By: Juan Carlos Carrillo.
Back in 2006, then IBM CPO Harriet Pearson, CIPP/US, said, “a good CPO must do more than just ensure that companies comply with the present-day law. They must also attempt to second-guess future innovation and design company security policies and procedures accordingly.”
While the position of the CPO has most certainly changed in the past eight years, as has Pearson’s, this quote has stood the test of time as innovations in technology—and with that, data collection, retention and usage—continue apace.
More recently, K Royal, CIPP/US, CIPP/E, wrote a post for Privacy Perspectives on what makes a good privacy officer. Within the body of the post, and in the comments below, it becomes clear that a CPO’s job is a lot more than checking compliance boxes. “To build this list, I searched online for the top 10 traits or characteristics of compliance officers, salespeople, CEOs and managers,” Royal writes, and then goes on to include janitors, airline attendants and social workers. Others offered up firefighter and technology geek as CPO comps.
In order to come up with a more nuts-and-bolts list of the responsibilities of the CPO, we’ve collated, categorized and condensed a number of online job descriptions for CPOs, resulting in the description below. Certain industries, such as finance and healthcare, will have industry-specific laws and tasks; the description below is a general overview. Looking for a healthcare-specific example? See here.
But let’s work to define this more clearly together. What did we miss? What needs changing? Send Emily Leach an email with your suggestions, and we’ll revise the description as innovations revise the job.
Chief Privacy Officer: Sample Job Description
Compliance related to privacy, security, confidentiality
- Work with the general counsel, external affairs and businesses to ensure both existing and new services comply with privacy and data security obligations
- Work with legal counsel and management, key departments and committees to ensure the organization has and maintains appropriate privacy and confidentiality consent, authorization forms and information notices and materials reflecting current organization and legal practices and requirements
Coordinate regulatory monitoring efforts
- Coordinate with the appropriate regulating bodies to ensure that programs, policies and procedures involving civil rights, civil liberties and privacy considerations are addressed in an integrated and comprehensive manner
- Liaise with regulatory and accrediting bodies
- Work with external affairs to develop relationships with regulators and other government officials responsible for privacy and data security issues
Operationalize compliance efforts
- Maintain current knowledge of applicable federal and state privacy laws and accreditation standards, and monitor advancements in information privacy technologies to ensure organizational adaptation and compliance
- Ensure foreign databases are registered with the local data protection authorities where required
- Work with business teams and senior management to ensure awareness of “best practices” on privacy and data security issues
- Work with organization senior management to establish an organization-wide Privacy Oversight Committee
- Serve in a leadership role for Privacy Oversight Committee activities
- Collaborate on cyber privacy and security policies and procedures
- Interface with Senior Management to develop strategic plans for the collection, use and sharing of information in a manner that maximizes its value while complying with applicable privacy regulations
- Assist business units with development of tools and methodologies to ensure on-going compliance
- Provide strategic guidance to corporate officers regarding information resources and technology
- Assist the Security Officer with the development and implementation of an information infrastructure
- Coordinate with the Corporate Compliance Officer regarding procedures for documenting and reporting self-disclosures of any evidence of privacy violations
- Work cooperatively with applicable organization units in overseeing consumer information access rights
- Serve as the information privacy liaison for users of technology systems
- Act as a liaison to the information systems department
- Develop privacy training materials and other communications to increase employee understanding of company privacy policies, data handling practices and procedures and legal obligations
- Oversee, direct, deliver or ensure delivery of initial privacy training and orientation to all employees, volunteers, contractors, alliances, business associates and other appropriate third parties
- Conduct on-going privacy training and awareness activities
- Work with external affairs to develop relationships with consumer organizations and other NGOs with an interest in privacy and data security issues—and to manage company participation in public events related to privacy and data security
- Work with organization administration, legal counsel and other related parties to represent the organization’s information privacy interests with external parties, including government bodies, which undertake to adopt or amend privacy legislation, regulation or standards
- Report on a periodic basis regarding the status of the privacy program to the Board, CEO or other responsible individual or committee
- Work with external affairs to respond to press and other inquiries with regard to concern over consumer and employee data
Employee Management & Oversight
- Provide leadership for the organization’s privacy program
- Direct and oversee privacy specialists and coordinate privacy and data security programs with senior executives globally to ensure consistency across the organization
- Ensure compliance with privacy practices and consistent application of sanctions for failure to comply with privacy policies for all individuals in the organization’s workforce, extended workforce and for all business associates in cooperation with Human Resources, the information security officer, administration and legal counsel as applicable
- Develop appropriate sanctions for failure to comply with the corporate privacy policies and procedures
- Resolve allegations of non-compliance with the corporate privacy policies or notice of information practices
Build & Improve the Privacy Program
- Develop and coordinate a risk management and compliance framework for privacy
- Undertake a comprehensive review of the company’s data and privacy projects and ensure that they are consistent with corporate privacy and data security goals and policies
- Develop and manage enterprise-wide procedures to ensure the development of new products and services is consistent with company privacy policies and legal obligations
- Establish a process for receiving, documenting, tracking, investigating and taking action on all complaints concerning the organization’s privacy policies and procedures
- Establish with management and operations a mechanism to track access to protected health information within the purview of the organization, as required by law, and to allow qualified individuals to review or receive a report on such activity
- Provide leadership in the planning, design and evaluation of privacy and security related projects
- Establish an internal privacy audit program
- Periodically revise the privacy program in light of changes in laws, regulatory or company policy
- Provide development guidance and assist in the identification, implementation and maintenance of organization information privacy policies and procedures in coordination with organization management and administration and legal counsel
- Assure that the use of technologies maintains, and does not erode, privacy protections on the use, collection and disclosure of personal information
- Monitor systems development and operations for security and privacy compliance
- Conduct privacy impact assessments of proposed rules on the privacy of personal information, including the type of personal information collected and the number of people affected
- Conduct periodic information privacy impact assessments and ongoing compliance monitoring activities in coordination with the organization’s other compliance and operational assessment functions
- Review all system-related information security plans to ensure alignment between security and privacy practices
- Work with all organization personnel involved with any aspect of release of protected information to ensure coordination with the organization’s policies, procedures and legal requirements
- Account for and administer individual requests for release or disclosure of personal and/or protected information
Third-party Contracts, etc.
- Develop and manage procedures for vetting and auditing vendors for compliance with the privacy and data security policies and legal requirements
- Participate in the implementation and ongoing compliance monitoring of all trading partner and business associate agreements, to ensure all privacy concerns, requirements and responsibilities are addressed
- Act as, or work with, counsel relating to business partner contracts
- Mitigate effects of a use or disclosure of personal information by employees or business partners
- Develop and apply corrective action procedures
- Administer action on all complaints concerning the organization’s privacy policies and procedures in coordination and collaboration with other similar functions and, when necessary, legal counsel