Inside 1to1 Privacy

Date: 09/08/2005

Issue: September 8 2005


Inside 1to1: Privacy Web view 08/08/05



How important are privacy issues to corporate strategy? This month we publish our first annual report focused on the role of CPOs. It spotlights what influence privacy officers have on corporate strategies, and how their backgrounds might affect those strategies. Additionally, we predict where privacy is headed and what steps companies can take to find the right privacy executive to help guide them into a successful future.

Do privacy issues significantly impact your organization's strategies? Email me your opinion.

Sincerely,

Ginger Conlon
Editor-in-Chief
1to1 Media
ginger.conlon@1to1.com

Hewlett-Packard

HP respects the privacy of its customers, employees, and shareholders. We are committed to safeguarding their personal information using the highest standards of data protection. Protecting their privacy is fundamental to our global citizenship goals and integral to our business processes. We recognize that privacy is considered a basic human right in many parts of the world, and we see privacy as vital in developing and maintaining trusted relationships.


Feature
CPOs Confront Business Reality
By Elizabeth Clampet, Managing Editor and
Gabe Armstrong, Assistant Editor

Over the years in INSIDE 1to1: Privacy, we've emphasized that having a senior-level privacy professional within an organization is critical to creating business impact. That theory is slowly being realized, but what's the current reality in the marketplace?

In the first of what will be an annual snapshot of Chief Privacy Officers (CPOs), we look at the role privacy professionals play within their organizations.

We discovered that CPO statistics are hard to come by. While there is an abundance of figures relating to privacy policies and standards, information about the people behind the process is more difficult to track. We did find two studies, although with conflicting reports of how many companies actually have a CPO.

The most comprehensive information comes from the 2005 Benchmark Study of Corporate Privacy Practices, released in July 2005 by the Ponemon Institute and Vontu. According to that report, which surveyed 68 large organizations, 69 percent of respondents have a privacy leader (often with a CPO title), up from 67 percent in 2003. Yet, only 41 percent of these individuals are fully dedicated to privacy management issues.

As for their clout within the organization, 48 percent of these privacy leaders report to C-level executives, but only 38 percent of the leaders believe they have adequate corporate resources in place to manage privacy requirements across the enterprise. This is a 10 percent drop since 2003. The study attributes the drop to heightened consumer sensitivity to privacy issues, coupled with shrinking budgets and resources in organizations.

Conflicting information comes from the Eighth Annual Global Information Security Survey released in August 2005 by InformationWeek and Accenture. In that survey of more than 2,500 security and IT professionals, only 15 percent say their company has created the position of Chief Privacy Officer. This survey was of employees at both large and small companies, which may account for the difference in results. Large companies are much more likely to have CPOs, compared to small firms.

Who makes a good CPO?
There are many routes to the privacy chief's office, including legal, marketing, or IT experience. Each of these backgrounds brings with it a different set of priorities and experiences the CPO will consider when planning privacy initiatives.

Good privacy practices lead to trust, which ultimately leads to business growth. So we went directly to the top: the 2004 Most Trusted Companies for Privacy, compiled by TRUSTe and the Ponemon Institute. The firms we researched were Amazon.com, Citibank, Dell, Earthlink, eBay, Hewlett-Packard (HP), IBM, Procter & Gamble (P&G), and the United States Postal Service (USPS).

Not surprisingly, all of the companies have a senior privacy official. Four have specific CPO titles (Barb Lawler at HP, Harriet Pearson at IBM, Earthlink's Les Seagraves, and Zoe Strickland at the USPS), and one, Sandy Hughes at P&G, has the title of Global Privacy Executive, serving as both chief privacy and chief strategy officer.

Other titles are more general and combine different responsibilities. For instance, Scott Shipman from eBay serves as privacy counsel, and at Citibank, Christopher Putala is the executive vice president of Public Policy.

We found that eight of the privacy leaders come from legal backgrounds. What's more, they split their privacy duties with other responsibilities related to legal issues or corporate affairs. This reflects the reality that privacy is still generally considered more a compliance issue than a business strategy.

On the non-legal side, Barb Lawler at Hewlett-Packard rose up through the marketing ranks, though she has a business degree with a concentration in business law. And Sandy Hughes of P&G comes from the IT side of the house, specializing in process engineering.

There is no right or wrong background for a CPO, Hughes says. It depends on the privacy objective of each company. "In our case, we have a privacy program centered on trust," she says. "If we don't have our customers' trust or lose their trust, we lose business."

"My personal opinion is that legal compliance in the future will not be enough," Hughes predicts. She stresses the importance of a cross-functional team working together with a common privacy goal. "With 110,000 employees in 80 countries, it can be hard" without a collaborative approach, she says. Her team comprises more than 35 employees around the globe.

Where are we going?
Dr. Larry Ponemon, chairman of the Ponemon Institute and INSIDE 1to1: Privacy board member, says that he thinks there will be a shift toward more customer-focused privacy leaders in the future.

"Early stage privacy programs are often housed in the corporate law department," Ponemon says. "As programs mature, other organizational stakeholders become engaged either directly or indirectly in the privacy program, including corporate, IT, marketing and communications, and public relations. Our findings show that CPOs with experience in customer-facing activities, such as marketing or customer support services, are most successful in accomplishing long-term program goals."

Don't forget about emerging technology, says P&G's Hughes, who is spearheading new RFID programs within the consumer goods giant. "There is always going to be new technology, and it is getting more focused on relationships with customers," she says.

Ultimately, it all comes back to the customer, says J. Trevor Hughes, executive director of the International Association of Privacy Professionals (IAPP) and INSIDE 1to1: Privacy board member. "Businesses are now looking at the issue through the lens of customer integrity: Are we keeping our promises with our customers?"

We'll check back again next year to see how the results compare.


Business Spotlight
E-Loan Bucks Industry With Transparency
By Larry Dobrow, Contributing Writer

When The Customer Respect Group unveiled its report on privacy last month, E-Loan found itself ranked third. The online consumer direct lender also claimed a top-20 spot in the Ponemon Institute/TRUSTe survey of America's most trusted companies for privacy, landing between financial behemoths Fidelity and Visa.

Though E-Loan operates in a sector where full transparency in regard to privacy issues is rare, the company goes beyond regulations in the name of customers.

E-Loan first went against accepted industry practice in 2000 when it provided consumers with access to their credit scores, a move that incurred the wrath of Fair, Isaac & Co., the firm that calculates the figures. E-Loan was forced to rescind this policy when Fair, Isaac threatened to cut off the company's access to credit data. Yet it received widespread praise when, around 12 months later, Fair, Isaac and others gave in to public pressure and started allowing consumers to access their credit scores.

Around that same time E-Loan attempted to raise the bar for the online financial services business by instituting regular independent privacy audits. Company co-founder and current chairman and CEO Chris Larsen said then that stringent privacy controls were imperative if the industry hoped to gain the trust of would-be consumers.

E-Loan's peers didn't necessarily agree. "Financial institutions were not regulating themselves," says E-Loan CMO Catherine Muriel. So Larsen took matters into his own hands, co-founding Californians for Privacy Now and spending nearly $800,000 to bankroll a signature drive designed to get privacy legislation on the California ballot.

The move paid off. On August 19, 2003, the California Senate passed what was at the time the toughest financial privacy bill in the United States. (It has since been overridden by a weaker federal statute.)

Muriel admits that E-Loan made concessions along the way. "We got the California legislature and financial community to agree on an opt-in regime for third-party marketing, but we only got opt-out for affiliate marketing. But it was better than what we had before, which was no choice at all," she says.

Asked if E-Loan's privacy focus could hamper the company's performance in the short term, even as it builds trust and respect for the longer term, Muriel pauses briefly. "Without a doubt, there are things I don't do in marketing that I could get better results with: more modeling, getting triggers on mortgages or whatever else from the bureaus, including more personal data in direct-mail pieces," she says. "But overall it's not worth it. What we're doing is comparable to the Apple and Nordstrom mentality: If you do the right thing by your customers, they'll do the right thing by you."

In its latest move, E-Loan recently became the first company in the online financial space to offer consumers the option of preventing their home equity loan applications from being processed by Wipro, a firm based in India. "Some people don't want their information sent outside the country," Muriel says. She says the point isn't whether overseas application processing poses a privacy risk. It's that E-Loan presents customers with the information and lets them make the decision for themselves. To date, around 85 percent of customers have OKed the outsourcing.

"I'm not sure it's even a privacy issue," Muriel adds. "Really, it's about being upfront with your customers."


Editorial Advisory Board
Don Peppers, Partner,
Peppers & Rogers Group

Martha Rogers, Ph.D., Partner,
Peppers & Rogers Group

Dr. Larry Ponemon, Founder,
the Ponemon Institute

J. Trevor Hughes,
Executive Director, IAPP

Kirk Herath,
CPO, Nationwide Insurance

Jay Cline,
Data Privacy Officer,
Carlson Companies


In this issue:
Feature
CPOs Confront Business Reality
Business Spotlight
E-Loan Bucks Industry With Transparency
Reader Feedback
Re: Email Is No Longer a Private Matter
Business Update
Google's Tantrum
Data Firms Use Identity Theft Losses to Sell New Products
International Spotlight
E.U. Privacy Law Poses IT Challenge

Reader Feedback

Re: Email Is No Longer a Private Matter
Issue Date: August 11, 2005

I agree that if the email and the mechanism to which the email is accessed is paid for by the company, then the items (emails) contained in that system are property of the company. The contents of these emails however should be taken at the intent to which they were created, as with any other memo or letter created. As with any form of communication in the office environment, you need to be careful what you say -- whether written or verbal. Unfortunately, business has demanded that employees be more reliant on a mobile work environment. Hence, the opportunity to create electronic communications is growing and many people find it more convenient to send emails for both work and personal use from company provided equipment. Regardless, it's company material.

However, I also believe that with this day and age of electronic signature, that every email has an electronic signature by the sender. Then as with any other document (if signed by the employee) they have the right to that document and hence should be able to request and be granted copies of emails.

Armen Oozoonian
National Operations Manager
Pitney Bowes
Los Angeles, Calif.


Business Update
Google's Tantrum

In case you haven't heard, CNET and Google are in the midst of a tiny squabble. Here's what happened, digest-style: A News.com reporter used Google to dig up some personal information on Eric Schmidt, the CEO of Google, for an article highlighting privacy concerns surrounding the search engine. Google wasn't too happy about this, and according to News.com, instituted a policy of not talking with its reporters until July 2006 as a penalty.

The story published Schmidt's salary, neighborhood and political donations -- information obtained through a Google search. Perhaps CNET went a little too far revealing Schmidt's address, but it raises the question: Why is Google complaining when the story only reflects how effective its search engine is?

Source: The Wave Magazine


Data Firms Use Identity Theft Losses to Sell New Products

Credit agencies and major data brokers are making big money from selling identity theft victims their own information, and both consumers and the media are starting to take notice.

Many institutions that have experienced identity theft or data loss, such as Wells Fargo and Bank of America, will offer protection products to victims at no charge. However, as Reuters reported on August 28, these same institutions are selling identity protection to unaffected customers for as much as $129 a year.

Wells Fargo's "Select Identity Theft Protection" program offers a 30-day "free trial period," after which a buyer will be billed monthly for the service unless they cancel in that time. Privacy advocates and consumers' rights groups have expressed concern with what they see as data resellers profiting from the very thefts that they allowed to happen.

Source: Martin H. Bosworth, ConsumerAffairs.com


International Spotlight

E.U. Privacy Law Poses IT Challenge

Preventing the release of confidential information will be a major challenge for IT directors as they strive to comply with the E.U. Privacy Directive, Gartner warns.

One of the main security issues facing IT directors is how to cope with requests made under the Freedom of Information (FOI) Act, which can affect all public sector bodies and private sector companies contracted to them.

Jay Heiser, research vice-president at Gartner, warned that local authorities dealing with FOI requests could inadvertently leak confidential information. If someone received two or three pieces of unrelated information under the FOI Act, which were then combined, this could constitute a major leak of information, breaching the Data Privacy Directive, he said.

Source: Cliff Saran, ComputerWeekly.com


Events

The CSO Executive Discussion Series on: Privacy
September 13, 2005
Washington, D.C.

Privacy & Human Rights 2004
October 20-21, 2005
Bogotá, Colombia

IAPP Privacy Academy
October 26-28, 2005
Las Vegas, Nevada


Privacy Tools

Peppers & Rogers Group Privacy Practice

IAPP's Industry Work Groups

Privacy Tools from the Privacy Council

Privacy Resource Center

IAPP's monthly newsletter Privacy Officers Advisor

More publications from
Peppers & Rogers Group

 


Contact Us


Editor-in-Chief
ginger.conlon@1to1.com

Executive Editor:
john.gaffney@1to1.com

Managing Editor:
elizabeth.clampet@1to1.com

Assistant Editor:
gabe.armstrong@1to1.com

Technical Support:
christine.battaglia@1to1.com

Group Publisher:
michael.dandrea@1to1.com

Sales Manager:
dara.smith@1to1.com


About us


INSIDE 1to1: Privacy is a monthly e-newsletter published by Peppers & Rogers Group and the International Association of Privacy Professionals. Its mission is to provide companies with the tools and strategies required to balance customer-based initiatives with sound privacy practices.

Peppers & Rogers Group is a management consulting firm recognized as the world's leading authority on customer-based business strategy. The company is dedicated to helping enterprises identify differences within the customer base and to use that knowledge to gain a competitive advantage.

Our headquarters:
20 Glover Ave.
Norwalk, CT 06850

The International Association of Privacy Professionals (IAPP)
is the world's leading association of privacy and security professionals. With more than 1,000 individual and corporate members, the IAPP is helping to define and support the profession of privacy by being a forum for interaction, education and discussion across industries. For more information about IAPP, its high quality educational opportunities, policy forums and other organizational efforts, please contact Trevor Hughes, executive director, at jthughes@privacyassociation.org.

Full Disclosure:
Hewlett-Packard is the sponsor of INSIDE 1to1: Privacy and is a client of Peppers & Rogers Group and Carlson Marketing Group. Also, Bank of America, Citibank, IBM, Procter & Gamble and the USPS are clients of Carlson Marketing Group.

Delivery assured by
Return Path, Inc.


 
Copyright © 2005 Carlson Marketing Group, Inc. All rights reserved. 1to1 is a registered trademark of Carlson Marketing Group, Inc. and is registered in the U.S. Patent and Trademark Office. Peppers & Rogers Group is a division of Carlson Marketing Group.
 
