When Harriet Pearson was appointed by IBM in November 2000 to be its first chief privacy officer, it was a headline-making event. While a few smaller companies had created an official CPO role a year or two earlier, Pearson’s appointment was one of the first instances of a major corporation making online privacy a priority.
Pearson, now a partner at the Washington, D.C., law firm Hogan Lovells, recalls that in her early days at IBM, the biggest concern about online privacy for corporations was compliance with HIPAA health care and other privacy regulations. The approach was, “Do you wait for regulators or self-regulate?” as she puts it. By the mid-2000s, the focus shifted to social media and productivity.
These days, she says, “It’s all about the data.”
Pearson is referring to companies’ concerns about what she calls “informational privacy,” which includes the depersonalization of data for use in website traffic analysis, social media and other applications.
Meanwhile, the privacy profession has grown exponentially.
The International Association of Privacy Professionals (IAPP), the privacy industry’s largest professional group, currently has more than 12,000 members, an increase of nearly 3,000 just since the beginning of 2012.
“As the issue of privacy has expanded, so have our activities,” says J. Trevor Hughes, president and chief executive of the 13-year-old organization, which holds a Global Privacy Summit and has an awards program for leading organizations in the field. “Now, all companies that handle data have a chief privacy officer and staffs that deal with that data to mitigate risk and maximize value.”
The legal risks of an ever-expanding cybersphere suggest that the demand for chief privacy officers at companies will continue to grow. In its recently released annual survey of chief legal officers, the Association for Corporate Counsel found that around three-quarters of legal professionals polled viewed both “information privacy” and “data breaches and protection” as very important issues over the next 12 months.
The proliferation of the chief privacy officer title at American companies may also reflect the way online privacy has evolved as an issue in the United States, in contrast to other areas. For example, the U.S. and European Union have demonstrated different approaches to the issue of consumer data privacy—EU policymakers have sought to strengthen rules around privacy, which is considered a human right, while the U.S. has relied on entities such as ecommerce websites to publish their own privacy policies.
“In Europe, it was all about compliance; in the U.S., it was about leadership and strategy,” says Pearson, who is building a privacy-focused practice at Hogan Lovells.
But that dynamic may be changing. Recent actions in the U.S., including the Obama administration’s proposed privacy bill of rights in March 2011 and the Federal Trade Commission’s December 2012 update to the COPPA laws and its investigation of data brokers, suggest a possible shift.
Hughes says he believes that as the regulatory environment around privacy progresses, the corporate model for privacy management also is maturing. “Most companies are not hiring a privacy team,” he says. “In an information economy, every employee needs to know a little bit about privacy.” As a result, many companies are doing more to promote privacy awareness through internal training.
The rapid proliferation of new technologies means that businesses are using data in ways that continue to grow and change. “Ten years ago,” says Hughes, “we were not talking about smartphones.”
Privacy by Design
An experienced privacy professional can help a company create a policy of “privacy by design,” which involves incorporating privacy protection into new products from the earliest stages of planning.
One example is deep packet inspection (DPI), a data filtering protocol used by enterprises for network management, setting internal security policies, and data mining, among other functions. “There are no laws or guidelines [regarding DPI],” says Hughes. But a company well-educated in privacy protection can develop its own policies from the ground up by working directly with ISPs, he says.
Harriet Pearson is pleased with how the responsibilities of the chief privacy officer have expanded over the last decade, but, concomitantly, she would like to see the CPO role elevated in the corporate hierarchy.
“Because of big data analysis, you’re getting a new set of questions,” says Pearson. “The current role [of chief privacy officer] is going to evolve. If it evolves successfully, it will become a much more strategic one.”
Alec Foege, a contributing editor at Data Informed, is a writer and independent research professional based in Connecticut, and author of the book The Tinkerers: The Amateurs, DIYers, and Inventors Who Make America Great. He can be reached at firstname.lastname@example.org.
Correction, February 10, 2013: The original version of this article was updated to correct the spelling of Harriet Pearson’s first name and to clarify her status when she became chief privacy officer at IBM. She was appointed to the post in 2000 while she was already working at the company.