“Typically jurisdictions or companies begin by assuming that the privacy leader should be a lawyer…But very quickly, what they discover is that a legal background is probably not sufficient. A full suite of skill sets are necessary,” Justin Weiss, the Global Head of Data Privacy at Naspers Group, said when asked about the role of a Chief Privacy Officer.
As privacy legislation takes root in countries around the world, the role of the Chief Privacy Officer has become increasingly crucial within organisations that deal with sensitive data. India is also expected to have a Personal Data Protection Bill soon, which means Indian companies will need to figure out how to align themselves accordingly.
Weiss made these comments at a session on ‘Adapting to global privacy legislation’ at PrivacyNama 2021, a global conference on privacy regulations held by MediaNama on October 6 and 7. In the session moderated by lawyer Rahul Matthan, Weiss was joined by Idriss Kechida and Srinivas Poosarla, who are Chief Privacy Officers at Match Group and Infosys respectively. Here’s what they had to say about how to be a Chief Privacy Officer:
Start from the top
Reporting to the board: Both Poosarla and Kechida agreed that the Chief Privacy Officer needs to report directly to the company’s board to avoid interference from other functions within the organisation. “A great amount of independence is required. Typically the requirement to report to the board comes to the fact that the other functions will influence you. So it is very important to have the ability and autonomy to take issues at the top,” Poosarla said.
Sponsorship from highest levels: Kechida highlighted the need for Chief Privacy Officers to seek sponsorship from the highest level of the organisation for their privacy agenda:
You need to find that sponsorship at the highest level… and employees need to be aware of that decision or policy the company has. So, that when those decisions are taken, they know where it comes from and they know why it makes sense for the company. — Idriss Kechida
Weiss emphasised that employees must feel recognised and rewarded for implementing privacy measures within their verticals:
You need the executive team to make those assignments [to implement privacy measures]… People are rewarded and recognized for doing work that their bosses expect of them. If their friend Justin comes in and expects them, and it seems like a favour, they may try to help me out. But it’s very different than if the boss says you’ve got to do this thing, and you’re going to be rewarded and recognised on that basis. — Justin Weiss
Allocate resources to implement privacy measures
Weiss said that there were three crucial elements to consider when budgeting for an in-house privacy initiative:
- Human Resources: The number of people dedicated to the privacy vertical will depend on the nature of the business, Poosarla said. The salary range for a Chief Privacy Officer is similar to that of a mid-level attorney, according to Weiss.
- Automation: Weiss also recommended budgeting for automated services that make it easier for your company to implement privacy measures, such as dealing with customer complaints or managing consent.
- Training: Budgets for privacy need to accommodate the time it takes to train different teams within the organisation in best practices around privacy, both Weiss and Kechida emphasised. This could include automated training modules or creating original video content.
Adhere to high privacy standards to comply with local laws
It can be a challenge for companies operating in multiple jurisdictions to comply with local privacy legislation. The panelists suggested:
Adhering to a standard: Poosarla and Kechida agreed that companies should adapt to a single privacy standard that makes them compliant in most jurisdictions:
I always recommend that we should go for a standard like ISO 27701 which got published in 2019… It is mapped to GDPR principles and therefore you are more likely to be doing all that is required to be able to comply to various jurisdictions so scalability becomes easy. — Srinivas Poosarla
Addressing customer concerns: The role of any data protection authority, at least in part, is to address privacy issues brought up by citizens. But Poosarla emphasised the need for privacy officers to take on this burden themselves:
Effectiveness lies in listening to requests properly and taking them as an opportunity for improvement. If you don’t, these same people will go to the data protection authority (DPA). So when I meet DPAs I tell them, we are like an extended arm of DPA. If I am in Spain I am ensuring that people don’t go to DPA of Spain, they come to me. If only I am not able to satisfy them they go there, and that’s my failure. — Srinivas Poosarla
Kechida too talked about how customer service was at the heart of a CPO’s role. “Ultimately it’s the customers whose data you process, and so if you want to really do things well, it’s there. What matters to them like directly is: I want to know what data you have about me. I want you to delete my data. This is the thing you want to put a lot of effort in, to make sure people are satisfied with the way that you’re handling this,” Kechida said.
Figure out how to balance user privacy and company growth
How to manage risks: The way to think about risk management for privacy roles is slightly different because you’re not just thinking about the risk to the company, Weiss said. “You can frame privacy issues as a kind of corporate risk, and when you do, you might assume that running a privacy program is very similar to running other types of programs that try to manage risk for the corporation. What is unique and different about privacy is that the privacy officer’s primary duty and responsibility is to think about risk to a different class: risk to individuals,” he said.
Conflicting priorities: There are often conflicts between the privacy of individuals and the company’s growth. What should CPOs prioritise in such cases? Weiss argued for navigating away from a yes or no approach: “The question is not, should you take away all algorithms, yes or no. The question is, what are the features of an algorithm that balance in a proportionate way the need to do what the algorithm is supposed to do… with the potential negative impact on individuals. And once you do that balancing work, it’s not usually a yes or no, it’s a how,” Weiss said.
MediaNama hosted this event with support from Facebook, Flipkart, Internet Society, Mozilla, Mobile Premier League, Omidyar Network, Paytm, Star India, and Xiaomi. We are also thankful to our community partners – the CyberBRICS Project, the Centre for Internet and Society, and the Centre for Communication Governance (NLU Delhi).