It may have taken a few years and any number of HIPAA-related headaches, but just about every company of substance has accepted, if not embraced, the role of privacy officer. Strangely absent from the back-and-forth bickering, however, has been discussion about what makes a good CPO -- specifically, what type of background best prepares an individual for this high-profile gig.
Predictably, consultant types as well as those holding such positions have vastly different ideas as to what works and what doesn't.
One issue hotly debated is whether a legal background is really necessary. While a number of CPOs have arrived at their positions with law backgrounds such as trial attorney or lobbyist -- many say that legal training helps but should not be deemed a job prerequisite.
"My view is that information protection and privacy is much more a business issue than a legal issue," says Chris Zoladz, Marriott International's vice president, information protection and privacy, who comes from an accounting background sharpened by 13 years at Ernst & Young. "I had two business law courses as part of my accounting degree. Combine something like that with access to legal resources, and that should be plenty."
Kirk Herath, Nationwide's associate general counsel and chief privacy officer, as well as an Inside 1to1: Privacy board member, doesn't necessarily agree. "The [CPO] job is so steeped in the law," he says. "If you don't have a legal background, you better have a really competent privacy lawyer tied to your hip." It could largely be a matter of internal and external perception, he adds. "Especially in financial services companies, it really helps to have the cachet of a law degree."
Privacy experts also question whether execs who have sharpened their skills in the worlds of sales and marketing can effectively fill the CPO role. "Absolutely somebody like that could," says Sandy Hughes, global privacy executive at Procter & Gamble, who boasts a systems-analysis background. "The more consumer-facing things your company does, the more value [a person with a sales/marketing background] would have at the privacy table."
Counters Herath: "Reasonable minds may differ on this, but I do not think marketing people should be CPOs. I think there is an inherent conflict between what marketers want to do -- a robust use of data -- and the privacy role, which almost by definition requires you to impose constraints on how data can be used and by whom."
If there is a single requirement for an effective CPO, it would seem to be a fairly long and active tenure within the company at which he or she is to assume the role. With the increasing importance of privacy as both a competitive differentiator (the sales/marketing side) and regulatory hazard (the legal side), the person who presides over it must know how to navigate the company's unique nooks and crannies.
"A CPO needs to know how things work. You wouldn't choose somebody with, for example, two years of experience at the company and no knowledge of privacy or information flow, because that person might not have the breadth that he or she would need," says Hughes.
Zoladz agrees, citing the importance of "growing up in the trenches" and thus being very familiar with both formal and informal communications channels. To this end, he questions whether a hired privacy gun should be brought in to oversee a company's operations.
"Maybe it can happen with the right resources and backing, but you'd have to have superlative interpersonal skills and you'd have to have the CEO shadow you all the time as a threat to anybody who got in your way," Herath adds. "It's a matter of knowing through your own experience who can actually get things done. Just because somebody has a title doesn't mean they're going to be reliable when it comes to privacy-related issues."
|
