A day in the life of a CPO

Canada could use more people like Dr. Steven Lucas.

As one of the pioneering chief privacy officers (CPO) in the U.S., Lucas is looking to further the profession.

After enjoying previous privacy gigs with several reputable companies including Persona and Excite, Lucas was recently anointed the CPO of Richardson, Tex.-based Privacy Council Inc. – a global privacy solutions provider for Fortune 500 companies and leading Internet entities.

Because trust is at the forefront of the consumer mindset, enterprises realized success is built on relationships with the customer base, Lucas explained. That lesson was a cakewalk for some and a rude awakening for others.

“Customers are not going to build up a relationship with a company if they feel it can’t be trusted,” he said. “But it’s the Exxon Valdez of issues (for a company). Look at Geocities, they lost 50 per cent of their market value for violating federal data use practices.”

Despite boasting a Ph.D. in computer science from Stanford University, a BSc in electrical engineering from the Citadel, a J. D. from American University of Law, and an MBA from New Hampshire College, Lucas said his role as a CPO extends as far back in his professional career as he can recall.

“The general counsel of companies had assumed the responsibility initially, and they likely thought it was a matter of keeping one’s pulse on what was happening in Washington,” he said. “But it’s a full-time responsibility.

“It’s not just about watching out for legislative issues, it’s being involved in every facet of a company. Be it the technology, marketing, production, company policies, or public relations.”

Texas’ Privacy Council recently inked a deal with the Cox School of Business at Southern Methodist University (SMU) in Dallas to offer a CPO training program.

Lucas said the management program offers executives an intensive three-day seminar detailing practical management issues, privacy laws and regulations, and technology and resources required by today’s CPO. The course costs US$1,995 per attendee.

Anticipating CPO course offerings to become commonplace at the community college level, Lucas added companies and individuals alike need to view the CPO as a facilitator.

“A requirement of the CPO is to build effective bridges with other pieces of an organization, I’m not just there to say ‘no,'” he explained. “Our role is to take the marketing and business plans and help create a plan that adheres to all privacy practices.”

But not all aspiring administrators can boast the 18-year experience in privacy law, e-commerce, public policy, computer security, database marketing and database technology that Lucas can lay claim to. Hence the CPO course.

“Some people don’t have all the skills in all areas,” he remarked. “This course will help them define the role of the CPO and teach them how to speak to the media, how to create privacy policies and accepted data use practices.”

Phillipa Lawson, general counsel for the Ottawa-based Public Interest Advocacy Centre (PIAC), said the rise of the CPO is a good development for all.

“I think it’s important from both an employee’s and a consumer’s perspective that one person is designated as responsible for privacy-related issues,” she said. “It’s a good development.”

On Jan. 1, the federal government mandated that all Canadian enterprises must have a CPO, but there are no guidelines and no established training courses – from either government or industry – to teach an aspiring individual the privacy ropes.

“That is something that needs to be addressed here,” said IDC Canada researcher Kevin Restivo. “It’s a new piece of legislation, thus it’ll take time for general compliance.

“Aside from major corporations who already appear to have a handle on it, the consensus seems to be to leave the role to either the president of the company or general counsel.”