What would you do if you were appointed chief privacy
officer (CPO) of a multinational corporation with 52
privacy leaders and more than 200 employees
working on privacy scattered across 39 business
units? You might start updating your resume again, or
if you're a seasoned privacy leader like Nuala
O'Connor Kelly, you might try something new -- like
holding a series of privacy "workouts."

That's what O'Connor Kelly spearheaded during her
second year as Chief Privacy Leader of the company
that Thomas Edison started in 1890. Last month, 70 of
General Electric's privacy professionals met at the
company's world headquarters in Fairfield, Conn., for
the "Americas Privacy Workout." Similar gatherings will
take place in Europe and Asia later this year,
according to O'Connor Kelly, CIPP/G, who serves as a
board member for the International Association of
Privacy Professionals, the world's largest association
for privacy professionals. O'Connor Kelly also is the
former CPO of the U.S. Department of Homeland

"Our biggest number of privacy practitioners is, not
surprisingly, in Europe," said O'Connor Kelly, "so we'll
likely see at least 70 there, and a smaller, but growing
number at our Asia workout."

The need for regional privacy conclaves has been
developing at the company since the formation of its
privacy function in 2001. According to Orrie Dinstein,
Chief Privacy Leader & Senior Counsel for Privacy and
IT at GE Commercial Finance, GE's internal privacy
meetings have evolved in two ways since then.

"The number of attendees keeps growing as we
expand our team size and our geographic reach, first
from Europe, to around the globe," he said. "The
topics we cover have also shifted as we moved from
basic tutorials to more detailed issue-driven topics,
sharing of best practices, and the use of tools and
automation to address our needs. We're a much more
mature team than we were six years ago."

General Electric's $160 billion in annual revenues --
generated by 330,000 employees -- make it the
11th-largest company in the world. Its massive
amounts of employee data prompted GE to become
the first company in the world, under O'Connor Kelly's
predecessors Ivan Fong and Jim Jordan, to seek EU
approval for its "binding corporate rules" (BCRs),
procedures approved by country data-protection
authorities allowing it to transmit personal data
anywhere in the world.

From Thomas Edison's first light bulb, GE has grown
into 39 business units organized into six segments.
Most sell their products and services to other
businesses that expect privacy compliance: GE
Infrastructure ($47 billion in annual revenue), which
sells aviation, energy, rail and water products; GE
Industrial ($34 billion), which provides appliances,
lighting, plastics and silicon products; GE Healthcare
($17 billion), which sells diagnostic equipment to
physicians; GE Commercial Finance ($24 billion),
which helps businesses finance their purchases; and
NBC Universal ($16 billion), the famous media and

GE also operates several businesses that sell to end
consumers and must incorporate privacy as part of
their brands. Among those are GE Industrial and GE
Money ($22 billion in annual revenues), which offers
credit services to consumers, retailers and automotive
dealers. It's hard to imagine a privacy law anywhere
that doesn't somehow affect one of General Electric's

With so much privacy activity occurring under one roof,
the risks of redundancy and inconsistency are
heightened -- and the need for privacy workouts that
much more pressing.

What was unique about the Americas Workout?

First, it wasn't a top-down push of O'Connor Kelly's
agenda onto the rest of the organization. She has
instead taken the approach of bringing all of the
company's privacy talent together in one place to pool
their innovations from the previous year. Several of
them are accomplished CPOs in their own right who
bring deep experience to the table.

"It's really energizing to get together with your privacy
peers to share best practices and problem solve,"
said Jennifer Garone, Privacy and Security Leader of
GE Money. "We leave the workout ready to share the
wisdom with our business, so that we aren't just
talking to ourselves."

Second, the invite list was broader than the privacy
team. Among those attending were GE's General
Counsel, CIO, Chief Security Officer, and Chief
Information Security Officer. O'Connor Kelly also
included outside counsel in the discussions to enable
her team to tap into their expertise.

"Having these annual workouts is a great way for us to
put all our top experts in a room, and have a detailed
discussion about several select topics -- see how
each of us is handling it and what solutions we can
leverage across our businesses," Dinstein said. "The
odds are that somewhere someone has a fix for the
issue you're facing."

Third, the topics spanned the privacy spectrum.
Privacy leaders outside GE might have found the
agenda items to be the same as those on their plates:
privacy auditing, incident response, electronic health
records, e-discovery, and privacy and the brand. But
they also would have found niche topics, such as the
exchange of employee information during M&A
transactions, and a debate on the merits of BCRs for
employee data versus customer and supplier

The participants left the sessions with a shared
understanding of GE's privacy program's goals for the

"The 'Back to the Sheet Music' theme of our workouts
this year reflects our desire to make sure we're world
class in the basics of our privacy program -- our
compliance stance, our legal analysis, and our
understanding of the expectations of our employees,
customers and vendors," O'Connor Kelly said. "We
want to make sure we've built a program on a solid
foundation and that it will be sustainable and scalable
over time. We want to make sure that all our
employees and businesses are 'singing off the same
sheet of music' when it comes to privacy