The Emergence of the Chief Privacy Officer - Page 2

Oct 15, 2000

- Staff

Companies do have stringent opt-in policies regarding confirmed permission to send e-mail and the like. "The real issue is what kind of information you are gathering, how you're gathering it, and what kind of control the consumer has over how that it's used," Polonetsky says. "The key is in making consumers aware of what the terms are." CPOs see their role as doing just that.

In Westin's opinion, almost any company can benefit from hiring a CPO. The companies taking the lead, however, tend to be in industries such as financial services for which federal privacy laws are already on the books and compliance is an important issue. American Express Corp., Dun & Bradstreet, Inc., Nationwide Mutual Insurance Co., PricewaterhouseCoopers, Citigroup Inc., and Mutual of Omaha Insurance Co. all have CPOs and are founding members of the Association of Corporate Privacy Officers (ACPO), the professional organization established by Westin. The organization held its second meeting in Washington, D.C., last month to address the challenges and emerging role of the CPO.

The position is in its infancy and continues to evolve. In general, according to the ACPO Web site, the CPO is responsible for coordinating all corporate activities with privacy implications, as well as monitoring all of a company's products, services, and systems to assure meaningful privacy practices.

For Russo, that means acting as a liaison to security officers at every agency and school in the state. She is also drafting a statewide privacy policy that will be reviewed by agency officials and sent to the attorney general for approval.

For Polonetsky, the role of CPO requires him to juggle numerous responsibilities. In addition to ensuring that his company lives up to its own privacy commitments, he must review and monitor the privacy policies of partners and act as an ombudsman to consumers, government, and the press.

The ACPO has set out guidelines for drafting appropriate CPO responsibilities and lists sample tasks on its Web site. The CPO may do the following tasks:

  • Conduct privacy risk assessments and internal privacy audits
  • Serve as a key privacy advisor
  • Recommend and carry out employee privacy training and education
  • Manage a privacy-dispute and verification process
  • Speak on behalf of the company to the media and government bodies
  • Report to executive officers on how the company is dealing with privacy issues
  • Identify areas where the company can improve.

As companies increasingly handle consumer information and make promises about how that information is handled, Polonetsky says, they need to develop their own compliance systems. "Companies that don't live up to their commitments face liability, embarrassment, or even legal action," he says.

Following the European Lead

In terms of privacy issues, the United States lags far behind Europe, where privacy laws have been on the books for years in some cases.

"In Europe, we have the notion that your private data, including your address and photo, belong to you," says German-born Joachim Hunze, IT director for Mapa-Spontex, a household products company based in Paris.

In France, for example, the Commission on Information Technology and Freedom (Commission Nationale de l'Informatique et des Libertés) is charged with writing regulations and

Page 2 of 5

