CPO & CISO: A Comprehensive Approach to Information

GE CPO Nuala O'Connor Kelly advocates greater CPO/CISO cooperation to place the right value on information assets.

Based on your success with this model at GE, how influential do you think this convergence will be for other companies?

This is very much where I see this going for other companies as well. As the economy gets tighter and jobs get tightened, things are going to converge, teams are going to have to work together. More of us are going to have more roles and multiple duties.

Second, privacy has always been to me a very reactive and negative term in corporate America. People think 'Oh it's a privacy officer. He or she is going to tell me what I can't do.' I like information governance because it's creating good rules and policies and structures that allow us to get our jobs done. It creates both the internal information sharing environment so that our employees can find data and information resources and also creates the good lens through which we judge how our information is touching sales products as well. We have a huge healthcare IT division, a huge security IT division and a whole bunch of folks doing product offerings in this area.

If more companies were to adopt this kind of model, what might a future CPO look like?

An understanding of technical systems and technical assets is going to be crucial. As we see our data and information holdings transform from a paper base, more and more of our assets are held electronically. Will that person need an understanding of the regulatory environment? Sure. But I've always felt strongly that a privacy officer doesn't have to be a lawyer. Understanding process, risk management and quality systems in some ways might be more important because I've always felt we need to operationalize the values around data privacy and data security.

A good reading of the law is essential, but a more sustaining model is somebody who understands how to inculcate those values in both technical assets and also in the education of our employees. So human behavior, as well as systems behavior, are going to be more important than being a lawyer and having to write memos.

If more CPOs are asked to take on this holistic approach, might some view these additional duties as just another thing they have to worry about?

That is certainly something we hear from legal and compliance folks. 'Oh, yet another thing we need to worry about.' But that's probably what people said about privacy ten or 12 years ago. I don't see it that way. I see it as a congealing of a vision of information as a legitimate asset of companies. Instead of being reactive, and to a certain extent being embarrassed about data holdings or uncertain about how to create a regime around information and vital assets, I think it's a recognition that in the information age, information is one of the biggest assets of any institution. And it needs to be dealt with in a very holistic approach. It needs to have a soup-to-nuts approach about both physical and technological protection around it: Education of our employees, all of those are assets of good data management in a security program, including how long this stuff is kept.
