Any company that collects personal information needs a way to manage that information and ensure that it is used responsibly. Such a company also needs a system for keeping people informed of what data is being collected, and how it is stored. The person responsible for overseeing these efforts is the chief privacy officer. The chief privacy officer, or CPO, is an executive who is charged with both data management and consumer relations. He or she is responsible for making sure that the company’s data collection and storage comply with the law, and that customers feel safe continuing to share their personal information with the company.
The breadth of what is considered “personal information” is in constant flux. Laws and regulations in almost every country in the world define personal identification and set rules for its use and collection, but the definitions are not always consistent. Some personal details must be protected nearly everywhere, such as Social Security or tax identification numbers and health records and information. Whether data such as online web browsing history, purchasing patterns, and financial information should be considered private enough to be protected is much more ambiguous.
Laws like the Health Insurance Portability and Accountability Act in the United States and the EU Data Protection Directive, which has been implemented in all European Union member states, set out some guidelines with respect to appropriate data protection practices. Data protection laws are also constantly being amended and updated as technology changes. The chief privacy officer’s job involves identifying the company’s data protection practices, and ensuring that they meet the legal standards of any jurisdiction where the company does business. Because much of the job is regulatory, many chief privacy officers are lawyers, but they do not have to be.
The chief privacy officer is also responsible for interfacing with clients and customers to assure them that (1) their data is being protected, (2) that protection is adequate, and (3) they should continue providing data. Since the advent of the Internet and its penetration into everyday life, data collection has become just as important as data storage. Originally, a company only needed a chief privacy officer if it was in the practice of storing sensitive information in conjunction with ordinary business, as a financial institution or health care company would be. In the online world, however, information is often the primary currency.
Companies with Internet presences can track who has visited their websites, and where they have come from. They can drop cookies on visitors' computers to see where the visitors go next, and can design Internet advertisements to display based on certain user characteristics and data amalgamated over time. Often, too, companies can store client files and information online, which makes them searchable, but also more readily prone to inadvertent exposure.
It is generally in a company’s best interest to make use of archiving programs, Internet collection tools, and online tracking to stay competitive. It is the chief privacy officer who ensures that the company’s practices are sound and well communicated to the public. For a company to be protected, there needs to be oversight, and for the public to continue to part with its data, there needs to be trust. A foundational duty of the privacy officer is to satisfy both.