I participated on a panel recently, at an event organized by Wirewheel and with some other distinguished folks, to explore the idea of the chief privacy officer as spokesperson. The event was under Chatham House rules, so I can’t provide a play-by-play of the conversation, but I did want to take a moment to share some thoughts I had on this topic, leading up to and during the event.
Let’s start by considering a few things we know: that people care about their privacy – otherwise, there wouldn’t be laws and a thriving privacy sector; that more and more, people want to do business with organizations they feel are ethical; that doing privacy well builds customer trust; and that regardless of the role consent may play down the road, the need for openness and transparency isn’t going away anytime soon.
I believe that with the right foundation, making the Chief Privacy Officer (CPO) – the subject-matter expert on and champion for privacy – more proactively visible in an organization’s communications can be a way to demonstrate more transparency and accountability, and that it has the potential to boost an organization’s credibility and help it stand out as privacy leader in the marketplace.
What does it take for a CPO to delve into the wonderful world of communications? Granted, every situation is different. It certainly depends on the maturity of their privacy framework and whether they’re confident the organization’s privacy is in good shape. If not, we suggest you consider getting your privacy “house” in order and the folks at nNovation LLP can certainly help. It also depends on whether collecting and protecting personal information is a relevant aspect of the business model. It depends on the company’s communications policy and whether it’s open to a more decentralized approach and the CPO’s level of knowledge on the subject. And it certainly takes collaboration with communications experts – within or outside the organization – as well as proper planning, training and practice.
What form can this take? I’m not suggesting that the CPO needs to get out there tomorrow to pitch and grant interviews to the Globe and Mail on their company’s privacy practices or that the CPO should take over the comms function – we need to recognize that everyone has their role. What I am suggesting however is that with the right planning, the CPO may be the best person, as the subject-matter expert, to respond to certain media requests, pen a blog, submit an article to a trade publication, participate in a podcast, give a speech on the topic and even play a role in privacy-focused marketing. Exploring the potential of these activities with the company’s comms team can help ensure the CPO is well prepared with clear key messages, strategies for responding to challenging questions, and armed with best practices and things to avoid. In this world, let’s face it: almost everyone is a communicator to a degree. These are very transferable skills and in my experience it’s best to get your feet wet and not wait until something goes wrong to try to develop these muscles.
What about when things do go wrong? There can also be a role for the CPO in public communications, in the unfortunate event of a privacy breach. If the organization has done a risk assessment, collects personal information and has identified cyber security as a risk, the company likely has mitigation strategies in place. It’s important to remember that these should go beyond the technological ones. Breach preparedness is key to successfully weathering a breach, reputation intact. Building a communications strategy directly into that breach response plan is essential. Part of the equation is ensuring subject matter experts, like the CPO, are ready, willing and, most of all, able. Sure, there are certain occasions when the CEO will have to be the spokesperson and there are others when it might make sense for corporate communications to handle things. I would argue that in an era of openness and transparency, when privacy is paramount, considering a more proactive role for the CPO in communications and a public role in the event of an incident is a way to help establish trust and credibility – in either scenario. Are there risks associated with the CPO being out there? Sure, but I’d encourage organizations to weigh those against the advantages, as well as the risks of not doing so.
Privacy is sometimes seen as standing in the way of certain communications and marketing efforts. I’d like to concentrate on updating that narrative. If you look closely at the privacy principles built right into the law, you’ll see that about half of them can be significantly advanced through effective communications. Let's help organizations understand and implement communications strategies that will enable them to better comply with privacy requirements on the front end, better respond publicly to privacy incidents when they do occur and ultimately contribute to better positioning them as the privacy-forward organizations they are… and can be.
Comments