With the recent wave of privacy reforms sweeping across Canada and abroad, including changes to the privacy legislation in Quebec with Bill 64 (“Quebec Privacy Law”) and the proposed reform to the federal private sector privacy legislation with Bill C-27, the role privacy officers play in organizations has garnered significant attention. Having gained substantial leadership experience as a privacy officer, what follows in this article is the perspective I gained in these unique and essential roles. Each mandate, while quite different in practice, harvested similar lessons that I believe every practitioner working in the privacy sector should adopt to maximize their effectiveness within their organization. The following are seven key lessons every privacy officer or practitioner should know.
- Obtain Support from the Top
For any privacy officer to be effective in their role, they must be supported from the top, a principle that was codified by the Quebec Privacy Law, which clearly states that an organization has to ensure that its privacy officer has the authority to ensure that the organization is in compliance with the Quebec Privacy Law. The Quebec Privacy Law appoints the CEO as the privacy officer by default, unless the CEO delegates this responsibility to someone else in the organization.
Unlike the Quebec Privacy Law, the Personal Information Protection and Electronic Documents Act (“PIPEDA”) and other similar privacy legislation in Canada does not explicitly state that the individual “exercising the highest authority in the organization” is accountable for ensuring compliance. However, it is important for an organization to empower the privacy officer with the necessary authority to obtain and uphold compliance, and act as the face of privacy compliance for the company.
Quite simply, if the privacy officer does not have support from the top, it is unlikely they will be able to perform their role effectively.
- Align the Privacy Office with the Actual Risk Exposure of the Organization
The privacy office must be customized and tailored to the organization. There are many factors that should be taken into consideration when building the privacy office, including the following:
- Size of the organization
- Resourcing and budget that the organization can allocate to the privacy office
- Type of personal information collected, used and disclosed by the organization
- Actual privacy risk exposure of the organization
- Type of stakeholders (customers, investors, patients, employees, etc.)
There is no “one size fits all” model for building a privacy office that aligns with every organization’s culture and infrastructure. The privacy office should also be adaptable and flexible to evolve and change with the organization over time. For example, as the organization’s products and service offerings change, the privacy office must be able to adapt to those changes in tandem.
Taking into consideration the factors outlined above, here are three different privacy office models to consider:
- Low Risk Exposure. In smaller organizations, where the actual privacy risk exposure is low, the organization may appoint an executive or their delegate with a central and cross-cutting role (most commonly, the COO, CFO or CEO) as the privacy officer. The challenge with this model is that often the executive or their delegate may not have the expertise or knowledge to fully perform the duties of the privacy office. One way to address this issue is to ensure that the privacy officer receives ongoing training.
- Medium Risk Exposure. In medium to large organizations where there is a general counsel or legal team, the general counsel or more senior counsel may be appointed as the company’s privacy officer. My two in-house positions adopted this model, extending the legal role to include that of the privacy officer. There is a natural affinity between the legal department and privacy office, since the legal team is already responsible for legal compliance with the relevant privacy regulatory framework, while the privacy office is responsible for operationalizing the privacy compliance framework.
- High Risk Exposure. In larger organizations where privacy risk exposure is high (such as financial institutions), the organization may want to consider appointing a dedicated privacy officer or creating a separate privacy office.
Regardless of model, the privacy office should be not be treated as a mundane part-time function that is tacked onto existing responsibilities if the goal is to establish a proper privacy compliance program.
- Defining Priorities
The first and most important step I took after accepting the roles as Chief Privacy Officer of the emerging technology company, and later, as Global Privacy Officer of the multinational, was taking time to understand the business and define my priorities in each role. To achieve this, I examined the companies’ stakeholders and how they collected, used and disclosed personal information. After stepping back to see the big picture, the privacy officer needs to synthesize his or her priorities, which may be divided into monthly priorities, annual priorities, or five-year priorities. It is difficult to access unlimited resources to enable a privacy officer to achieve an endless list of priorities. To address this reality, I built priorities and then allocated resources towards each phase. Aligning the privacy priorities with available resources enables the achievement of tangible goals.
To the extent possible, the privacy officer’s priorities should align with the priorities of the organization. For example, a shared priority of the privacy office and the organization may be to deliver a better customer experience by building trust. United by this goal, the privacy office can work with the organization to build trust by being transparent about its privacy practices.
- Specializing in Crisis Management
An important goal for any privacy officer is to become a crisis management specialist, taking the lead in managing crises and investigations and, with unwavering support from the top, making decisions that elicit compliance across the organization.
Part of becoming a crisis management specialist is anticipating a series of potential crises before they arise and pre-emptively preparing written plans, procedures, and/or policies on how to respond to a certain type of crisis; building and training the crisis team; testing those plans, procedures, and/or policies in a mock setting to see how well they work; and revising them as necessary after obtaining feedback from the test.
Periodic training on how to most effectively respond to any given crisis is also helpful. For example, table exercises on responding to a data breach and/or ransomware attack will assist the privacy officer (and the cross-functional team) in developing the skills necessary to respond to a real data breach or ransomware attack.
Becoming a crisis management specialist elevates and reinforces the importance of a privacy officer’s position in an organization, making it an invaluable resource especially when confronted with crises.
- Use the Privacy Compliance Program to Build Trust with Customers
The role of the privacy officer is not strictly about regulatory compliance. In my roles, I quickly learned that, from a business perspective, the value-add of the privacy office is the way the privacy compliance program can be used to build customer trust and enhance the company’s reputation.
Especially for technology companies that handle personal health data, building customer trust and creating a sense of transparency are vital to customer experience, and ultimately, to the success of the company. Because building trust with the customers was so important to us, the privacy office communicated regularly with the communications, sales, product and marketing teams to find strategic ways to educate customers and communicate how the company collects, uses and discloses personal health information, as well as protects and safeguards the personal health information provided.
- Develop a Robust Privacy Compliance Program with the Chief Information Security Officer (“CISO”)
In my experience, aligning goals and priorities with the CISO’s priorities is a key consideration when developing a more robust privacy compliance program.
The responsibilities and skills of the CISO often complement the responsibilities and skills of the privacy officer. To successfully operationalize privacy compliance programs, an organization needs both regulatory expertise and technical knowledge. Often times, privacy officers possess the regulatory expertise, while the CISO brings the technical expertise on data security, networks, data governance and infrastructure. The goal is to marry the two skillsets, which creates a comprehensive function to effectively operationalize an organization’s privacy compliance programs.
Areas where a privacy officer may collaborate with a CISO include:
- Data breach incident response policy and procedure
- Employee privacy and cybersecurity training
- Data classification and management
- Data retention
- Vendor due diligence and contract negotiations
Neither the security nor privacy office would be effective operating as silos. The CISO and their team are vital to safeguarding personal information, breach response, and general compliance with applicable privacy laws. I was fortunate to have had good relationships with the CISOs with whom I worked. Together, CISOs and privacy officers are to achieve far greater results than when the two groups operate independently.
- Evolving Privacy Laws
Privacy laws are always changing and evolving, and the privacy officer is responsible to remain informed on changing privacy laws and how they may affect their organization.
As the Chief Privacy Officer of the health analytics company, I had to keep abreast of all current health information legislation across Canada and the US. Similarly, during my tenure as the Global Privacy Officer, the international focus of my role meant that I had to keep abreast of changing privacy laws in the UK, EU, Argentina, Chile, Bolivia, Uruguay and Canada. Of note, the GDPR and Brexit came into force during my tenure, which meant that my team had to navigate the EU GDPR and the UK GDPR.
However, beyond keeping up with ever-evolving privacy laws, to the extent that your organization has a change management team, use that team to operationalize the required changes. If your organization does not have a change management team, learn how to operationalize change effectively. The most effective privacy officers understand how to drive change effectively within an organization.
Roland Hung is Counsel in Torkin Manes’ Business Law and Technology, Privacy & Data Management Groups. His practice encompasses all aspects of corporate and commercial law, with emphasis on technology, privacy compliance, cybersecurity and data management. He was the former Chief Legal Officer and Chief Privacy Officer of Vivametrica Ltd., and the Senior Legal Counsel and Global Privacy Officer of Finning International Inc.