138236-4_FM_Erbschloe
7/5/01
11:54 AM
Page i
Executive’s Guide to Privacy Management
Michael Erbschloe
McGraw-Hill New York Chicago San Francisco Lisbon London Madrid Mexico City Milan New Delhi San Juan Seoul Singapore Sydney Toronto
Copyright © 2001 by Michael Erbschloe. All rights reserved. Manufactured in the United States of America. Except as permitted under the United States Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher. 0-07-138236-4
DOI: 10.1036/0071382364
To my mother
Contents
Preface
Acknowledgments
Introduction
1 Developing a Risk Perspective on Privacy Management
2 The Business Case for Risk Reduction
3 What Privacy Means
4 Moving Ahead in Privacy Management
5 The C Level Emissaries
6 Maintaining Momentum in Privacy Management
7 Finalizing and Implementing Privacy Policies
Preface
Executives face seven major challenges in ensuring that their organization is taking appropriate steps to manage information privacy. This book informs and coaches upper managers on how to address these challenges, including establishing a privacy task force, overseeing the development of policies and plans to manage privacy, and functioning as a high-level emissary to further the privacy management efforts of the organization.

The development of a sound privacy management policy can be a long and tedious task, and executives can play significant roles in every step of the process. It is important to recognize that almost all of the work to develop and implement privacy policies and plans will actually be performed by middle-level managers. The role of upper-level managers is, however, still very important.
Executives are responsible for overseeing the work of the middle management team and helping to keep the project on schedule and properly focused. Executives can also play a key role in motivating the privacy plan development team. Upper-level managers are also key spokespeople for any organization and will play important roles in communicating privacy policies to boards of directors, investors, and the general public.

This book complements NET Privacy: A Guide to Implementing an Ironclad eBusiness Privacy Plan by John Vacca and me (McGraw-Hill, New York, 2001), which provides a step-by-step approach to developing privacy policies and implementing privacy management plans. NET Privacy speaks to everyone in an organization who should be involved in policy development and plan implementation, while this book is specifically tailored to meet the needs of upper-level managers.
Acknowledgments
A very special thanks to my editor, Michelle Williams, whose continued interest and support made this book possible. I would like to express thanks to my research assistants, Catie Huneke and Deby Ellerbrook, and all of my comrades at Computer Economics for their encouragement.
Introduction
Privacy has become a hot button of the information age. Politicians are debating new laws. Countries and economic blocs are taking positions on privacy management and are attempting to leverage privacy issues for political and economic gain. Advocacy groups are taking extreme positions and lobbying to influence how privacy is regulated. This mix of emotion, politics, and economics has resulted in more chaos than order. Organizations that collect and maintain information about their customers, clients, or markets are caught in the middle of this chaos.

Executives face seven major challenges in managing privacy in their organization. Executives must have a high level of understanding of the privacy issues that affect their organizations. They must be able to lead the development of privacy policies and procedures and be able to articulate these policies to boards of directors, investors, business partners, the general public, and the media on behalf of the enterprise. This book shows executives how to move their organization forward in managing privacy and how to leverage their privacy management efforts into positive public relations results.

The first executive challenge is to determine what level of risk their organization should accept in how information privacy is managed. This includes information about their customers as well as information they may have access to about the customers of their business partners or those of a business alliance in which the organization participates. The process of choosing a risk level is examined in Chapter 1.

The second executive challenge is to formulate a business case for reducing risks. This includes the costs and benefits of protecting privacy and how to avoid the potential negative economic impact of inadequate privacy protection. The executive needs to look at the whole organization as well as external relationships with customers and suppliers in order to have a thorough view of privacy protection needs and how the organization can capitalize on its privacy protection efforts. The process of formulating a business case for privacy protection is covered in Chapter 2.

The third executive challenge is to lead the organization's efforts in privacy management and convey a basic understanding of privacy-related laws. Once an executive understands the basics of privacy laws, he or she will be able to guide the organization through the privacy management challenges of the twenty-first century. The legal and social basis of the definition of privacy, the foundation of privacy laws, and how these laws will impact organizational requirements for protecting privacy in the future are covered in Chapter 3.

The fourth executive challenge in privacy management is to launch a formal privacy management process in the organization.
The first step in developing a privacy plan is to create an organization structure in which to conduct the work: a privacy task force. The privacy task force is composed of representatives from all departments in an enterprise. Leadership of the task force must be determined, and an agenda for action needs to be set. The privacy task force will require several months to compile the data needed to determine what information must be protected and to formulate policies and procedures to ensure that privacy is maintained. The process of building an enterprisewide privacy management program is broken down into four major phases. The first phase is organizing the privacy task force and conducting the necessary research to develop an appropriate privacy plan. The second phase is conducting a privacy-needs audit. The third phase is developing privacy policies and plans. The fourth phase is implementing the plan. Each of the phases and the role that executives serve in each phase are discussed in Chapter 4.

The fifth executive challenge is to convey the organization's position on privacy management. Executive-level managers play a role in the privacy management process that no other person can perform: they serve as high-level emissaries to boards of directors, investors, business partners, the general public, and the media on behalf of the enterprise. This means that executives must understand and be able to readily articulate the privacy philosophy and policies of the organization. Executives represent their organizations in a way that no other employee possibly can, which means that they must have a clear understanding of how privacy protection can impact their organization and be able to communicate policies to a wide variety of audiences. Chapter 5 covers the range and depth of knowledge that executives must have about the privacy management approach of an organization.

The sixth executive challenge in privacy management is to maintain appropriate momentum in developing privacy policies and privacy management procedures in their organization. The importance of maintaining momentum in the privacy planning process, methods for doing so, and the role of upper management in keeping the privacy project moving are discussed in Chapter 6.
The seventh executive challenge in privacy management is to ensure that their organization addresses privacy management needs on an ongoing and long-term basis. Finalizing privacy policies and plans and moving into the implementation phase are discussed in depth in Chapter 7. This includes the significance of upper management participation during the implementation process, the importance of executive endorsement of privacy policies, and what executives must do to support the privacy management process in the long term.

An in-depth guide to developing and implementing a privacy plan is provided in the companion book NET Privacy: A Guide to Implementing an Ironclad eBusiness Privacy Plan. Executives should encourage all middle managers and members of their privacy task force to use NET Privacy to help guide them through the development and maintenance of enterprise privacy plans.
1 Developing a Risk Perspective on Privacy Management

The global nature of the Internet and ecommerce is fueling the debate over the protection of privacy. As a result, privacy is a growing political, social, and business issue, and government policy makers and regulators around the world are focusing considerable attention on privacy issues. Privacy protection is a management issue that cannot be ignored. Executives need to be able to cut through political and social rhetoric and decide what level of risk their organization can afford in dealing with information privacy. The first executive challenge is to determine what level of risk their organization should accept in how information privacy is managed. It is important for executives to focus on the business costs and benefits associated with risks in order to determine the best privacy management approach for their organization. Executives should take the following action steps to evaluate the risks related to privacy management in their organization:

• Assess the range of risks associated with privacy management practices in their organization.
• Select a risk level that best fits the business style of their organization.
• Develop a course of action for privacy management that is appropriate for business goals.
The Risk Continuum

Risk associated with privacy management in any organization can run from very low to extremely high, depending on the type of business environment in which an organization operates. Executives need to evaluate risks from two perspectives. First, an assessment should be made of the risk level associated with a specific business environment. This includes an analysis of the regulatory approach of governments toward information privacy in an industry sector and of social perceptions of privacy needs relative to specific business activities in that sector. Second, an assessment should be made of the position that an organization is taking toward privacy management relative to other organizations in the same industry sector.

For many organizations, the risk position is determined by government regulations that cover an industry or a specific type of information. In educational and healthcare organizations, for example, there are existing regulations that limit the use and disclosure of the personal information of clients, patients, and customers. These organizations have little choice in the way they approach privacy management. If information privacy in a sector is heavily regulated or specified by law, then an organization needs to ensure that it is in compliance with applicable laws and regulations.

If an organization conducts business in an industry sector where privacy is not heavily regulated, then executives have a range of choices in their privacy management approach. In these environments, privacy management risks may still run high depending on social perceptions and pending government regulations. It is also possible that privacy management is not much of an issue for a specific organization because of the nature of its operations. When there is a lack of clear regulation on information privacy, executives should look at their competitors to determine the state of privacy management in their sector. Review annual reports, look at privacy statements on competitors' Web sites, and test shop the competitors to collect information about their privacy management practices.
Privacy Management in Highly Regulated Environments

The first issue for executives to address is the state of regulatory and legal requirements in their industry sector. If there is a high level of regulation in a sector, then executives should take steps to ensure that their organization is in compliance. To begin, establish a study team to assess the organization's level of compliance and make recommendations for actions that need to be taken to improve compliance levels. The processes covered in this book are designed to help executives make sure that a properly crafted privacy management policy and plan are in place in their organization.

Even when executives feel comfortable that their organization is complying with all applicable laws, establishing a privacy task force and formalizing privacy policies can still have considerable benefit. First, it shows that an organization is conducting due diligence by evaluating privacy management needs and approaches to achieve the highest level of compliance possible for its industry. Second, because privacy is such a political hot button, such efforts show that the organization is sincere and is acting in good faith to protect the privacy of customers or clients. This can be translated into good public relations value.
Privacy Management in Less Regulated Environments

In environments where privacy is less regulated, or perhaps not currently regulated at all, executives can exercise a wider variety of approaches to privacy management. There are three primary approaches to dealing with privacy management in less regulated environments.

First is the passive approach, in which executives take no action and wait for laws to change or for a complaint to be made by an individual, an advocacy group, or a government organization. At the point when complaints are filed or regulatory or legal action is threatened, the organization can initiate risk reduction by following the guidelines covered in this book. The advantage of this approach is that no funds are expended until an actual threat is recognized and no changes to business practices are required in the organization. The disadvantage of this approach is that there is a global movement to more tightly regulate privacy, and many organizations are preparing for new laws. Those organizations that are working ahead face fewer risks as new laws are enacted because they will be able to respond faster to changes in privacy management requirements.

Second is an assess-and-wait approach, in which an organization assesses its business practices and, if there are no obvious privacy management problems, does nothing to change the way privacy is managed until new laws or regulations are in place. The action steps covered in the following chapters will help guide executives through the assessment and through preparation for developing and implementing a privacy policy and appropriate privacy protection procedures. This approach involves less risk than the passive approach because an organization would be prepared to move more quickly to implement tighter privacy management procedures should it become necessary. The advantage of taking an assess-and-wait approach is that it prepares an organization to change its approach toward privacy management while the costs of implementing new procedures are delayed. Meanwhile an organization can continue to exploit its information assets in any way that is financially advantageous. A primary disadvantage of this approach is that as laws change, an organization will still need several months to finalize privacy policies and implement new procedures. A second disadvantage is that an organization will not have shown maximum due diligence in establishing privacy management procedures in the event that there is litigation over the way information privacy was handled.

Third, an organization can move ahead by establishing a privacy task force, conducting a needs audit, developing a complete privacy management plan, and implementing the resulting privacy management procedures. The action steps in this book guide executives through the entire process of developing and implementing privacy plans. The disadvantage of this approach is that funds will be expended before it is absolutely necessary. The main advantage of this approach is that it prepares an organization to deal with any type of privacy laws that may emerge. This is possible because the structure and processes necessary to manage information privacy are already in place, and policies can be easily modified and new procedures more quickly implemented. A second advantage is that a complete privacy management program provides positive public relations value that can be turned into an asset in attracting new customers or establishing new business alliances.
Selecting a Course of Action

Privacy management requirements in a highly regulated environment leave managers little choice in how to deal with privacy. It is up to executive managers which approach they should take in dealing with privacy in less regulated environments. However, executives in both types of environment share potential risks to their position and perhaps even to their compensation if privacy management policies and procedures are inadequate and a privacy scandal or litigation arises. Some action on the part of all executives, especially chief executive officers and chief operating officers, is advisable.

To provide balance when trying to select a course of action, executives can appoint a committee to advise them on strategies. Such an advisory committee can be made up of representatives from key departments including customer service, sales, marketing, and the central information technology department. A group of five or so middle managers representing different perspectives within the organization should be sufficient. The advisory committee can read this book to help them get an overview of privacy issues, law, and the process of developing a privacy plan. They should also review current trends in the industry sector or sectors in which their organization conducts business. This work should not require more than forty hours of effort in total for each of the representatives on this advisory committee. The advisory committee should report back to the executive who initiated the research. There is no need for a lengthy written report; a two- to four-page memo addressing the committee's key concerns will suffice. Executives can use the input of the committee to help them determine a course of action. It is also helpful for the executive to get input from legal counsel as to the current legal requirements and trends.

The executive advisory committee on privacy management should answer the following questions for upper management:

• What are the committee's opinions of the state of privacy management in the organization?
• Have there been privacy management problems in the past?
• If the organization is in a highly regulated environment, have regulators or inspectors found any problems in the way the organization is managing privacy?
• If the organization is in a less regulated environment, what are the opinions of the committee on how competitors are handling privacy management?
• What are the committee's opinions of how privacy laws may impact the organization in the future?
• Does the committee feel that the organization should establish a privacy task force, implement a structured analysis of privacy needs, and adopt a formal privacy policy?
• Why does the committee feel that further action needs to be taken, or need not be taken, in privacy management?

Another point to consider when deciding on a course of action is what is involved in developing a privacy policy and plan. The entire process of developing privacy plans is covered in this book, as is the role of the executive in making sure that privacy planning is successful. NET Privacy: A Guide to Implementing an Ironclad eBusiness Privacy Plan by the author and John Vacca (McGraw-Hill, New York, 2001) provides an in-depth guide and shows step by step how to work through the development of a sound privacy management approach. NET Privacy and this book will give the executive and the advisory committee on privacy a thorough understanding of the challenges that the organization faces.
The Executive Challenge

Some executives may decide to delay the process as long as possible. However, on reading through the material in this book and NET Privacy: A Guide to Implementing an Ironclad eBusiness Privacy Plan, many executives may find that tackling privacy management is not all that intimidating after all and will plan to move ahead, albeit at their own pace. The most important step for executives to take is to start coming to grips with the issue of privacy management. Regardless of the approach an executive or an executive management team takes in dealing with privacy, it is essential that they monitor developments in privacy law and regulation and stay abreast of privacy-related social trends that may impact their organization. Chapter 2 covers building a business case for risk reduction in privacy management.
2 The Business Case for Risk Reduction

When working to reduce the potential risk in the privacy management arena, it is important for executives to focus on the business costs and benefits associated with developing and implementing privacy management plans and procedures. Reducing risk in privacy management is a time-consuming effort that could take several months to achieve. The second executive challenge in managing privacy is to formulate a business case for reducing risks. Executives need to develop and mobilize resources within the organization and motivate employees to reduce risk through sound business arguments rather than philosophical debate. Executives should take the following action steps to formulate a business case for privacy protection in their organization:

• Develop an understanding as to why privacy management is important to their organization and their overall business environment.
• Determine how their organization can achieve a return on investment for developing and implementing privacy protection policies and procedures.
• Assess the public relations and marketing value of privacy protection for their organization and how a reputation for ethical privacy management can be used as a tool in developing and maintaining a positive public image of their organization.
• Evaluate the importance of privacy protection when establishing or participating in business alliances that can provide their organization with competitive advantage.
• Establish a privacy philosophy for executives to communicate to the employees, customers, business partners, and investors of their organization.
Why Privacy Is Important

Laws that govern the privacy of personal and corporate information have evolved over the last century. Most countries where computers are widely used have some type of privacy regulations in place that cover data stored and processed on computer systems. The European Union (EU) requires its member states to protect personal data under its data protection directive, and US organizations that receive personal data from the EU can meet its requirements by adhering to the safe harbor principles agreed between the EU and the United States. (Safe harbor principles are explained in Chapter 3.) The United States has many laws in place that protect the privacy of personal data in health, banking, financial services, and educational organizations. In addition, regulations are in effect in the United States to protect the privacy of children under thirteen years old. In the United States, as in many countries, many new laws are being considered at the state and national levels to address privacy protection.

As privacy laws evolve, there will be increasing pressure on all organizations to comply with these new and complex laws. This is especially true for organizations that operate in more than one country or that conduct cross-border transactions over the Internet. The global reach of the Internet has added to the complexity of privacy management as well as created the need for companies to address privacy management requirements.

Beyond the growing legal requirements associated with privacy management, there are also a number of business requirements that executives must deal with in order to form alliances and, in some cases, even conduct business in many industry sectors. Hewlett-Packard, for example, announced in February 2001 that it intended to become safe harbor compliant. This means that in order to conduct business with Hewlett-Packard, companies will be under pressure to comply with safe harbor principles. Other companies are also implementing policies that impact their business partners and service providers. IBM has a formal policy that requires Web sites to post privacy policies and meet certain standards before IBM will advertise on the Web site. Companies that are based in European countries face stiffer privacy laws. These companies require their business partners to comply with high standards for privacy protection. As more companies expand their global operations, they will require business partners to comply with the same sets of laws that they are governed by when doing business. The global nature of business and the corresponding privacy laws that regulate business practices will put increasing pressure on managers to develop and implement appropriate privacy policies and plans.

In addition to legal requirements and business processes, there is growing demand from consumer groups for improved privacy protection. This means that there is an important public relations aspect to privacy management. Consumer groups, lobbying organizations, and private interest groups are going to keep the pressure up as they work to improve privacy. Advocacy groups will use the political process to influence policy makers to change privacy protection laws. These groups can and will use individual cases and incidents as examples to support their cause. Pressures from these groups must be responded to with solutions that are grounded in a realistic cost-benefit analysis. Resisting the movement toward improved privacy protection may be appealing on a philosophical level, but such resistance could create problems. It is best to avoid the potential backlash as well as the bad press that could accompany negative responses from advocacy groups or regulators.

It is important for executives to consider all of these factors when establishing a corporate philosophy toward privacy management. The negative political, social, legal, and business consequences that could result from poor privacy management are far more important than an individual's personal perspective toward government intervention or the pressure that can be applied by consumer groups. It is critical that all executives understand the necessity for privacy management and how to lead their organization in developing and implementing privacy protection policies. It is also essential that executives make clear to all departments in their organization that privacy management is not a matter of giving in to social or government pressure but is a sound business decision that has economic ramifications that may impact the future of the enterprise.
The Return on Investment for Privacy Protection
Return on investment (ROI) for privacy protection can be measured in several ways. Cost avoidance and cost savings are key factors that should be considered when evaluating the potential ROI for developing and implementing privacy plans. However, achieving appropriate privacy protection can also be beneficial as a marketing and sales tool and can yield high levels of ROI. In addition, sound privacy protection policies and procedures can be used to leverage new business relationships and maximize the return on existing business relationships. It is wise for executives to consider and communicate both what can be avoided and what can be gained by implementing privacy policies and management procedures.
In the process of cost avoidance, developing and implementing legally and socially acceptable privacy protection policies and procedures can help avoid many undesirable consequences that can increase operational costs. This principle is illustrated in the numerous privacy scandals that have occurred during the last several years. These scandals have resulted in extensive legal costs and required thousands of hours of staff and executive time to overcome. Litigation, whether or not it is grounded in legitimate complaints or class action movements, can require hundreds of hours of legal support. Attorney fees of $500 per hour are common in such cases. If litigation requires 500 hours of legal support, fees can easily exceed $250,000. In addition to legal fees, such cases often require thousands of hours of internal staff time to compile documentation and work with legal counsel. In addition, the costs incurred for managing the public relations problems that accompany privacy-related litigation can run into hundreds of thousands of dollars. Thus, an undesirable privacy scandal, regardless of its legitimacy, can easily cost over $1 million.
But legal fees, internal staff time, and public relations services are only part of the costs of dealing with privacy scandals. Damage to a company’s reputation among consumers and consumer groups can take years to overcome. During the recovery time, sales can be negatively impacted, which can result in lower than expected revenues, which in turn can impact stock prices and corporate valuation. Such costs are difficult to place a price tag on but they will certainly be felt throughout the company. Marketing and sales executives are very in tune with the costs of obtaining new customers and retaining existing customers and try to avoid a poor corporate image as much as possible. Overcoming a scandal or working to improve a damaged corporate image can make it exceedingly difficult to win new customers. Executives need to be concerned about all of these issues, but above all it is important to protect the reputation of a company in order to maintain a favorable standing with stock analysts and investment advisors.
History has clearly shown that scandals and legal problems can negatively impact the reputation of a company. Analysts and advisors as well as individual investors show favor toward companies with sound reputations. Conversely, they tend not to show such favor to companies that are suffering through scandals.
The compensation and bonus plans of many executives are often tied to revenues, earnings, and stock prices. Executives should be sensitive to issues that can impact their compensation and the compensation of the management team. Scandals or lawsuits can cause rapid fluctuations in stock prices, potentially causing downgrades in the positions of stock analysts and investment advisors. The compensation of executives may easily survive a few weeks of slippage in stock prices. But privacy scandals and related litigation can last for several months, casting a shadow over a company for several fiscal quarters. This in turn can result in a considerable dip in executive earnings for several fiscal quarters and even affect compensation for several years.
The PR and Marketing Value of Privacy Protection
As concern for privacy continues to grow and scandals continue to proliferate, having a reputation for sound privacy policies and protection procedures can become a valuable public relations asset. Appropriate privacy protection can be turned into an effective marketing and sales tool. A bad reputation is something that many companies have to struggle to overcome. But keeping a clean reputation can also be difficult. Many companies, however, do not fully exploit their good reputation. Implementing privacy policies and procedures that are customer friendly can be turned into a public relations asset and a strong marketing tool. Hewlett-Packard received a wave of positive press when it announced that it was becoming a safe harbor company. It made this announcement after a long run of less than favorable news coverage about corporate performance and the potential impact of an economic downturn in the computer industry. IBM demonstrated a leadership position when it implemented a policy that required Web sites on which it advertised to post a privacy policy and meet standards for privacy protection. IBM wanted to show that it was a leader
in the Internet age and used privacy protection as an element of its ongoing promotional campaign to become an Internet leader. Both companies achieved positive press for their efforts.
One of the major public relations disasters of the last few years was the failure of dotcom companies. The death of many dotcom companies during 2000 and 2001 left many policy makers and advocacy groups concerned about what would happen to customer data once the companies went out of business. Many of these failing companies came under incredible criticism, as did their executives, when the companies were closing down. Privacy issues only compounded already bad situations and generated even more criticism and social concern. Some dotcoms have decided to avoid the potential privacy scandals, bad press, and government investigations by taking a proactive approach to privacy issues. When eToys.com closed its doors in March 2001 it left many people concerned about the value of gift certificates and their ability to return purchased products to the company for a refund. Overall, eToys, Inc. ended up with a bad reputation and cast doubt on business-to-consumer ecommerce companies. But eToys did post a notice on its Web site that assured customers that their personal data would remain private. This was a great public relations move for eToys, which many people feel will someday return to the Internet to do business again. It also kept the U.S. Department of Commerce, the Federal Trade Commission, and other government agencies from jumping on the privacy management issue. Promising to maintain the privacy of customers did not and could not save eToys from failure but the promise removed one more source of potential pressure and scrutiny. It also saved investors from what could have been an even more painful exit from the business field, which is hopefully just a temporary shutdown. Not all dotcoms have failed or will fail.
But almost all of the remaining dotcoms want to make the best showing possible as they work hard to survive and thrive in a turbulent atmosphere. Many Web sites and ecommerce companies are
using their promise of privacy protection as a marketing tool. Visitors to popular Web sites can now access privacy policies and determine if the site’s policies are adequate before divulging any private information. Such efforts assure consumers that their transactions will be conducted in a secure and protected environment. The dotcoms need as many positive points with consumers as they can possibly score, and privacy protection has become a standard feature of a trustworthy Web site.
However, some advocacy groups are still skeptical as to the sincerity of Internet companies in protecting privacy and have been very critical of the language contained in posted privacy policies. Many of these concerns could be legitimate. But ultimately it is up to consumers to decide if a Web site meets their personal standards. Advocacy groups are going to continue to visit Web sites and publish the results of their research and their judgments about privacy protection trends on the Internet. These groups are likely to become more aggressive in the future, and any company that is listed on an advocacy group’s hit list for poor privacy protection policies and procedures will certainly suffer from bad press. The basic nature of advocacy groups is that they must have drama in order to receive attention. When advocacy groups get attention, they can also attract new members. This enables the groups to fund their projects and pay staff salaries. Advocacy groups are also in competition with each other for news coverage, members, and financial resources. This makes the entire arena of advocacy a volatile environment. Business executives need to be aware that their company can readily become a target of an advocacy group and should preempt any strikes by moving in a positive direction on privacy management. Good reputations in dealing with privacy issues can be capitalized on and are an asset in marketing, sales, and attracting investors.
Bad reputations can become a permanent line item in the annual budget and can cost millions of dollars to overcome.
Business Alliances and Privacy
In a global economy and in highly competitive marketplaces, very few companies now go it alone. The stand-alone company without business partners is extremely rare. As business alliances expand in the future, it is likely that such alliances will have requirements for corporate image and compliance with numerous standards, including appropriate privacy policies and procedures.
One of the basic approaches to ecommerce is the establishment of relationships among organizations that are capable of providing specialized services, merchandise, markets, or core competencies. An ecommerce company can then offer one-stop shopping, order fulfillment, and shipping services. The company sponsoring the Web site generally does not offer the full array of services but instead contracts out to other companies to supply specific items and to handle packaging, billing, credit card clearance, or shipping services. The buyer actually has no real idea which company is supplying products or delivering the various services available through the Web merchant. Networks of companies that develop such relationships are often referred to as supply chain participants. These ecommerce practices are prevalent in both Internet-based business-to-business and business-to-consumer operations. An enterprise that participates in a supply chain system as a consumer of goods or services, and in the process passes personal information about a customer on to suppliers or service companies, is responsible for protecting the privacy of the data released during the business process. Providers of goods and services, in turn, are responsible for protecting the privacy of information that they are provided during the business process. Numerous large Internet supply chain systems started to emerge in the late 1990s. The automotive industry, the chemical industry, and many large conglomerates established supply chain systems.
General Electric Corporation invested very heavily in developing a major business-to-business supply chain system that required participants to pay a hefty entry fee.
Supply chain systems may never become the end-all business solution that some of their creators envisioned. However, it is clear that business alliances, especially those supported by Internet architectures, are becoming a permanent part of the business landscape. The successful Internet-based alliances will have to struggle hard to succeed. These massive supply chain environments are costing their developers millions of dollars to establish. Therefore, they will want to avoid the potentially negative consequences that can be caused by privacy-related scandals and litigation. This in turn means that members of these alliances and supply chain systems will be required to meet minimum standards for privacy protection in order to be eligible for participation.
Establishing a Risk Avoidance Philosophy
All types of organizations need to develop privacy policies that maximize the benefit of reusing information in as many ways as possible while minimizing the risks associated with potential privacy violations. As political and social pressure increases, the case for a solid privacy protection plan is that it can help avoid negative incidents and scandals and their associated costs as well as open doors to participate in business alliances and global commerce environments. Executives need to bear in mind, above all, that it is important to achieve balance by providing customers with privacy protection while still enabling various departments in a company to get a strong competitive advantage from information collected and maintained by the enterprise. Chapter 3 provides an executive-level analysis of the foundation of privacy laws.
3
What Privacy Means
There are many ways to define privacy. This is reflected in a myriad of complex industry-specific and general privacy-related laws in nations around the world. There are cultural, societal, political, legal, and national viewpoints as to what privacy means and what constitutes a violation of privacy. Thus, it is important to establish an operational definition of privacy in an enterprise and clear policies and procedures to protect privacy. A well-formulated privacy policy will help prevent inadequate interpretations of policies and procedures. When there is a lack of procedures covering specific incidents or information elements, a privacy policy will help executives make good decisions regarding the privacy of information. The third executive challenge in managing privacy is leading the organization’s efforts to convey a basic understanding of privacy-related laws.
Copyright 2001 Michael Erbschloe. Click Here for Terms of Use.
At the most basic level the privacy of information is tied to ownership of information. Ownership of information is clear in many cases. If an enterprise, for example, creates information about its products, business strategies, or operations, then that information belongs to the enterprise. The information is the property of the enterprise. Managers in the enterprise determine who has the right to know that information and when and where it can be disseminated. Many new laws are extending this concept of ownership to the individuals that provide personal data to organizations or businesses. In other words, individuals own the information they supply and have the right to determine or restrict how their information is used by organizations to which they provide information. Disseminating the information, however, is not the same as giving away ownership or the rights that are inherent in that ownership. This is where the definition of privacy becomes more complicated. It is common practice for an organization to provide another organization with proprietary information in order to facilitate a business relationship. During this process, the two organizations establish a basis for the exchange of information and expectations, and agree on how that information can be used.
This chapter provides executives with an understanding of privacy laws as well as insight into how these laws will affect organizational requirements for protecting privacy in the future. Executives should take the following action steps to assess how privacy laws may affect their organization:
• Develop an understanding of the privacy laws and regulations that impact their organization on a national and global level.
• Assess how privacy laws are evolving and what new laws may mean to their organization’s operations or business practices.
• Determine the business-related privacy management needs of their organization.
• Establish a perspective on the future of privacy management practices and how they will affect the organization, both positively and negatively.
The Foundation of Privacy Laws and Regulations
Privacy laws around the world do vary considerably, but many new laws are consistent with the European Union’s (EU) privacy legislation called the Directive on Data Protection that became effective on October 25, 1998. The directive requires that transfers of personal data to non-EU countries take place only if those countries can provide acceptable levels of privacy protection. This directive resulted in a long series of negotiations between the United States and the EU and the development of safe harbor standards. The adoption of safe harbor principles is still being hotly debated in the United States. As it now stands, compliance with safe harbor requirements is voluntary, and organizations may qualify for the safe harbor in different ways. To obtain and retain the benefits of the safe harbor, an organization that voluntarily adheres to the principles must publicly declare that it has done so. The principles of safe harbor are as follows:
• An organization must inform individuals as to why information about them is collected, how to contact the organization with inquiries or complaints, what types of third parties the information will be disclosed to, and the options and means the organization provides individuals to limit its use and disclosure of information.
• Notice must be provided to individuals in clear language at the point when individuals are first asked to provide personal information or as soon thereafter as is practicable. In all circumstances the organization must inform individuals before it uses information for any purpose other than that for which it was originally collected or before it discloses information to a third party.
• An organization must provide individuals with an opportunity to choose (opt out) if and how personal information that they provide is used or disclosed to third parties if such use is not compatible with the original purpose for which the information was collected. Individuals must be provided with clear, readily available, and affordable mechanisms to exercise this option.
• When the information is sensitive and concerns such things as medical history or health status, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or information concerning the sex life of the individual, the individual must be given the opportunity to specifically affirm (opt in) that the information can be used.
• An organization is allowed to disclose personal information to third parties in a manner that is consistent with the original principles of notice and choice. When an organization is passing on information that an individual has approved the use of, it must first determine that the receiving party subscribes to the safe harbor principles. As an alternative to meeting general safe harbor requirements, the receiving party and the organization providing the information must enter into a written agreement in which the receiver agrees to provide at least the same level of privacy protection as is required by the relevant safe harbor principles.
• Organizations that create, maintain, use, or disseminate personal information must take reasonable measures to assure that it is reliable for the intended use.
• Organizations must also take reasonable precautions to protect personal information from loss, misuse, unauthorized access, disclosure, alteration, and destruction.
• An organization may only process personal information for the purposes for which the information was originally collected. In doing so an organization is responsible for assuring that data is accurate, complete, and current.
• Individuals who provide information must have reasonable access to personal information about them that an organization holds and be able to correct or amend that information where it is inaccurate.
In addition to the steps that an organization must take internally, nations and states face the need for providing privacy protection mechanisms to ensure compliance with the safe harbor principles. There must also be recourse for individuals affected by noncompliance with the principles and there must be consequences for an organization that violates safe harbor principles. Such mechanisms must include readily available and affordable independent recourse for an individual’s complaints and a method by which disputes can be investigated and resolved as well as damages awarded where the applicable law or private sector initiatives provide. There must also be procedures to verify that the assertions businesses make about their privacy practices are true and that privacy practices have been implemented as they were stated at the time the information was originally collected. Sanctions against organizations that violate the principles must be rigorous enough to ensure compliance.
How Privacy Laws Are Evolving
Privacy planners should recognize that members of the EU have similar privacy laws. In addition, those countries that are negotiating for EU membership and those countries that have expressed an interest in EU membership will comply with broad EU guidelines on privacy and implement any specific laws necessary to gain membership. It is also important to understand that there are many countries outside Europe that have privacy laws similar to those of EU member states. This trend is likely to continue regardless of what the U.S. Congress decides regarding adoption of safe harbor principles. The concepts inherent in safe harbor principles and what they may mean for the practical implementation of privacy law will continue to face heated debate in the United States for years to come. However, it is important for executives to look beyond present-day political rhetoric. More privacy laws are inevitable in the United States as well as other countries. The safe harbor principles are rooted in protection of privacy for the individual and grant individuals the inherent right to determine how their personal data can be used by organizations that collect such data. Regardless of the twists
and turns that privacy laws may take over the next several years in the United States, or any other country for that matter, the global trend is toward compliance with safe harbor principles. This means that the future of privacy laws and regulations will be substantially impacted by the principles that underlie privacy laws and regulations that currently exist in European countries. It may take over a decade for these principles to be enacted in a uniform manner in U.S. law. The process of lawmaking in the United States is not solely an issue of what Congress or any state legislature wants laws to be. The constitutional process, although seemingly slow at times, usually ends up establishing a balance between the needs of the individual and of society. Privacy laws will also find a balance, and the right of the individual to determine how private information is used or is disseminated by organizations that collect such data will likely be decided in favor of the individual. While this evolutionary process is taking place, it is important that executives work to make sure that their organization does not become a victim of this social Darwinism.
Understanding Privacy Needs
One of the key roles of executives in leading the privacy management efforts of an organization is to be able to articulate the need for appropriate privacy policies and procedures. In addition, it is the ultimate responsibility of executive-level managers to ensure that all middle-level managers in the enterprise understand the business, legal, and social aspects of privacy. It is up to the privacy task force to develop specific policies and procedures. But the work of the task force will be made easier if executives understand what is at stake and what can be gained by having enterprisewide policies and procedures. Chapter 4 provides an overview of the process of developing privacy plans, including a detailed privacy needs audit. As the process of developing privacy plans is initiated, it is essential that an organization establish an understanding of
privacy needs and, as a building block in the process, develop a privacy philosophy. This philosophy, like an enterprise mission statement, should be understood by everyone in the organization. Inherent in the understanding of privacy is an understanding of an implied or explicit privacy contract with those individuals or organizations that provide personal or corporate information during the normal course of business.
The concept and process of privacy can be viewed from a number of perspectives ranging from political to economic. The philosophical focus of the privacy management perspectives in this book is geared toward the improvement of the business bottom line for private companies and cost controls and resource optimization for nonprofit and government organizations. This can be achieved by reducing the risks associated with privacy management problems as well as examining new ways to use information as an economic resource. The economics of resource optimization are relatively easy to get a handle on, but the definition of risks will vary widely depending on the type of organization. Privacy factors that will vary across organizations include the existence and detail of privacy policies and the degree of central control over the use of corporate information.
Perspectives on privacy range from low risk to high risk. In a low-risk environment, a privacy policy is in place, information dissemination is tightly controlled, policies are set by data type, and all disclosures of information to outside organizations require approval. In a high-risk environment, there are only nominal policies in place, information is loosely controlled, at best there tends to be global nonspecific policies on privacy of information, and business units and departments are allowed to make their own decisions on the use of information.
The major challenge in developing a privacy philosophy is working through the process of consensus building among departments and managers in your enterprise. Some departments will be far more willing to take the higher-risk perspective, while others may advocate moving toward a low-risk perspective. Typically, marketing and sales departments are more willing to take higher risks in dealing with privacy. This is the nature
of sales and marketing departments, which are measured by their abilities to target customers, generate revenue, and expand market share. In addition, the management teams in sales and marketing typically have compensation plans that are tied to performance, which means that they will feel threatened by any action that limits their abilities to target customers and achieve performance goals. On the other end of the continuum are the public relations departments and at times corporate counsel who are responsible for cleaning up any disasters that befall the organization. These parties will clearly push for a low-risk perspective for the organization. In addition, stockholders may tend toward a low-risk privacy philosophy because they know privacy scandals can negatively affect stock prices as well as earnings. However, there may be contradictory positions among stockholders because they want to improve revenue and sales and are willing to take higher risks to accomplish these goals. Yet they will be embittered when higher risks result in negative consequences such as privacy-related problems.
What to Expect in the Future
The legal requirements for managing the privacy of information in the future will become more complex as laws evolve and social pressures increase. The legislative and political process is just beginning to churn, and it will take time for privacy laws to mature and stabilize. There will be many attempts to make sense of privacy needs, and it will take time to balance privacy needs with social, political, economic, and business conditions. It has taken several decades for socially oriented legislation in areas such as civil rights and environmental protection to evolve and to come into balance with overall social conditions. In the area of privacy, just as in civil rights and environmental protection, the dialogue among interest groups and the political process will continue to be full of conflict. These evolutionary processes will continue to make the job of privacy managers challenging and at times perhaps even
extremely difficult. It is likely that there will be very few dull moments as the evolution of privacy policies and laws occurs. One of the major tools that executives already have to help manage privacy is rapidly evolving information technology that is designed to help organizations manage data and information. The competitive nature of the information technology industry is pushing all manufacturers to develop and market more business-friendly products. Information technology producers are constantly trying to outdo each other in creating products to help solve business problems. Many of the largest information technology makers are now developing systems to help manage privacy and to ensure the security of data. New and improved privacy management abilities will be built into future information processing products and business solutions. Chapter 4 discusses the process of developing and implementing enterprisewide privacy policies and plans and how executives can help that process to move forward.
4
Moving Ahead in Privacy Management
The fourth executive challenge in privacy management is launching a formal privacy management process in the organization. The first step in developing a privacy plan is to create an organization structure in which to conduct work: a privacy task force. The privacy task force is composed of representatives from all departments in an enterprise. Leadership of the task force must be determined and an agenda for action needs to be set. It will take several months for the privacy task force to compile the data needed to determine what information must be protected and to formulate policies and procedures to ensure privacy is maintained. This chapter provides an executive-level overview of the privacy policy development and implementation process that includes establishing a privacy task force, allocating necessary resources, and estimating the time required to complete the four phases of privacy planning. Executives
should take the following actions to determine how best to develop privacy protection policies and procedures in their organization: • Develop an understanding of structured processes that can help ensure that appropriate privacy policies and procedures are developed in an organization. • Determine how to establish a privacy task force and privacy management function in the organization. • Assess what resources are required to support a privacy task force and privacy management function and develop appropriate privacy management policies and procedures in the organization. • Establish realistic timelines for developing a privacy management plan to thoroughly assess privacy needs and develop and implement policies while balancing the need to complete the project in a timely manner. • Identify obstacles that may impede the development of privacy policies and plans and be prepared to deal with these obstacles in the organization.
The Four Phases of Privacy Plan Development and Implementation
There are many ways to go about developing appropriate privacy policies and procedures for an organization. Smaller organizations with localized or narrow lines of business may have little difficulty determining their privacy management requirements and may be able to work through the process quickly. Larger organizations that conduct business in several countries and that have interests that cross business sectors will require a more extensive and structured process to develop and implement sound privacy management programs. In large organizations, the successful development of a privacy management program will require the participation of all departments and business units. A structured process for building an enterprisewide privacy management program is broken down into four major phases:
• Phase One: Organizing and research
• Phase Two: Conducting a privacy-needs audit
• Phase Three: Developing policies and plans
• Phase Four: Implementing the plan
In phase one, the organizing and research phase, a privacy task force leader is appointed and the privacy task force is put into place. Departments identify and staff their departmental-level privacy teams, and the skill base of the task force and department teams is assessed. Training to round out the skills of the staff working on the privacy plan is conducted, and outside help, if necessary, is identified and selected. A schedule for the work of the task force is developed, and an internal awareness campaign is then launched.
In phase two, the privacy-needs audit phase, an organization must begin to understand the many types of data and information it collects and uses. Identifying data, determining where or from whom it comes, establishing how and where it is used, and determining whether and where it is disseminated are all accomplished during the privacy-needs audit. In addition, the audit process identifies laws, government regulations, and internal requirements that could possibly govern the collection, use, and dissemination of the data.
In the third phase of privacy planning, enterprise privacy statements, policies, and procedures are developed and written. Actual implementation of the plan is accomplished in phase four.
The complexity of a privacy plan development project and the resources required for each phase in a structured development process will of course vary with the nature of an organization. It is important to be thorough, but it is also important to be expedient. Everything about the project may look cloudy in the beginning, but the organizing and research phase is designed to make the subsequent phases go more smoothly. It is important to get off to a good start, do a thorough assessment of the project, and determine the complexity and cost of the project. It is better to go slower in the beginning than to have to backtrack later in the project because inadequate research was conducted during the early phases.
Executives can rely on the director of the privacy task force to handle the details of the privacy planning process. The book NET Privacy: A Guide to Implementing an Ironclad eBusiness Privacy Plan provides an in-depth explanation of the four phases. The brief overviews provided here are designed to give executives a high-level view of the phases of privacy planning.
Establishing the Privacy Task Force
The highest levels of management—Chief Executive Officers (CEOs), Chief Operating Officers (COOs), Chief Financial Officers (CFOs), and Chief Information Officers (CIOs)—need to support privacy planning and privacy managing efforts across the enterprise. The support of the highest level of management helps to illustrate the importance and the seriousness of all privacy efforts. The general agreement of high-level managers should be developed in the privacy philosophy development stage. Yet, although their consensus is key, chief officers will not likely be effective in the day-to-day management of privacy or in leading the development of a privacy plan. A middle-level manager should be assigned the coordinating role in developing a privacy plan. The person assigned this task will need to put considerable time into the process and will often be required to give it his or her full attention. The manager of the privacy task force needs to be detail oriented without getting lost in the forest. This leader also needs to be able to manage a diplomatic relationship with all of the departments in the enterprise as well as work well with external resources.
The major challenge in establishing effective leadership for the privacy task force is finding people in the organization who have both the internal political clout and the motivation to be involved in the long and time-consuming task of developing privacy policies and plans. Although the ideal leader is driven to accomplish the company’s privacy goals, some people who would be most willing to take on the responsibility could cause a significant problem for an organization. A person who is motivated by personal philosophies that lean toward greater privacy protection might not be the best choice for the job. A privacy task force leader who is perceived as having already decided about privacy may very well alienate managers who are seeking a more balanced perspective. The privacy leader should be a representative of all corporate privacy concerns, who can balance the various department perspectives. The leader’s goal must be to decrease risk but not completely close off the use of information resources in the name of privacy.
Once the person who can handle this leadership position has been identified, it is important to create a cross-department task force that can help build and implement the directives of the task force leader. The privacy task force is the next essential element in organizing a company’s privacy planning efforts. Every department in the enterprise needs to be represented. Each department should have two representatives, a primary and an alternate. Appointing two representatives from each department ensures a better chance of maintaining continuity of involvement as well as decreasing the difficulty in scheduling meetings. In addition, department representatives need to be the top managers in the departments, and they need to have a complete understanding of operations and the authority to make decisions and implement plans. The big challenge in pulling together a privacy task force is getting the time and attention of managers throughout the organization. Everyone is busy, and all managers already have a long list of goals they would like to achieve—many of which may affect their own personal incomes. CEO clout must be behind the task force. The best possible role for the CEO is to make sure that the privacy task force gets the resources, participation, and cooperation necessary for the privacy policy development efforts to succeed.
The CEO should probably not lead the privacy task force because CEOs usually have a busy schedule. The initial response may be favorable if other managers see that the CEO is leading the task force. However, if a busy CEO has poor attendance at meetings and is too busy to keep up with the step-by-step processes of the task force, other managers might interpret this as a lack of true interest on the CEO’s part. The CEO must be in a symbolic and supportive role that conveys the importance of the privacy task force to managers across the organization. If managers know that an overseeing CEO will recognize their efforts within the task force, they will be much more likely to push for progress at both the corporate and departmental levels.
To encourage adherence to the privacy plan within departments, the privacy task force members will be expected to coordinate activities with the appointed privacy team within their own departments. Each department should have its own departmental privacy team. The departmental team should work with their privacy task force representatives to conduct specific departmental research to help establish the corporate privacy plan, to help evaluate the plan as it is drafted by the task force, and to implement the plan at the departmental level once it is developed. The size and membership of the departmental team will vary depending on the diversity of data used by the department. Departmental-level privacy teams should be made up of a mix of supervisory personnel and technical experts in the areas in which the department has enterprise responsibilities.
Allocating Adequate Resources
It is important that adequate resources are allocated to the work of the privacy task force. Once the task force is established, one of the next steps is to review personnel requirements and the need for outside consulting or legal support. In phase one, the organizing and research phase, there are steps designed to review resource needs. As the task force is preparing to move from phase one to phase two, the privacy-needs audit phase, there should be a clearer picture of resource needs. In most situations a full-time middle-level manager will be assigned as the director of the privacy task force. The director will likely need at least one full-time assistant to help manage information flow, prepare documentation, and publish the privacy plan and policies. This requirement of course depends on the organization’s size, business complexity, and geographic location.
Departmental support will also be required in all phases of the privacy planning process. Departmental staff conducts research on privacy needs, works as a group to formulate policies, and works as a team during the implementation process. Departments must allocate the necessary personnel to fulfill the needs of the privacy task force. In addition, the support of legal counsel is required to help the task force interpret laws and develop appropriate language for the privacy policy. The amount of legal support necessary will also vary by the organization’s size and business complexity. Industries that are heavily regulated will probably require more legal support, while industries that are less regulated will likely require less. It is important to recognize that if in-house counsel or existing retained counsel does not have specific experience in privacy management, it will be necessary to either train existing legal staff or complement the staff with outside legal talent.
It is impossible to set an estimated budget because there are so many possible combinations of needs and organization environments. The privacy task force, during phase one, should be able to get a good grip on the potential costs of privacy plan development. Smaller organizations have developed and implemented privacy plans for as little as several thousand dollars. Large, more complex organizations that are the size of a Fortune 200 company may need to spend several million dollars to develop and implement an enterprisewide privacy plan. Once the privacy plan is developed and implemented, there will be ongoing costs for keeping policies and procedures updated and for refining the privacy management approach as the organization evolves.
In large organizations it will probably be necessary to establish a privacy office and staff it with a director and at least one administrative staff person. In smaller organizations a middle-level manager, working on a part-time basis, may be able to manage the responsibility of maintaining the privacy plan and procedures.
It is important to bear in mind that developing the privacy policy and procedures is only the beginning of the process. Implementation and follow-up testing also take time to accomplish. In addition, executives should note that privacy management is an ongoing process that will require some resources on a continuous basis.
Expected Timelines for Developing Privacy Management Plans
The length of time it will take to fully develop and implement a privacy policy and plan will depend on the size and complexity of an organization, the level of regulation of privacy in the corresponding industry sector, and the diversity of businesses in which an enterprise is involved. In addition, adequate resources must be allocated. Generally speaking, the first draft of a good privacy plan with appropriate input from all departments should take from three to six months to develop in a larger organization. Once developed, it will take another three to six months to implement a privacy plan. In smaller organizations the entire four-phase privacy plan development and implementation process could take as little as two or three months.
Because managing privacy is an ongoing effort, after the plan is implemented, outcomes must be measured and policies and procedures must be updated as business and legislative conditions change. In other words, the work on privacy management is an ongoing process and should not be considered finished once the privacy plan is implemented. Once the privacy plans and procedures are developed, implemented, and tested and the privacy management process is well established, privacy managers must then determine how quickly the organization will need to evaluate new requirements and modify existing policies and procedures to ensure that privacy is maintained. Executives should take these factors into consideration and work to establish appropriate timelines for modification of policies and the implementation of new procedures and allocate resources adequate to accomplish the task within the expected time frame.
The Biggest Obstacles to Overcome
The biggest obstacle for an organization to overcome during the privacy planning process is pulling together a well-rounded privacy task force and departmental privacy teams. Many people may not want to work on the privacy task force. Supervisors and technical experts are busy and are focused on departmental performance goals that may very well affect their own personal compensation. In addition, they may feel threatened by the entire privacy protection movement. The departmental managers must ensure that they have assembled a well-rounded team, and they must motivate the team to participate fully in the privacy-needs audit as well as the policy and procedure development phases. One way to overcome such resistance and objections is to establish a bonus program for departmental team members. Bonuses for involvement in such special projects can range from $1000 up to 5 percent of the team member’s annual base salary. Executives can have considerable influence over compensation programs and can overcome barriers in the implementation process. Chapter 5 discusses the role of upper managers in developing and implementing enterprisewide privacy policies and plans.
5
The C Level Emissaries
The fifth executive challenge in privacy management is to communicate the organization’s position on privacy management. Executives are ultimately responsible for leading the development of privacy policies and plans in their organizations. Middle-level managers, however, will do most of the detailed and day-to-day work to analyze privacy needs and develop procedures to protect privacy in the enterprise. Executive-level managers play an essential role in the privacy management process that no other person can perform—they serve as high-level emissaries to boards of directors, investors, business partners, the general public, and the media on behalf of the enterprise. This means that executives must understand and be able to readily articulate the privacy philosophy and policies of the organization. In many ways the executive is the embodiment of the enterprise. Executives represent their organization in a way that no other employee can possibly accomplish. This is due in part to status and expectation, but it is mostly due to the type of functions and events that executives attend where they represent their organization. They need to be able to serve as high-level emissaries in a variety of public settings and do so in a manner that helps to effectively position the organization in a positive light to each audience. This chapter covers the range and depth of knowledge that executives must have about the privacy management approach of an organization. Executives should take the following action steps to prepare the executive management team to discuss the privacy policies and procedures of their organization:
• Establish a briefing process for upper managers on the ongoing development of privacy policies and procedures.
• Develop appropriate statements on the organization’s privacy policies and procedures or responses to deliver to different audiences, including the board of directors, investors, the media, business partners, and the general public.
• Determine the appropriate people in the organization to refer detailed questions to regarding privacy policies and plans and ensure that all executives know who these spokespeople are.
Briefings for Upper Management on Privacy Policies and Plans
Executives need to understand the privacy philosophy of their organization. They must understand the process that the organization went through to establish its privacy policies and plans as well as the fundamental principles of privacy protection that the enterprise has adopted. The step-by-step process of developing and implementing privacy is explained in Chapter 3. Although executives will not be involved in the details of the process, it is advisable that they understand the major phases of privacy policy development, how the privacy policy is translated into procedures, and the process of implementing and testing these procedures in their organization.
Much of this information will be made available to executives during the training process that is an integral part of the implementation process of privacy plans. The executive-level training sessions for privacy management should take less than two hours to conduct. The key points that executives should learn from training during the implementation phase of a new or revised privacy plan are
• The effort that has been put forth in developing the privacy plan
• The status of privacy policy development if the policies are not completely developed
• The contents of the privacy plan and how it is used as a reference tool
• Major laws that regulate privacy protection in their organization
• How to make decisions based on the enterprise philosophy toward privacy
• Information in the organization that is protected by privacy policies
• How to conduct business negotiations in accordance with privacy policies
• What employees should do when confronted with new situations
It is advisable that the director of the privacy task force, or the manager who is primarily responsible for privacy management in an organization that does not have a privacy task force, be ultimately responsible for briefing executives on the privacy policies and plans of an organization. In addition, privacy leaders from various departments should be present at such briefings to answer specific questions and assist executives in understanding how privacy policies and specific procedures may impact business practices. It is also advisable that key public relations personnel and legal counsel attend the briefings to make sure that executives are aware of the types of issues they should address when discussing privacy management with the board of directors, investors, the media, business partners, and the general public. Executives should be provided with a list of staff people that they can call and discuss privacy management issues with and who can help them prepare to address a specific audience about privacy management issues. If executives are going to speak in what could be potentially hostile environments, the director of the privacy task force or the lead staff person responsible for privacy management as well as a trained public relations representative should accompany them.
The Message That Upper Management Should Convey to the Outside World
As executives interact with representatives from other organizations during the course of business and even in social situations, they should convey a consistent and uniform message about enterprise privacy policies. The substance of these messages can surely be reinforced during the training process, but it is prudent to have agreed-upon statements that executives should make even as the privacy plan is being developed. In general, any statement that executives make regarding privacy policies or the process that the organization is undertaking to develop privacy policies should be relatively short and to the point. These executive statements should be formulated in coordination with the privacy task force and with the input of public relations staff and, depending on the circumstance, with advice from legal counsel. If an organization is not involved in a privacy violation or incident, executives should be somewhat casual in the discussion of privacy and rely upon the privacy task force and public relations department for guidance. On the other hand, if there is a serious problem with privacy and if any litigation is pending or if there is a government investigation under way, executives need to be extremely careful about what they say about privacy policies and procedures. In a low threat environment where there is no litigation or investigations under way, it is recommended that executives take an upbeat attitude toward privacy management.
Executives should be made aware of what phase of development the privacy policies and plans are in and be able to make brief comments. During the first two phases of privacy policy development, executives should comment that: “We have established a privacy task force and are in the process of reviewing existing policies and are developing appropriate procedures for our current business climate.” It is important to have at least one comeback to deal with likely questions. The most likely question is “Have you had any privacy management problems?” The response in a low threat situation should be simple and to the point. “We have not experienced any privacy management problems but as our business model and the business climate evolves, we want to make sure that we are taking appropriate steps to address our privacy management responsibilities.” An alternative question or sometimes the second question in such discussions often focuses on the general position of an organization toward privacy. Executives should respond: “Of course we respect privacy, and the goal of our privacy task force is to make sure that all of our operations are consistent in the way they manage privacy protection.” It is advisable that only well-versed executives go into greater detail on privacy management issues. It is also recommended that executives not comment on pending legislation or government regulations. Usually these laws and regulations are open to many interpretations. Often new regulations or laws take time to clarify and are sometimes overturned in court. If asked about legislation, the executive should comment: “We have established a process in which our privacy task force reviews new laws with counsel and establishes appropriate privacy management procedures.” Further comments are not advisable and, if all else fails, the inquirer should be referred to the director of the privacy task force.
In high threat situations where there is pending litigation or ongoing government investigation, it is advisable for executives to say nothing and at most should comment: “We do not make public comments on litigation or government investigations until the matters are concluded.” Executives should make it clear that everyone in the organization should respond in the same manner when confronted with such situations. This includes all members of the privacy task force as well as any employee who has contact with people outside the organization. Executives as well as all other employees should refer the person or persons with questions to a designated department such as public relations or the privacy management office.
What Upper Management Should Tell the Board and Investors
Executives are responsible for briefing the board of directors on the privacy policies of an organization. During the development of privacy plans and policies, executives should be prepared to inform the board of the status of the planning process. In general, executives should briefly report what phase the development of the privacy plan is in and whether any major obstacles have been encountered. As the work of the privacy task force moves into the implementation phase, the board may be interested in seeing an actual copy of the privacy policy and plan. If the board does take an interest in the details of the plan, it is recommended that the director of the privacy task force prepare a brief, seven- to ten-minute presentation to the board that covers the high points of the plan and the implementation process.
The investor relations department and staff can work with executives to prepare a brief overview of the privacy policy that can be made available to investors on the corporate Web page. In the event that there is an investor meeting that takes place on a scheduled basis, the investor relations staff should work with executives to determine the extent of information about the privacy policy that should be included in information packets distributed to attendees. Investors should also be supplied with a phone number to make further inquiries about privacy management. It is advisable that investors first speak with the investor relations staff who can then collect information and make sure that investors are receiving consistent answers to their questions.
Executives, with the support of the investor relations staff, should prepare a brief statement that captures the basic philosophy of the privacy policy and conveys to the investors that considerable effort was put forth to accomplish the development and implementation of the privacy policies and procedures. Executives should avoid going into detail about procedures and limit responses to questions that are general in nature. It is best to refer specific questions back to the investor relations staff, who can work with the privacy task force to formulate appropriate answers to an investor’s questions.
The Message to Take to the Media and the General Public
Executives are constantly confronted with questions from the media, and as they attend various functions and meetings they may need to deal with questions from the general public. Responses to media and public questions should be short and to the point, just as they are when executives deal with the board of directors, investors, and business partners. Detailed questions should be referred to appropriate public relations staff and the privacy task force. The purpose of this approach is not to obfuscate policies or positions but rather to make sure executives are not put in a position where they would have to answer questions without having all the facts at hand. This approach will make things easier for the executive as well as help to ensure that the media and the public receive consistent answers to questions.
In the event that an organization decides to take a high-profile approach to its privacy protection policies and a general press conference or analysts’ briefing is held, all comments that are to be made by executives should be predetermined. Comments can be prepared and reviewed through the joint efforts of the privacy task force, the public relations department, and legal counsel. During such briefings, the director of the privacy task force should be present to deal with specific questions. However, the privacy task force, public relations, and legal counsel should agree about which questions should be addressed immediately and which questions will be answered in a follow-up session or conversation. These responses should be discussed prior to any public statements or briefings. If the organization is going to take a high public profile in privacy management, it is advisable that a press packet be assembled before any major announcements. The packet can contain an overview as well as any specific items that the organization would like to be made public. If the packet is assembled, executives should be made aware that it is available. This may provide a greater comfort level for the executives because they can respond to questions by saying, “We have assembled an entire packet that explains our privacy program, and it is available from our public relations department.” This will allow the executive to show confidence that the organization can easily respond to questions in a high-profile situation.
Establishing Organization Support for Executives
It is essential and therefore worth repeating that executives need the support of several departments in the organization to provide them with accurate information. The executive needs this support to deal with people who have questions that require detailed answers about privacy policies or procedures. The public relations department, investor relations staff, and the privacy task force should all establish procedures to handle referrals from executives. A quick and courteous response to questions is the hallmark of excellence in an organization. It also demonstrates that the executive who referred the persons with questions was both serious and sincere in making the referral and was not just giving them the executive brush-off. If this support is not in place or there is an unacceptable lag time in responding to people with questions, it will reflect negatively on the referring executive. It may also give people outside the organization an impression that there is an effort to avoid answering questions about privacy management. Any organization that is taking privacy management seriously should recognize that no matter how serious it is about privacy, outsiders will have doubts if they do not get quick and thorough responses to their questions. This does not mean that the internal processes or issues should be totally exposed or that staff people in the various departments who are responsible for answering questions should not be prudent in their responses. But outsiders with questions should be dealt with in a manner that demonstrates the very best in diplomacy and external relations. Chapter 6 addresses the role of executives in keeping the privacy planning process on track and on schedule.
6
Maintaining Momentum in Privacy Management
The sixth executive challenge in privacy management is maintaining appropriate momentum in developing privacy policies and privacy management procedures in the organization. It is important to keep a privacy planning project moving ahead. Developing and successfully implementing an appropriate privacy plan requires support from all departments in an organization. Executives need to bear in mind that the staff, whose contribution to the project is absolutely essential, will also have other tasks that need to be done. In some cases these critical contributions may run counter to the workload and departmental goals of the members of the privacy task force and of the departmental privacy teams. This means that the privacy planning process may often be pushed to the back burner or be overridden by projects that team members feel are more important. In some cases, privacy team members may not be able to meet all of their goals. If work on the privacy planning process affects their ability to complete other tasks that may affect their compensation, then it is likely that team members will pursue that work which they see as the most beneficial to them as individuals. This is basic human nature, and it is up to organization executives to keep the privacy planning process moving and strike a balance between the various sources of pressure that employees may face. Executives can play an important role in ensuring that the privacy planning process does not get ignored or slighted in the face of other organizational demands. Executives should take the following steps to ensure that the development of appropriate privacy policies and procedures continues at an acceptable pace in their organization:
• Appoint an executive-level manager to oversee the privacy task force and to act as champion for the development of a privacy plan.
• Schedule regular meetings with the director of the privacy task force to monitor the progress of privacy policy and procedure development.
• Develop plans to help keep the privacy task force motivated, including a system of bonus payments to compensate team members for extraordinary effort.
• Recognize the achievement of the privacy task force at appropriate organization events, retreats, or meetings.
The Role of Upper Management in Keeping the Privacy Project Moving
All organizations should appoint an executive-level manager to oversee the work of the privacy task force. This will help keep the task force moving and be a channel to discuss resource needs and any obstacles that the task force encounters. The appointed executive should act as a champion for the project and help to acquire the necessary resources for the completion of the project. In addition, the champion can help ease internal organizational conflicts that may stall the project. The primary overseeing executive will be able to work with upper-level managers of different departments and urge them to allocate adequate resources when necessary. Executives can do many things to support the momentum of a privacy project. Occasionally attending meetings of the privacy task force is a good way to reinforce the importance of the privacy planning process. Executives can rotate their attendance at these meetings in order not to overburden any individual executive. The chief executive officer (CEO) could attend a meeting once a month, as could the chief operating officer (COO) and the chief financial officer (CFO). Such attendance should be primarily as an observer. It would be helpful if at one point during the meeting the executive could make encouraging statements about the task force and the importance of privacy management. It is important, however, that these statements be brief and sincere. Executives should not give long rhetorical and philosophical statements but focus on the business importance of having a sound privacy policy and the proper procedures to make sure that the policy is implemented. In addition to attending meetings of the privacy task force on an occasional basis, at least one executive should attend major milestone meetings of the task force. This is especially important when members of the task force are receiving recognition for their work and contributions. These occasions are appropriate for the executive to reiterate his or her support of the task force and support of the privacy policy. Comments of the executives at these events should be coordinated with the director of the privacy task force. Executives can also use other meetings that are not directly related to the work of the privacy task force or the development of new privacy policies to reiterate the importance of privacy. If, for example, there are annual or periodic meetings, luncheons, or retreats where recent or year-to-date accomplishments of the organization are reviewed, executives should remember to include the work of the privacy task force during these reviews. If, during one of these events, it is appropriate to give recognition to employees by name, then those who worked on the privacy task force should be mentioned by name.
Overseeing the Process from the Top
Executives play an important role in maintaining momentum in their organizations, and this role is essential during the privacy planning process. During phase one, the organization and research phase, the privacy task force will establish a timeline for the completion of the project. Upper management can help monitor progress by getting periodic progress reports from the director of the privacy task force. Upper-level management team meetings that are scheduled on a regular basis are an excellent forum to receive progress reports from the director of the privacy task force. If such meetings are not held, then the director of the privacy task force should provide periodic progress reports to a selected executive-level manager. If there is a COO, then periodic progress reports should be made to that executive. If there is no COO then, depending on organization structure, the CEO may be the most logical executive to receive the progress reports. The progress report should be an interactive event that allows executives to ask questions and the director of the privacy task force to candidly discuss any problems that have been encountered and, if necessary, the need for additional resources. In the event that additional resources are needed, the overseeing executive should provide support to the director of the privacy task force in procuring such resources. Executives also need to be able to recognize when the privacy planning process gets really stalled. If goals or deadlines are constantly not being met or the process falls behind without a reasonable explanation, it may be time for intervention at the executive level. If the overseeing executive feels that the privacy planning process is failing, then he or she should confer with the director of the privacy task force or members of the task force with whom they have had a working relationship.
This is not a matter of spying on the task force, but should nevertheless be handled with care. If the overseeing executive feels that the director of the privacy task force should be replaced, it is recommended that conferences be held with other executive-level managers to determine if they have comments or insights into the situation. It is important to recognize that even if a director of the privacy task force is lagging behind schedule, he or she should be kept in place until a suitable replacement can be found to take over the work. It may take considerable time to find a replacement, and it is better to have some momentum than no momentum at all. There are certainly many reasons why an employee should be terminated immediately, but if the director of the privacy task force is a seasoned employee with a good reputation for accomplishing goals, it is unlikely that immediate termination would be required. The overseeing executive also needs to understand and monitor the transition phases of the privacy task force. Many privacy task force directors feel that it is easier to formulate a policy and develop an implementation plan than it is to actually implement the plan. This perception is rooted in two dynamics. First, some people are better at analysis, research, and planning than they are at implementation. The privacy policy and plan may be perfectly well crafted, but the director who brought it to that level may have little, if any, experience in implementing policies. This can be a relatively delicate situation for the executive, but it is important to bear in mind that the plan must be thoroughly implemented to be of value to the organization. If the overseeing executive feels that implementing the plan is beyond the skill set and experience of the privacy task force director, then the director needs to be replaced with an individual who has more implementation experience. A second dynamic that can stall the implementation of the plan has little to do with the director of the privacy task force. Implementation may get stalled at the departmental level, for various reasons. These could include inadequate resources as well as what might be an inherent resistance to change.
An experienced executive should be able to ascertain why implementation is not going well. He or she should conduct brief meetings with the task force director to discuss obstacles and meet with department managers to discuss their view of the process and examine the resources available to implement the plan. If an overseeing executive finds him- or herself in this situation, it could turn into a real test of management ability and diplomatic skills. There are no simple solutions to address a lack of cooperation from department managers or departmental-level privacy teams. These types of problems can really only be addressed at the executive level. If executives have demonstrated ongoing support for the privacy planning process, departments are more likely to give the necessary support. However, such problems should not pose any more of a challenge than other issues or problems that executives deal with throughout their career. It is not uncommon for executives to smooth out conflicts between feuding departments. Hopefully, the privacy planning process will not create such problems, but executives need to monitor the progress of the privacy task force and, when possible, head off these types of conflicts.
Motivating the Privacy Team
The privacy task force and the departmental teams are facing a very large and complex project. It is advisable to develop an approach to motivate the team to stay on track and on schedule. This can be achieved through a variety of means. Bonus plans are always helpful in motivating employees, as are other perks that may be commonly used in an organization. The champion executive and the director of the privacy task force, in cooperation with the human resources department, should establish a bonus or perk plan and put it into place when the privacy planning project is launched. Bonuses can be paid in several ways, but incremental payments made to task force members for meeting specific deadlines and goals will probably be the most effective. A payment could be paid, for example, after the privacy-needs audit is conducted, as well as when the final plan is developed. Other payments could be made at the time when implementation has reached a certain level. Bonus payments for the director of the task force should be substantial and in a large organization equal at least 25 percent of the director’s base salary. Bonus payments for task force members and departmental privacy teams need not be as high as that given to the director of the privacy task force but should equal at least 10 percent of the participating employees’ base salary. In addition to bonus payments, recognition events are also generally helpful in motivating staff. This could be implemented in the form of a special luncheon or dinner where letters of appreciation, plaques, or other award items are given to members of the privacy task force and departmental teams. How these perks are developed or how programs are implemented will largely depend on the culture of an organization. It is recommended that the perk plans be consistent with the organizational philosophy regarding such programs. Another perk that may be attractive to privacy task force members is the opportunity to attend high-profile conferences on privacy management. This is an expensive perk, but if task force members are being considered for long-term positions in privacy management within the enterprise, sending them to such conferences will help round out their perspectives on privacy management issues. It is recommended that conferences be carefully evaluated to ensure that task force members and the organization will benefit from their attendance. Conferences that focus on ways that organizations can better manage privacy will be the most beneficial. It is also advisable that the conference attendees conduct a briefing for the privacy task force on what was covered at the conference and share new ideas with the entire privacy task force.
Recognizing Achievement
Recognizing the achievements of the privacy task force members needs to go well beyond bonuses and perks. A bonus based on performance is a relatively private matter between the employee and the employer. The celebration events are, for the most part, focused on the group of participating individuals. A more public method of recognition helps to bring attention to the accomplishments of the task force members and can also serve as a means of reinforcing the importance of privacy policies and procedures. Public recognition can take the form of articles in organization newsletters or the announcement of special commendations for exemplary task force members. These approaches will require coordination among those responsible for internal communications and the human resources department as well as all of the departments that deployed departmental-level privacy teams to work on the privacy-needs audit and plan implementation. At the least, members of the privacy task force should be provided with a letter of recognition for their contribution to the development and implementation of the privacy policy and related procedures. Such a letter should be given to the employee and placed in his or her personnel file in a manner that is consistent with organization policy. Executives should keep in mind that some employees will find their work on the privacy task force very rewarding. Other employees, however, may consider working on the privacy task force an interruption to their personal and professional goals. Hopefully, this can be avoided, but the contributions from departmental managers and area experts may help move the privacy planning process along at a faster pace and result in more thorough work. This is a delicate balance that executives need to deal with in overseeing the work of the privacy task force and the overall privacy management efforts of an organization. Chapter 7 covers the process of finalizing privacy policies and plans.
7
Finalizing and Implementing Privacy Policies
The seventh executive challenge in privacy management is to ensure that the organization addresses privacy management needs on an ongoing and long-term basis. As the privacy planning process moves into phase three and the actual privacy policy and procedures are written, executives need to be briefed on the plan and participate in final policy approval. In addition, executives must continue to show support for the plan as it moves into phase four, the implementation phase. This requires availability on the part of executives to read the policy and, to the extent necessary, review proposed procedures. This review must be done in a thorough and timely manner in order to keep the process moving forward. This chapter examines the role of executives in finalizing the privacy plan and giving an executive-level endorsement to the plan as well as providing appropriate support during the implementation process. Executives should take the following action steps to move from the privacy planning process to implementing the newly formulated policies and procedures:
• Establish a procedure and set a time for executive review of the privacy policies and implementation plan.
• Support the adoption of the new privacy policy and procedures by verbally endorsing the policies and making business decisions that are consistent with the new policies.
• Provide ongoing support and endorsement of the privacy policy and procedures during the implementation process.
• Lead the transition from privacy plan implementation to normal business management conditions.
• Develop a perspective on the future of privacy management in order to better understand how to lead the organization’s efforts to maintain privacy management as conditions change and new technology becomes available.
Executive Review of Privacy Policies and Implementation Plans
As the privacy policy and plan are finalized, executives need to take time to review the work of the privacy task force. This review can be approached in a variety of ways. However, executives should take time to review the final policy documents and, if desirable, have a formal briefing by the director of the privacy task force. Bear in mind that departmental managers and legal counsel have been involved in the development of the policy, and at this point the policy should be consistent with other policies and procedures already established by an organization. Thus, executives need to review the plan at a high level and not at a detailed level. This means that executives do not need to review every procedure in the plan but must be familiar with the overall philosophy and business implications of the plan.
Executives should work with the director of the privacy task force to determine how the executive review should proceed. Some executives like to read and prepare before they are briefed, while others prefer a briefing first and then to be left with documents to review and comment on at their convenience. Neither approach is necessarily better than the other, and executives should select an approach that best meets their needs and the needs of the organization. Regardless of the sequence in the review process, the briefing by the director of the privacy task force should be scheduled well in advance so that he or she has adequate time to prepare. Briefings should be relatively short and to the point. Essential material can be covered in thirty minutes or less, and some time should be scheduled to deal with questions and answers. At the end of the briefing, executives and the director of the privacy task force should agree on a date and time for further discussion and a date and time for receiving final executive comments. Advance scheduling of the briefing is important because executives generally maintain a very busy schedule. In addition, the executive review process should not hinder or slow the momentum of the privacy task force. This means that the privacy task force must also stay on schedule to meet the deadline for submitting material for the prescheduled executive review. The review process should occur in a supportive and professional environment. It is not a time for philosophical debate about the role of government in regulating business. Some venting may be helpful, but it should be kept to a minimum. It is important that executives recognize that the director of the privacy task force as well as all of the members of the task force and departmental teams have put forth considerable effort to develop the privacy policies and plans.
During the executive review process, encouragement and words of appreciation should be exchanged between any executive participating in the briefing and the director of the privacy task force and any task force members that participate in the briefing.
The Role of Upper Management in Policy Adoption
Executives in all organizations play a very significant role in adopting policies. It is essential that executives be involved in adopting the privacy policies. This will help ease the implementation process and convey a message to all employees as well as outside observers and interested parties that the organization is serious about privacy management. As the privacy task force finishes its work on establishing policies and procedures, executives need to be both visible and verbal. The process of developing a well-balanced privacy policy means that all interests within the organization are heard. It does not necessarily mean that all departments or business units will get their way. Privacy management is a relatively new concept in many organizations. In the past, healthcare, education, and banking and finance organizations have certainly been required to protect the privacy of their constituents and members. However, for many organizations the concepts of privacy management and protection may have never been considered an issue. Even if all departments have demonstrated reasonable cooperation during the development of the privacy policy and the procedures necessary to see that the policies are implemented, there may still be some resentment and resistance. Much of the potential remaining resistance and resentment can be nullified if it is clear that executive-level managers endorse the new policy. Many executives will not have a problem at this stage of the privacy planning process. However, all executives must show their support for the adoption of the policy. If any one executive shows doubt or has not signed on to the new policies, then resisters will think they have a champion and may not give their full cooperation during the adoption process and will be an obstacle as the new procedures are implemented. It is critical that executives are consistent and public about the adoption of privacy management efforts.
The Importance of Executive Participation During Implementation
The need for executive support does not stop once a privacy policy is adopted. It takes time to implement new procedures that are designed to ensure that all of the information management activities of an organization are compliant with enterprise privacy policies. Full implementation of new procedures can take months to accomplish. Executives must continue their oversight of the privacy management process throughout the implementation process to ensure that the process goes smoothly and all activities come into compliance. In smaller organizations, implementation can be achieved in a matter of months and possibly just a few weeks. In large organizations with multiple business units and business operations in several countries, the implementation of a new privacy policy could take several months or more to accomplish. Executives can show their support of the implementation process in the same way that they demonstrated their support during the privacy policy and procedure development process. This includes attending occasional meetings of the privacy task force and continuing to give public support to the privacy management process. Without clear signs from executive-level managers that new privacy policies will be implemented, any individual or department that disagrees with the policies will slow down their implementation. This resistance can stem from many sources. Some people just don’t like change. Others may feel that new enterprise policies are an encroachment on their territory or their ability to accomplish departmental goals. Others may feel that new policies will hinder their accomplishment of goals and result in lowering their personal compensation. Executives need to maintain a positive attitude and help keep up the momentum of implementation. All of this may sound redundant and ridiculous to some managers.
But it is during the implementation process that human nature will run its final course of resistance. It is the role of the executive-level manager to ensure that implementation is not slowed down by personal or political feelings on the part of any departmental managers or their employees. During the implementation process is when the executive can become a cultural and spiritual leader in the organization. It is essential to show a continuous and positive attitude during implementation. One of the worst things that an executive can do during the implementation of new privacy policies and procedures is to attempt to hinder the implementation directly. This can happen when an executive identifies a new business opportunity that may run counter to the privacy policy. Information about customers is a valuable resource. It is also a resource that can be turned into a new business opportunity and more revenue. This in turn may result in great monetary compensation for the executive. Although passing up an opportunity may run counter to the personal and professional goals of an executive, any opportunity that can result in compromising privacy protection needs to be either modified or passed on completely. Executives need to set a constant example and adhere to the privacy policy. If they do not, they cannot expect the rest of the organization to remain in compliance with enterprise privacy policies and procedures.
What to Expect in Managing Privacy Protection in the Long Term
Once an organization has gone through the extensive process of developing a privacy policy and then implementing procedures to support the policy, it will be time to move into a normal business management mode. This means that privacy management becomes a routine part of conducting operations and has become institutionalized in the structure as well as in the culture of an organization. This transition should happen in a natural fashion as the work of a privacy task force or privacy office moves from an implementation focus to a monitoring and maintenance mode.
The long-term privacy management challenges that organizations face fall into two major categories—the evolution of privacy laws and policies, and adapting information technology to meet privacy management requirements. Currently there is little consistency or alignment between privacy needs and the ability and desire to manage privacy. In the future we can count on the fact that laws will change and there will be better information technology solutions to help manage privacy. But this is going to take time and will require considerable effort. The legal requirements for managing the privacy of information in the future will become more complex as laws evolve and social pressures increase. The legislative and political process is just beginning to churn and will take time to mature. There will be many attempts to make sense of privacy needs, and it will take time to balance privacy needs with social, political, economic, and business conditions. It has taken several decades for socially oriented legislation in areas such as civil rights and environmental protection to evolve and to come into balance with overall social conditions. In the area of privacy, just as in civil rights and environmental protection, the dialogue among interest groups and the political process will continue to be in conflict. These evolutionary processes will continue to make the job of privacy managers challenging and at times perhaps even extremely difficult. It is likely that there will be very few dull moments as the evolution of privacy policies and laws occurs. The database software that drives most business applications is extremely flexible and can be used to manage data for almost any business process. Although this flexibility is an asset, there are two ways in which such high levels of flexibility are an obstacle. 
First, to get the most out of database software requires a cadre of highly skilled programmers and administrators that must be capable of interpreting business rules and translating those rules into functions that control how data can be used. Second, even when an organization has a sufficiently skilled workforce to use database technology, the emergence of supply chain systems and interconnections across organizations still can put data at risk. These risks arise from the potential of abuse by some members of the supply chain as well as increased exposure to security risks because of a weakness somewhere in the supply chain system. To overcome the exposure to risk in a supply chain environment, to reduce the cost of having to hire and train highly skilled software personnel, and to maximize the benefits of new off-the-shelf applications software, organizations will seek alternative methods of deploying information technology solutions. Several methods for achieving these goals have been tried in the past, including outsourcing entire information technology operations and implementing enterprise resource planning and management systems from major software producers. These methods still have a high degree of potential for solving the problems of information control, risk avoidance, and cost reduction. However, none of the existing approaches completely address all of the needs that an organization faces in managing technology and maintaining privacy. The evolutionary direction of information technology products and services is toward the creation and maintenance of a trusted environment. A primary characteristic of a trusted environment is that the information technology that is used to process information be supplied by producers that develop and market hardware and software products that meet stringent security standards and have high levels of interoperability. If the environment is a supply chain system managed by a third party, it is essential that this environment have the highest levels of system availability, data security, and privacy management standards.
In addition, membership in the supply chain should be restricted to companies that adhere to safe harbor principles and that deploy information technology products that comply with stringent security standards and have high levels of interoperability. There will also be financial liability and legal consequences for third-party supply chain managers, technology suppliers, and supply chain participants that fail to meet standards or violate safe harbor principles.

The emergence of trusted environments will take about five years. At this point there is no clear leader among third-party companies that has enough experience and is currently capable of supporting a trusted environment model. In addition, there is no universal standard on security and technology; producers are, for the most part, still creating proprietary technology. Existing Web-based trading communities and marketplaces do not meet all of the criteria for a trusted environment, and none has been in existence long enough to gain a solid reputation in the traditional business community. There are also potential antitrust and fair trade issues that need to be addressed before the trusted environment is politically acceptable. Although these obstacles are indeed formidable, the need for privacy management and the continued growth of ecommerce are trends that will help to foster the emergence of the trusted environment. Another, more practical issue, the taxation of ecommerce, may also contribute to the emergence of trusted environments, because the underlying transaction technology could also facilitate the payment of sales taxes to hundreds of taxing entities. There will also be increased pressure for trusted environments as safe harbor principles gain universal acceptance.
About the Author

Michael Erbschloe is the coauthor of Net Privacy: A Guide to Implementing an Ironclad eBusiness Privacy Plan. He is an information technology consultant, educator, and author. Mr. Erbschloe has also taught and developed technology-related curricula for several universities, including a graduate program in electronic commerce for the University of Denver. Mr. Erbschloe is the vice president of research for Computer Economics, Inc., of Carlsbad, California, a leading technology think tank. He has consulted with leading companies around the world on technology management. Mr. Erbschloe has authored over 3200 articles for technology newsletters and magazines covering the economic aspects of information technology. His research work and comments as a technology futurist have appeared in many leading magazines and newspapers, including Fortune, Time, The Wall Street Journal, U.S. News & World Report, Investor's Business Daily, The Washington Post, and USA Today.

Copyright 2001 Michael Erbschloe.