An interview with IBM Chief Privacy Officer - Harriet Pearson
"I'm an example of what has become basically a new profession".
As IBM's chief privacy officer, Harriet Pearson oversees our policies for gathering, sharing and using personal information from customers and employees. It's a pioneering position, but it's hardly a lonely one. In her words:
"There are thousands of privacy professionals now, in the U.S. and Europe and Asia. Most of the Fortune 100 have a privacy officer or some sort of equivalent".
This high-level concern for privacy is a direct result of the Internet's explosive growth. Once used only for "surfing", the Web has become a destination for shopping, banking—even looking after our health and relationships. As the details of our lives accumulate in other people's databases, privacy has become a source of consumer anxiety—and corporate concern.
If individuals fear an Orwellian loss of privacy, businesses and governments fear the opposite scenario: that consumer's worries may lead them to opt out of online data gathering, or to simply avoid participating in an increasingly networked economy. But beyond that anxiety is the growing idea that safeguarding personal data is a corporate responsibility—not just to the customer, but to the business itself. If the information is valuable enough to be collected and warehoused, then it is valuable enough to be carefully managed and protected, just as much as any other corporate asset.
As Pearson puts it, "Privacy is good for business".
Harriet Pearson on privacy vs. security
The terms "privacy" and "security" are often used interchangeably, but Pearson is careful to draw a distinction between the two:"
"Privacy is the ability of an individual to control what happens to data about him or her. Security is the way we implement that expectation. You can have outstanding security, yet violate people's perception of what their privacy ought to be. But you can't have privacy without having the right security measures in place. Privacy rests on a good security foundation always".
Building the "trusted balance"
Between the extremes of total transparency and total public withdrawal lies a third scenario, which Pearson calls "trusted balance". In it, organizations continue to collect data—even to buy, sell and pass along that data—but they do so in ways that are transparent, responsible and in many cases, controlled by the individual. Governments and businesses inform the public about how they collect, store and use personal information. And people have the choice to opt out or opt in as they see fit (except in cases where that right is superseded by a compelling public need, such as law enforcement or public health). These rules are enforced at the organizational, industry and governmental level and are protected by strong security protocols.
The trust in "trusted balance" is what makes this scenario work. It's not simply a result of consumer acquiescence. It comes from a willingness by governments and corporations to create, communicate and most importantly, enforce a set of clear rules. While it does limit the power of these organizations, the resulting benefit—the ability to do business with greater efficiently—more than offsets the restrictions.
But privacy concerns impact more than just the bottom line; they affect multiple areas of an organization, from legal liabilities to PR efforts to CRM and employee retention. A well-designed, well-implemented policy can help a company in all of these areas, on both the tactical and the strategic levels.
The tactical benefits include basic legal compliance. Privacy concerns have led to new laws governing the collection and handling of personal data. These exist locally and nationally, in countries all around the world.
"So in many cases", Pearson says, "there is no choice. Companies have to comply to the fullest extent of the law. The liability and the enforcement exposure is too great to ignore". But the implications can reach beyond the legal department. She cites a recent California law that requires companies who have experienced security breaches to notify the individuals whose data may have been compromised.
"Now imagine", Pearson says, "the first few times an insurance company or a university sends out a letter saying, 'excuse me, but we were hacked and we don't know what happened exactly, we don't know what happened to your data, but we are required by law to notify you that something might have happened'. That's not a pleasant situation to be in".
Creating "privacy by design"
How can companies reap these benefits? They need to start at the top. Security and privacy are not simply IT challenges—they need to be addressed as strategic issues, at the highest levels of the organization. In Pearson's words, "I think the key challenge is to have CEO support for a strategy that confronts these issues proactively. If a company is tackling a transformation effort—transformation of the core business or core set of business processes, chances are that the effort has senior-level support. If it doesn't, and the IT organization is driving it, the biggest piece of advice that I would have is to go sit with the head of marketing, sit with the head of legal, the head of communications, and develop an approach to handling these policy issues at the forefront, before they become issues you have to react to".
Privacy by design is more than just an idea. It is a guiding principle for IBM as we look to the future of online information management. Pearson describes it as "a comprehensive road map for how, at all levels of the IT stack, from infrastructure to applications, we can build privacy-enabling capability into technology".
Securing privacy among partners
Ultimately, however, it is organizational policies, not technology, that are most important to enforcing privacy. This becomes even more apparent as data is shared across organizations. As outsourcing and the reliance on "value chains" of partners, suppliers and distributors become more widespread, information gets handed from organization to organization, multiplying the risks of security breaches. In these cases, it's the company that originally collected the data that has the most to lose. Formal privacy and security policies, backed up by the right IT design, can help eliminate potential issues and maintain the customer's trust. Pearson has several ways that organizations can safeguard the privacy of their consumer data.
Her first piece of advice is simple: "Choose wisely. Choose a business partner carefully to ensure that they have the same level of integrity with regard to information and its use". And that trust should be accompanied by verification: "Do some informal or even formal audits of your business partners, particularly if they're vendors. Reserve the right in contracts to conduct an audit of them once, twice a year. Ask them to do a self-audit and document the results". And she adds one more important caution:
"All of that legal mumbo-jumbo does you no good when, at the end of the day, it's your company up there in the limelight and you have the end responsibility. So you've got to be careful, you've got to manage, you’ve got to protect your liability. And if something happens, you have to be able to take the hit and make good with the customer".
Your business, your customer, your responsibility…even in the age of information overload, the basics of business never change.
Moving ahead: Building the privacy team
As IBM's chief privacy officer, Harriet Pearson is part of a growing business trend. Organizations of any size, if they gather consumer information, need strong privacy and security policies—and they need strong leadership to put them into place. Here's how to build a privacy dream team:
Start from the top. Your privacy policies will have an impact throughout your organization: marketing, communications, CRM, IT, HR, legal and beyond. Such wide-ranging changes require support from your CEO and other senior executives.
Build your board. No CPO, no matter how talented, can go it alone—privacy and security issues require a wide range of competencies. Here are the core competencies your privacy board needs to master. You don't need to appoint one person (or only one person) for each discipline. And, depending on your corporate structure and the concerns of your industry, you may need expert advice from other disciplines. But at a minimum, these four areas need to be covered:
Marketing. Privacy and security will be an important part of your relationship with your customers. You need to make sure your policies mesh with and support your CRM goals.
Legal. Know your liabilities—locally, nationally and everywhere you do business. Make sure that you're in compliance, and that your legal exposure is minimized.
Communications and training. Once you establish your security policies, you need to communicate them—clearly, consistently and often. And not just to your customers, but to the employees and strategic partners who will be carrying them out.
IT. You need strong security systems to back up your privacy policies. And to get the benefits of "privacy by design", you need to make IT part of your core team.