• United States




Why your company needs a chief privacy officer

Feb 10, 20154 mins
Data and Information SecurityPrivacySecurity

A privacy exec with real power can ensure the protection of employee and customer data

Another week, another 70 million records compromised. Best way to not have a data breach? Don’t have the data in the first place.

Yet if you had a person or team dedicated to protecting employee and customer privacy, your data exposure would already be far less than it is today. Does your company have a chief privacy officer or advocate? If not, it should.

Most companies have a CSO (chief security officer) and/or a CISO (chief information security officer). Put chief privacy officer on the list of C-level executives your company should have. More than ever, a dedicated privacy advocate is worth his or her weight in gold.

Privacy problems are embedded in nearly every component of computer security — so much so, I propose updating the well-known security triad of CIA (confidentiality, integrity, and availability) to CIPA, with a pillar dedicated to privacy. Sure, it can probably fit nicely under confidentiality, but wedding it to better-known encryption issues doesn’t give it enough visibility.

Most companies I work with say they are big believers in privacy. But that usually means they have generalized statements on protecting customer data along the lines of a financial regulatory requirement. For example, they won’t share your customer information with additional third parties minus your consent. That’s not what I’m talking about. That’s a given. That’s a minimum.

What I’m talking about is an advocate who helps the company understand both customer and employee data confidentiality. Let’s not forget that many of the biggest, recent compromised resulted in lost employee data, too.

A dedicated privacy advocate would be your expert in all relevant applicable government and regulatory laws in all states and countries in which you practice. They would educate the other C-level officers, create documentation and policy, and educate the entire workforce. They could help create training materials, tests, and look for and remediate violations.

They would tell you what data can be collected, as well as when, where, and how long it can be kept. They would help you collect less specific data and keep the data better protected, then erased when no longer needed. They would help you realize when less specific or anonymized data would be a better choice than simply collecting highly personalized data. They would help set data retention and deletion policies. 

A privacy advocate would help you automatically delete older email and data stores at a predetermined time. I personally keep my email for decades, and I often need to refer to emails that are many years old. But a continuous email trail is a huge risk for any company. Anytime lawyers ask a company for copies of old emails, it can’t be good. Imagine how many people, recently in the news, wish their company automatically deleted their old email (subject to legal restrictions, of course).

A privacy advocate would help you navigate the very murky waters of outside third parties, such as the government and law enforcement agencies requesting private data. Many service providers have learned that having a friendly and cordial relationship with outside interests is a good way to lose business. A privacy officer would help you decide when to assist law enforcement and when to fight back.

Personally, I believe digital privacy to be this century’s key constitutional issue. Many unwarranted privacy invasions invoke unreasonable search and seizure concerns, as well as preventing me (and my employers) from the right to pursue happiness. The world’s best spy agencies of the past couldn’t dream of how much information they could easily retrieve on any individual simply by searching the Internet or scouring their own  data troves.

Whether you hire a CPO or anoint a lower-level team member is up to each individual company. The choice is often dictated by company size and need, but whichever position you create, it will involve frequent communication with employees, customers, and others regarding how much your company values privacy. In big companies, each major team or division should have a privacy advocate, with lower-level advocates reporting to the CPO.

One thing is clear: C-level leadership and real enforcement of a strict privacy policy is essential. In the recent large heists, for example, you can be certain much of the data stolen was not needed by the company. That’s the old way of doing IT. Hire a chief privacy advocate who can limit your company’s exposure and join the modern world.


Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.

More from this author