies use (or re-use) data they collect. For example, use of data collected through mobile applications is becoming a hot topic. Why does a game app need to know my geolocation? If a food app needs to collect my location to recommend a nearby restaurant, what else are they going to do with that information (even if they don’t sell it to another party)?
17. What keeps you up at night when it comes to privacy? And why?
My biggest concern is failing to anticipate how a new product, service, or feature will be perceived from a privacy perspective. We try to look at everything from a client perspective, but there are countless examples of companies launching products or features that were intended to provide something useful to their customers, only to end up being castigated (and sometimes fined) for privacy issues the companies clearly didn’t see beforehand.
This article previously appeared in CPO Corner by Ruth Hill Bro, February 2012, Issue 22. Copyright 2012 The American Bar Association. Reprinted by permission.