BRUSSELS—Well, compliance officers, for all the years of frustration you've endured struggling with anti-corruption programs, I have good news from last week's Compliance Week Europe conference: that experience will give you a superb grounding for the years of frustration coming next with privacy programs.
Time and again during our Europe conference, issues of privacy streaked across the conversational stage. Of course, that's to be expected: Europeans have long taken personal privacy more seriously than Americans do, and the European Union is in the throes of a major overhaul to privacy law by next spring. Edward Snowden's news earlier this summer that the National Security Agency has been spying on pretty much everyone only accelerated that push to put more bite into privacy law.
Still, as I ran from one session to another, gulping café au lait and croissants along the way, I couldn't help thinking that I had heard this all before.
Take the speech delivered by Peter Hustinx, the European Data Protection Supervisor. Hustinx outlined a uniform, no-nonsense privacy regulation that he wants to see imposed across the entire EU. Among his more notable points:
- Every large organization should have a chief privacy officer;
- Every organization should conduct a privacy risk assessment regularly, and embrace “privacy by design” as it begins new business ventures;
- The privacy compliance program should be able to ensure, demonstrate, and verify compliance with EU privacy regulation;
- Data privacy regulators will look more favorably on companies that self-disclose privacy breaches promptly (within 24 to 72 hours).
Those are tough words, to be sure. Still, look at the details: a strong and clearly identified compliance officer; risk assessments; demonstrating effectiveness; encouragement of self-disclosure. What's new about that? Compliance officers have been doing the same for anti-corruption issues for years.
Indeed, I had the privilege of interviewing Hustinx after his keynote speech, and I specifically said that his vision sounded an awful lot like what compliance officers have had to do since the 2000s for anti-corruption efforts. His answer: “Yes, that's true.”
A word on the politics of all this, while I'm here. Hustinx is so adamant about enacting a new EU data privacy regulation by next spring because the clock is ticking. The current crop of EU lawmakers and regulators, Hustinx among them, see their terms of office expire next May, and all pending legislation will expire with them. Hence we're seeing many EU officials making headlines with regulations they are vowing to pass by next spring; Hustinx's counterpart in the antitrust offices said much the same thing last week.
The wording matters here too. Right now the EU has a data privacy directive—essentially, model legislation adopted in Brussels, that each nation in the European Union must then enact into law locally. That process at the local level can take years, and result in legislation that differs quite a bit from one country to the next. Hustinx now wants to deliver a data privacy regulation—one law, adopted across the entire EU, all at once, with no room for different interpretations from one country to the next.
That would be a serious step in privacy regulation for the EU, and already some skeptics wonder whether it will actually happen. Another privacy expert speaking later that day, Simon McDougall of the Promontory Group, cautioned that “there's a substantial chance” the EU data privacy regulation won't pass by the May 22 deadline. Should it indeed fail, current EU data privacy law would continue while new regulators start all over again.
Let's assume the new EU data privacy regulation does pass. To my thinking, one of the biggest thorns in that rule will be the part about creating a chief privacy officer role. Contrast that task to, say, conducting a privacy risk assessment—which should be nothing new for large companies, since sloppy privacy policies are an invitation to bad press and litigation when something goes wrong. But U.S. companies don't necessarily need a chief privacy officer, and dropping one into the organizational chart can be easier said than done.
Businesses will need to think about where their chief privacy officer will come from. Chris Babel, chief executive of TRUSTe and someone who encounters chief privacy officers fairly often, said he still sees most CPOs emerge from the legal department, although a few now come from the marketing department—especially if the company is in a highly visible part of the retail sector.
For all that uncertainty, however, I keep coming back to the parallels emerging between the anti-corruption compliance of today and the privacy compliance of tomorrow. The basics don't seem that different: a strong compliance function, headed by an executive with real power and who has responsibility for demonstrating that the compliance program works.
That's not easy, I know—but it's not news, either. Indeed, it may even be the path for compliance officers to demonstrate their importance to the whole company yet again, and push the organization to that fabled idea of enterprise-wide risk management and compliance. Good luck.