BUSINESS SUCCESS OR FAILURE - THIS TIME IT'S PERSONAL
A Primer for Your Chief Privacy Officer
Source: Canadian Public Relations Society (Toronto)
Posted on June 23, 2001
(This article was co-written by Robert Gold, Editor-in-Chief of E-CommerceALERT)
For over ten years, studies have consistently identified privacy as consumers' most important issue. Furthermore, the reluctance to invest in protecting such private information has been named as the key reason why consumers aren't buying as much, or as frequently, as most retailers had expected.
Combine this unwillingness to invest in consumers' privacy with Canada's new Personal Information Protection and Electronic Documents Act (Bill C6) that rolled out in January, and businesses of all shapes and sizes are in for a rough ride! Soon, businesses will begin incurring considerable legal fees, spending time fighting unhappy customers and employees, and finding their reputations and sales suffering. However, most of these problems can be avoided by taking some simple and painless steps now.
The Key to Privacy: Establishing Accountability -
Bill C6 requires every business to assign a Chief Privacy Officer (CPO), someone who is held accountable for collecting, maintaining, updating, storing and distributing customers' (and employees') private information. For the vast majority of businesses, this position and its associated responsibilities will be completely new. To assist business leaders, we answer two of the most critical questions about CPOs: 1) what skills should a CPO have? and 2) what can be done now to ensure the CPO is as effective as possible?
What skills should a CPO have?
The CPO requires a unique blend of strategic and tactical skills that go beyond traditional titles and accreditations. At a minimum, the CPO should have competency in the following key areas:
Managing the flow and maintenance of customer information used to increase business -
Rooted in marketing, the CPO needs to know how to collect and manipulate information for all promotional and customer relationship-building initiatives. For example, when conducting a direct-mail campaign, the CPO will be responsible for ensuring that all of the proper permissions have been secured before buying or re-selling customers' private information.
Managing the flow and maintenance of employee information for optimizing internal security, consistency and performance -
Traditionally the responsibility of an employee communications officer, the CPO will be responsible for ensuring that employee information collected for one purpose in one department is used appropriately in other departments.
Managing the storage of documents and private information -
Most often the responsibility of archivists, the CPO will be responsible for ensuring that private information is securely collected, stored and maintained, as well as destroyed, according to schedule.
Managing the sharing of information across your organization -
Usually the responsibility of knowledge managers, the CPO will be responsible for ensuring that customer and client information is stored and distributed appropriately during efforts to increase share of customers' 'wallets' and build organizational learning.
Motivating staff to adopt strategically defined policies -
The CPO will be responsible for developing and monitoring procedures that have an impact on the way all staff collect and distribute private information.
Fostering skills for collecting/maintaining personal information -
In addition to establishing and monitoring procedures for collecting, storing and distributing employee and customer private information, the CPO will be responsible for ensuring that staff are regularly trained and tested in these procedures.
What can be done now to ensure the CPO is as effective as possible?
Of course, the more comprehensive and integrated your privacy procedures, the more likely your CPO will be able to ensure that your business activities are in compliance with Bill C6 quickly and cost-effectively. As a result, you should spend time developing policies and procedures to protect personal information in each of the following areas:
- Defining a purpose for collecting information - Every time you gather private customer or employee information, you are obligated to detail why it is needed, how it is used and who is granted access.
- Obtaining consent - You must get consent to collect private customer or employee information. If you plan to re-use that information for a different purpose, permission must be obtained again. You cannot make that consent a condition for supplying your product or service.
- Use and disclosure - You can only use or disclose personal information for the purpose for which you received the original consent and keep it only as long as necessary to satisfy that purpose.
- Limiting collection - You cannot collect private information at random.
- Ensuring accuracy - You must take steps to ensure that any personal information that you collect is complete, correct and kept up-to-date.
- Ensuring adequate security measures - You must protect personal information regardless of its format. Furthermore, you must safeguard it from unauthorized access, disclosure, copying or modification.
- Being open - You must inform customers and employees that you have policies and practices for the management of personal information. You are also obligated to make these policies and practices easily understandable and readily available.
- Being accessible - When asked, you must give customers or employees access to their private information, explain how it is used and who has access to it.
- Providing resolutions - Finally, you must have simple and easily accessible complaint procedures as part of your ongoing measures to monitor and correct information handling practices and policies.
If any of these procedures aren't in place, the CPO's first responsibilities will be to develop, implement and monitor them.
Credible Third-Party Seals: A Quick and Painless Solution -
Another highly recommended strategy is to implement a well-respected third-party assurance seal that enhances your internal privacy procedures.
Establishing and monitoring privacy procedures, with the assistance of a CPO, is at the heart of addressing customers' privacy concerns. However, creating practical privacy procedures has proven so complex that some of Canada's most profitable retailers have been frustrated. Even the Internet's most recognized privacy watchdog (TRUSTe) has had difficulty enforcing its own standards.
Of the web-based seals currently available, only WebTrust (www.WebTrust.net), an initiative of the global accounting profession, helps retailers meet the stringent internal procedures required by Bill C6 and sets the foundation for your investment in a CPO. As a result, securing a third-party seal as complete as WebTrust may be the easiest and most cost-effective short- and long-term method to eliminate many retailers' costly privacy exposures.
E-Commerce Alerts are issued by Bennett Gold LLP, Chartered Professional Accountants as situations develop. Bookmark this site and check back often. Our e-mail address is: info@BennettGold.ca
In accordance with United States Code, Title 17, Section 107 and Article 10 of The Berne Convention on Literary and Artistic Works, the news clippings on this web site are made available without profit for research and educational purposes.