CPO Corner: Interviews with Leading Chief Privacy Officers

Vol. 8 No. 3

Ruth Hill Bro chairs the Section’s Membership and Diversity Committee and served as the 2008–2009 Section Chair. She can be reached at ruth.bro@comcast.net.


1. What career path led you to your current position (and are you a lawyer)?

One thing I have noted over the years in working on privacy is that there are many paths to becoming a privacy professional. My path to privacy was via a business degree in my home country of New Zealand followed by time in the manufacturing and services sectors working on quality assurance and risk management. In 1999, while working in a global consulting organization in the United Kingdom, an opportunity arose to move to the United States and provide privacy consulting services. I took that opportunity, which ultimately led me to my current position at Microsoft.

2. What is the name of your department, and where is it positioned within the organization (do you report to the GC, CEO, CIO, etc.)?

Privacy at Microsoft is positioned within a corporate group named Trustworthy Computing (TwC), which reports to Microsoft’s Chief Research and Strategy Officer. Trustworthy Computing began in 2002 as a company-wide effort to increase the security, privacy, and reliability of the computing experience for all. Trustworthy Computing is now a company tenet and has an impact across the technology industry.

3. How many people in your organization are tasked with some aspect of privacy compliance, and what are their job functions? Consider direct reports and budgetary responsibility, as well as those outside your group.

The privacy effort at Microsoft is fortunate to have the strong support of its senior business leaders in allocating resources for managing privacy, and we now have more than 40 full-time privacy professionals. About half of these people are within TwC, and the others are distributed across our product and service divisions, our largest subsidiaries, and our Legal and Corporate Affairs group. In addition to these full-time privacy professionals, we have an estimated 400 more with formal privacy responsibilities as a part of their role.

4. Why did your organization appoint a chief privacy officer, when did this occur, and is this a full-time position?

I am Microsoft’s third Chief Privacy Officer. The first was appointed in 2000, at a time when Microsoft was embracing the Internet and increasingly coming into contact with personal information. It was clear that upholding customer privacy expectations was going to be crucial for long-term business success, so the company established a privacy office and appointed the first CPO. The building blocks for our comprehensive privacy program were put in place in those early years, and the program has grown and matured significantly over the past 11 years.

5. What factors do you think are key to a privacy officer’s effectiveness? Consider not only education and skill set, but also budget, headcount, level within organization, etc.

I believe that success in this role begins with strong executive support. If the senior business leaders understand that privacy is a high business priority, the CPO has a positive environment in which to be successful. From there, I believe it helps to develop a strong understanding of the business strategy and strive to become a trusted advisor to the business units. You may need to stand up and say “no” on occasion, but I think you will be more successful in the long run if you can find yourself more often saying something like “I understand what you are trying to achieve, and here is a way that we can meet that goal and also protect privacy.”

6. Who is your biggest ally in your organization and why?

My biggest allies are the privacy professionals distributed throughout the company. They are the ones who drive our privacy-by-design approach on a day-to-day basis. One individual cannot be involved in every business decision relating to the collection or use of personal information. The internal privacy community members are positioned to guide those decisions in a way that respects people’s privacy. They are the heroes of our privacy program.

7. How do you make the case internally for resources and explain the value of what you do (ROI)?

Microsoft’s senior leaders understand that privacy is a core component of customer trust. Demonstrating compliance needs can help achieve a certain level of investment, but explaining the link to customer value can go a long way to securing greater investment.

8. How do you measure the success of your privacy initiatives?

In measuring success in privacy, it makes sense to assess the maturity of the program elements as well as the outcomes for our customers. Some key questions include: Do we have up-to-date and clearly communicated privacy policies, standards, and guidance? Do we have a comprehensive network of well-trained privacy professionals across the company? Do we have broad awareness of our privacy policies and processes among employees and vendors? Do customers recognize that we not only protect their information but also enable them to control its use?

9. What percentage of your day is spent on: creating policy, providing privacy consulting, conducting training, assessing/auditing compliance, or other responsibilities?

While every day is different, I would say I spend approximately equal amounts of time on privacy strategy and policy development, team management, consultation with our business groups, evaluating the effectiveness of our governance program, and privacy technology advancement. I also spend a significant amount of time engaging externally with a range of stakeholders, including regulators, consumer advocates, academics, industry counterparts, and customers.

10. When there aren’t clear answers, what is your framework for managing risk and charting compliance, and to whom do you turn for advice (others within the organization, outside law firms/consultants, others)?

Internally, I can bounce ideas off a range of seasoned privacy professionals. I am also lucky to have a strong partnership with our highly experienced privacy attorneys—some of whom began specializing in privacy before Microsoft’s privacy program was established. We engage extensively outside the company with regulators, privacy advocates, academics, and others to seek input as well as advance public policy. We also engage the help of consultants and law firms.

11. How do you handle multistate and multicountry privacy law compliance?

Because we deliver our products and services globally, it is important for us to have privacy policies that are highly standardized globally. Therefore, we set our policies at a level that will best enable compliance with privacy laws on a global basis. Yet the law provides only one basis for establishing our policies; we also consider customer expectations of privacy, which are often higher than the minimum legal standard.

12. What challenges and opportunities do technology and electronic media present in your privacy initiatives?

As a large technology company delivering a diverse range of products and services, we need to keep up with technology developments. New technologies and business models constantly pose new questions for privacy that need to be addressed. We are involved in online advertising, location-based services, online gaming, electronic health records, Internet search, social networking, cloud computing, and many other fast-developing areas. Technology also provides opportunities to empower individuals and organizations with capabilities to better manage privacy. The development and delivery of privacy-enhancing technologies is also a core part of our privacy-by-design approach.

13. How do you keep up with the ever-changing privacy landscape (laws, technology, policy, etc.)? Which privacy websites, publications, conferences, certifications, and other resources do you find to be valuable?

Our network of privacy professionals around the world, through their engagement with external stakeholders, provides a good source of developments in the privacy landscape. We also participate actively in International Association of Privacy Professionals (IAPP) conferences and other educational, networking, and certification opportunities they provide. We look to legal publications and other conferences as additional sources of information.

14. What is your approach to training? In particular, what vehicles for training do you offer, and what steps do you take to help foster a privacy-aware environment so that each employee can take an active role in privacy?

We have many tiers of privacy training. Privacy is often included as a section in Microsoft’s annual Standards of Business Conduct training. We have broad awareness training designed for all employees as well as customized privacy training for different role types, including privacy managers, data handlers, software developers, etc. We also strive to integrate privacy checkpoints within existing business processes rather than create new processes; this has proven to be effective in making privacy a part of the way we operate our business.

15. What have you done to address privacy issues associated with third parties who conduct business on your company’s behalf or in support of your business objectives (e.g., outsourcing, service providers, etc.)?

We have designed and implemented a vendor privacy program that clearly outlines our privacy requirements for our vendors that handle personal information. One of the requirements, for example, is that their employees receive privacy training.

16. What do you see as the next big privacy issue/trend? And what are you gearing up for in your own organization?

As we look forward, it is clear that there will be a wide range of Internet-connected devices providing data-driven services. Also, we have likely only seen the very beginning of the value that can be provided to society by analyzing large data sets. As we move to a world of the “Internet of Things” and “Big Data,” we will need to adapt the application of core privacy principles to ensure that society gets the benefits while individual privacy is protected.

17. What keeps you up at night when it comes to privacy? And why?

My sleep disturbances usually have something to do with one of our two children or the family cat. That’s not to say that in my professional life things always go as planned or that there are no areas for concern resulting from the pace of technology change. But I am fortunate to work with a strong, capable team dedicated to our privacy mission.


This article previously appeared in CPO Corner by Ruth Hill Bro, http://www.americanbar.org/content/dam/aba/administrative/science_technology/cpo_corner_brendon_lynch_nov_2011.authcheckdam.pdf, November 2011, Issue 21. Copyright 2011 The American Bar Association. Reprinted by permission.
