COMMENT ON THIS ARTICLE
Companies need to proactively develop privacy policies, without waiting to be prodded by governments or their customers, according to the chief privacy officer (CPO) of Sun Microsystems Inc.
"You have to lay down your own rules," said Michelle Dennedy, CPO of Santa Clara, Calif.-based Sun at a ‘CIO Canada Frankly Speaking Breakfast’ event in Toronto.
The event featured a one-on-one with John Pickett, IT World Canada’s vice-president and editorial director, during which Dennedy spoke about the relationship between the chief information officer (CIO) and CPO, and explored various privacy strategies.
Dennedy, who worked as a lawyer before joining Sun, is responsible the development and implementation of her company's data privacy policies and practices.
These polices and practices, Dennedy said, are central to Sun’s compliance with complex and demanding regulations, including Sarbanes-Oxley, the EU Directive, California State Senate Bills and other evolving privacy regulations around the world.
"If you wait for the government to pass privacy legislation, technology and your customers will outpace you," the Sun CPO said, in response to an attendee's observation that the government is sometimes slow in framing privacy legislation.
In an interview after the session, Dennedy talked about how, in the development of new technologies, privacy concerns of potential users are sometimes not addressed.
She cited radio frequency ID (RFID) as an example.
The proliferation of RFID devices, she said, sparked widespread consumer concern about potential privacy violations "because there was no meeting of minds between those who made the devices and those who would use or be affected by them."
The technology was way out in front of any legislation, or any privacy policies, she said. "Privacy groups saw the sky falling, while developers said 'what's the problem, this is just technology, why is there so much emotion over this?'"
Acknowledging that privacy and security policies are sometimes viewed as impediments to business and technology, Dennedy said this perception is not accurate. These policies "might slow the process of getting things done, but when handled well they can actually enhance the experience."
Well thought out policies, she noted, allow companies to determine how best to deal with stakeholder concerns before they arise – and are particularly useful in today’s stringent compliance environment.
For instance, she said, current e-discovery rules favour the storing of corporate e-mails. "If you don't have the information stored, the implication is you are [not] doing it intentionally, to hide something."
Without a role-based data sorting structure, complying with legislation could mean a company has to allocate financial and human resources to sorting, sifting, analyzing and storing even unnecessary information, she said.
In devising policies though, Dennedy conceded that at times CPOs have to "make it up as [they] go along" mainly because privacy is a new frontier "with no prescriptive roadmaps."
She said the need for a dedicated chief privacy officer began to be felt less than 10 years ago. The speed at which technology has been able to effect communication has brought about a realization that the individual’s digital information needs to be protected.
In this journey, she said, the CIO and CPO have to act as equal partners, using their expertise in information and privacy issues respectively, to create business advantages for their company.
"I think we're fairly equal. We have our own support staff, we have separate budgets... independence is a good thing."
She acknowledged that tensions between the two functions exist, but said this was not necessarily a negative thing. "It’s tension that takes the company forward."
Dennedy noted that technology deployments that don’t take into account privacy issues could prevent a company from reaping the full benefit of the rollout.
For instance, she said, technology that allows a company to gather customer data might not be adequately or effectively used because the company has not set up policies about "who is allowed to contact which set of customers."
In devising privacy policies and practices, Dennedy said, CIOs and CPOs, need to figure out together what issues need to be tackled on a priority basis and what needs overlap. This requires consultations with employees affected by the data management. "The creation of privacy policy cannot be dictated from up high. You need to find the people whose jobs are affected."
Dennedy said she has run into some companies that – in the absence of a privacy policy – resort to tacking privacy provisions on their contracts. While spelling out matters clearly in a contract is good, she said developing a privacy policy in this manner is "taking the easy way out."
In addition to working collaboratively, CIO and CPO have to sell their projects to the CEO, Dennedy noted. She said when doing this, outlining the business benefits of projects is always the best approach.
For instance she said to get Jonathan Schwartz, president and CEO of Sun, to buy into her initiatives she "always takes her argument back to the business."
CEO's, she said, are usually under "tremendous pressure" to produce financial results. Dennedy said, she gets better results by demonstrating how privacy policies can benefit the bottom line, rather than talking the consequences of non-compliance.
"The fear of wearing orange overalls is often a good driver, but that's not always a winning strategy. You can't go on selling fear all the time."