December 25, 2006

Protecting the brand | A conversation with the head of the Maine-based International Association of Privacy Professionals on the importance of corporate privacy practices

It's commonplace these days to read news about identity theft, Internet phishing scams or hackers breaching a corporate database to steal customer information. But go back a decade, and the state of personal privacy seemed much less imperiled.

Increasing privacy concerns — mostly stemming from the rise of the Internet and federal privacy legislation passed in the late 1990s — have forced businesses to consider a new kind of employee, one that knows, for instance, how to safely manage the collection, storage and transfer of sensitive customer information. Privacy professionals, as they're known, have quickly moved into the upper echelons of companies. Chief Privacy Officer is a common job title today, and those executives have their own nonprofit professional association: the International Association of Privacy Professionals, founded in 2001.

While international professional associations are more commonly located in New York or Washington, D.C., the IAPP is based in Maine, housed in a small two-story office in York's village center. J. Trevor Hughes, the IAPP's executive director and a University of Maine School of Law graduate, brought the organization to York when he was hired in 2002.

When Hughes joined the IAPP as its single employee, the organization had 400 members in the United States. Today, the IAPP boasts 3,000 members in 23 countries, and has 36 chapters around the world, in cities like Singapore, Sydney, Tokyo, Brussels and Dublin. "And we are continuing to grow at a very fast clip," Hughes says. "Our staff has gone from being just me to now having 16 people here in York."

Although the majority of the IAPP's members come from large corporations like Microsoft and Procter & Gamble, Hughes says small businesses face the same privacy issues as large ones: securing customer information, appropriately marketing through e-mail or fax, writing a company privacy policy, and the like. Mainebiz recently spoke with Hughes to learn more about the IAPP and discuss the most pressing privacy issues facing businesses today. An edited transcript follows.

Mainebiz: One of the IAPP's roles is offering certification programs that designate an employee as a Certified Information Privacy Professional. Tell me how you developed that certification program.

J. Trevor Hughes: Well, we recognized soon after forming the IAPP that as an essentially new profession, it was going to be important to create a program that provided a credential to show that people had a mastery over a common body of knowledge. That way, organizations could know when they're actually hiring someone who knows what they're talking about, because five or six years ago pretty much anyone could call themselves a privacy professional and you couldn't really argue with them.

What kinds of standards did companies employing privacy professionals use before you developed the system?

I think a combination of things. The privacy profession is interesting in that it's an eclectic mix of professionals. I am an attorney and came to the profession from the legal world. There are other people who have risen up through the ranks and come from the marketing world. Other people have come from compliance departments, from auditing departments. Some are technologists, because technology has many privacy implications. So the answer to your question is, it depends.

Do you see the creation of the chief privacy officer as a barometer for how important the business community takes privacy issues — putting it on the same plane as finance or operations or other areas that typically are overseen by a C-level executive?

Certainly with the information economy that we have today, where data is the lifeblood, we need people who understand how to manage that data appropriately so we don't run afoul of consumer expectations, applicable laws or just upstanding business practices. Whether it comes under the guise of identity theft, or spam, or phishing, or spyware or credit card fraud, it has privacy overtones to it. In that context, it is appropriate for it to be a C-level position in any company that has sensitivity around the use of data — and most companies do.

But that's not to say the CPO is the end of the line. In fact, what we've found is that many of the organizations that created CPO positions five or six years ago now have robust privacy departments. We have members that have as many as 70 people worldwide working on privacy issues for their organization.

The majority of your members are large corporations, but Maine is more of a small-business state. Do small businesses face the same privacy issues as large companies?

I think they do, and the challenge for small businesses obviously is that a small company may not necessarily be able to hire a chief privacy officer or a full-time privacy professional. It's a ubiquitous and overarching concern in the marketplace today. The challenge for those businesses is to know enough so that they know when they need to get help. Just like a small company may reach out to a Web developer to help them build their website, or they may reach out to an attorney to help them incorporate their business, I think increasingly it will be important for those companies to reach out to a privacy professional, a consultant perhaps, who can help them draft a privacy policy for their website, give them some high-level guidance on appropriate ways to engage in e-mail marketing and to hold and store data within an organization.

One of the topics discussed at the IAPP's summit in March was the need for broad federal privacy laws. Is there a consensus on this issue in the business community?

I think it is accurate to say there is not consensus right now. One of the interesting things about the privacy field is that data flows everywhere quickly. Whereas jurisdictional issues used to give us fairly clean lines as to where you're doing business, today if you put up a website it's as easily accessed in Singapore as it is in Presque Isle. As a result, data can move between here and Singapore in the blink of an eye.

So the call for legislation we have heard responds to issues both domestic and foreign. It responds to concerns associated with the number of state privacy laws that we have, the number of federal privacy laws that we have — and we have many — as well as international harmonization issues, with the hope that we could come up with a regulatory structure that is less burdensome and less expensive for businesses operating around the world.

A study last year of corporate privacy issues found that only 38% of 68 large companies polled believe their company's resources are adequate to manage privacy requirements. Does that mean companies already have a tough time keeping up with privacy laws?

I certainly think that statistic reflects the truth. This profession is new. This field is new. The profession did not grow in a vacuum; the profession has grown because the issue has grown in the marketplace. And we certainly are seeing budgets increase, positions being created, technologies being purchased to manage data in better and more sophisticated ways.

In the same study, 56% of companies said safeguarding customer information is important for their brand, an increase from only 38% two years ago. Is that increase the result of consumers becoming savvier about privacy issues?

I think that number would be higher today. I think we'll eventually get to a point where essentially all companies recognize that protecting customer data is critical to the brand. It has been said many times that the upside potential on privacy is good — you can generate more trust with your customers, more loyalty to your brand. But it's even more true that the downside potential with privacy is enormous. If you mess up, your customers will punish you severely. And so increasingly I think companies are getting hip to the fact that they have got to pay attention to this, that there is a direct causal link between how they manage data, how they protect privacy, and the trust and loyalty with which customers engage their brand.

What are some of the major privacy issues facing companies in 2007?

I think number one is identity theft and notice of security breach. Companies increasingly are going to find that they have a legal obligation to provide notice of any security breach that occurs. So companies not only are going to need better security and privacy protections, they're going to need a breach-response plan so they've got effective and timely communication with their customers whenever a breach occurs.

Two, the debate over national privacy legislation will intensify, particularly as we move toward a presidential election. Three, I think businesses are increasingly going to find that even small businesses are global businesses, and that will create real challenges for companies trying to manage their data.

Fourth, I'd say that restrictions on abusive marketing will continue to increase, and that those [restrictions] may place some limits on legitimate use of marketing, as well. Problems with online advertising, spyware and things like that continue to grow, and I think it's reasonable to expect that there may be more restrictions on marketing coming down the pike.

Finally, consumers will become more demanding with regards to the protection of their data and the management of their data. Consumers have shown that they don't like reading big, long privacy policies, but they know when they feel aggrieved. It will be incumbent upon businesses to look very closely and pay a lot of attention to what their customers think about their uses of data.
