The BusinessCast, co-hosted and
produced by Robert Gold, is the
Financial Post Executive Podcast:

Bennett Gold LLP Earns Mention In Toronto Life Magazine, April 2005.

A Primer for Your Chief Privacy Officer (CPO)

Business Success or Failure - This Time It's Personal

For over ten years, studies have consistently identified privacy as consumers' most important issue. Furthermore, the reluctance to invest in protecting such private information has been named as the key reason why consumers aren't buying as much, or as frequently, as most retailers had expected.

Combine this unwillingness to invest in consumers' privacy with Canada's new Personal Information Protection and Electronic Documents Act (Bill C6) that rolled-out in January 2001, and businesses of all shapes and sizes are in for a rough ride! Soon, businesses will begin incurring considerable legal fees, spending time fighting unhappy customers and employees and finding their reputations and sales suffering. However, most of these problems can be avoided by taking some simple and painless steps now.

The Key to Privacy: Establishing Accountability

Bill C6 requires every business to assign a Chief Privacy Officer (CPO), someone who is held accountable for collecting, maintaining, updating, storing and distributing customers' (and employees') private information. For the vast majority of businesses, this position and its associated responsibilities will be completely new. To assist business leaders, we answer two of the most critical questions about CPOs: 1) what skills should a CPO have? and 2) what can be done now to ensure the CPO is as effective as possible?

What skills should a CPO have?

The CPO requires a unique blend of strategic and tactical skills that go beyond traditional titles and accreditations. At a minimum, the CPO should have competency in the following key areas:

- Managing the flow and maintenance of customer information used to increase business. Rooted in marketing, the CPO needs to know how to collect and manipulate information for all promotional and customer relationship-building initiatives. For example, when conducting a direct-mail campaign, the CPO will be responsible for ensuring that all of the proper permissions have been secured before buying or re-selling customers' private information.

- Managing the flow and maintenance of employee information for optimizing internal security, consistency and performance. Traditionally the responsibility of an employee communications officer, the CPO will be responsible for ensuring that employee information collected for one purpose in one department is used appropriately in other departments.

- Managing the storage of documents and private information. Most often the responsibility of archivists, the CPO will be responsible for ensuring that private information is securely collected, stored and maintained, as well as destroyed, according to schedule.

- Managing the sharing of information across your organization. Usually the responsibility of knowledge managers, the CPO will be responsible for ensuring that customer and client information is stored and distributed appropriately during efforts to increase share of customers' 'wallets' and build organizational learning.

- Motivating staff to adopt strategically defined policies. The CPO will be responsible for developing and monitoring procedures that have an impact on the way all staff collect and distribute private information.

- Fostering skills for collecting/maintaining personal information. In addition to establishing and monitoring procedures for collecting, storing and distributing employee and customer private information, the CPO will be responsible for ensuring that staff are regularly trained and tested in these procedures.

What can be done now to ensure the CPO is as effective as possible?

Of course, the more comprehensive and integrated your privacy procedures, the more likely your CPO will be able to ensure that your business activities are in compliance with Bill C6 quickly and cost-effectively. As a result, you should spend time to develop policies and procedures to protect personal information in each of the following areas:

Defining a purpose for collecting information - Every time you gather private customer or employee information, you are obligated to detail why it is needed, how it is used and who is granted access.

Obtaining consent - You must get consent to collect private customer or employee information. If you plan to re-use that information for a different purpose, permission must be obtained again. You cannot make that consent a condition for supplying your product or service.

Use and disclosure - You can only use or disclose personal information for the purpose for which you received the original consent and keep it only as long as necessary to satisfy that purpose.

Limiting collection - You cannot collect private information at random.

Ensuring accuracy - You must take steps to ensure that any personal information that you collect is complete, correct and kept up-to-date.

Ensuring adequate security measures - You must protect personal information regardless of its format. Furthermore, you must safeguard it from unauthorized access, disclosure, copying or modification.

Being open - You must inform customers and employees that you have policies and practices for the management of personal information. You are also obligated to make these policies and practices easily understandable and readily available.

Being accessible - When asked, you must give customers or employees access to their private information, explain how it is used and who has access to it.

Providing resolutions - Finally, you must have simple and easily accessible complaint procedures as part of your ongoing measures to monitor and correct information handling practices and policies.

If any of these procedures aren't in place, the CPO's first responsibilities will be to develop, implement and monitor them.

Credible Third-Party Seals: A Quick and Painless Solution

Another highly recommended strategy is to implement a well-respected third-party assurance seal that enhances your internal privacy procedures.

Establishing and monitoring privacy procedures is at the heart of addressing customers' privacy concerns, with the assistance of a CPO. However, creating practical privacy procedures has proven so complex that some of Canada's most profitable retailers have been frustrated. Even the Internet's most recognized privacy watchdog (TRUSTe) has had difficulty enforcing its own standards.

Of the web-based seals currently available, only WebTrust, an initiative of the global accounting profession, helps retailers meet the stringent internal procedures required by Bill C6 and sets the foundation for your investment in a CPO. As a result, securing a third-party seal as complete as WebTrust may be the easiest and most cost-effective short- and long-term method to eliminate many retailers' costly privacy exposures.

Bennett Gold LLP invites your questions, comments and feedback: E-Mail: action@BennettGold.ca Telephone: 416-449-2249. Read Bennett Gold LLP's Privacy Policies and Practices.

WEBTRUST is a trade mark of the Canadian Institute of Chartered Accountants. All other cited trade names and marks are property of their respective owners.

BennettGold.ca is a P3P compliant and W3C validated web site, coded and developed by Planetcast.