
Interview with Dan Swartwood

October 2004

 

Terry McQuay, Nymity's President, interviews Dan Swartwood, Data Privacy Officer, WW Customer Privacy Office of Hewlett Packard. The interview focuses on HP's use of privacy metrics as a privacy management tool.


Nymity: Dan, please describe your role and the structure of HP's Privacy Office.


Swartwood: My office manages customer and partner privacy issues globally. We also manage worldwide compliance with national privacy laws for both online and offline data. To give you an idea of the scope we manage, we have over 100 million consumer records and approximately 25 million business records in our databases. These represent customers in over 130 countries. We also deal with thousands of partner companies all over the world.

We have two other privacy offices in HP. In addition to our office, we have a separate employee privacy office in our human resources group. We also have a Chief Privacy Office in our government affairs group. Between these three groups we have over 20 people working directly on privacy issues on a daily basis throughout our regions and business units. Together the leaders of the three groups formed a Global Privacy Board that is chartered by the company to act as a board of directors for all privacy issues for HP. The GPB meets every other week via a con call to discuss current and future issues that impact on our total privacy effort.


Nymity: How does HP manage privacy?

 

Swartwood: HP has a privacy sensitive culture. We start by building privacy into the way we do business, through our standards of business conduct (SBC). All employees are required to take annual refresher training on our SBC which includes a good overview of privacy. Additionally, all employees are required to take a specific privacy training web course every two years. We have a master privacy policy that sets a single global framework covering all personal data for customers and employees. Our online privacy statement, our customer and employee privacy policies elaborate on the master policy.

Our customer privacy office has 9 direct employees that perform corporate and regional functions. Additionally we have employees in the business units with customer privacy as a full or primary responsibility. Our extended team includes employees from government affairs, legal, internal audit, indirect procurement and IT security representatives.

Our privacy framework is implemented through a detailed privacy rule book and guidelines that give specific guidance on how to implement privacy in every major region and business environment. We use a full range of tools in addition to the rule book including a Privacy Impact Assessment that is so innovative, we are exploring the option of patenting the process.


Nymity: What are HP's privacy objectives and goals?

 

Swartwood: Simply, we know that good privacy is good for customers and helps make it easier to do business with HP. Our program enables our regions and marketing organizations to have a greater trust relationship with our customers. Better trust results in more revenue from our existing customers and gives us a competitive advantage with prospects.

There are many studies that show if customers do not trust a company to handle their personal data properly, they will not do business with that company. We allow the customer to determine how they interact with HP. We collect their privacy preference and ensure our marketing and product groups follow those preferences. As an example, we have a global opt-in requirement for email marketing. While this is a requirement in many but not all countries, it is a global standard for HP.

 

Nymity: Why did HP implement privacy metrics?


Swartwood: We needed to find a way to measure our progress on our program implementation. We started by asking ourselves a series of questions:

 

  • Who is the audience?
  • What do they care about?
  • Is the data useful and meaningful, and does it tie to their/our business objectives?
  • What will we gain by tracking this information?
  • How and what will we measure?
  • How often do we want to report on this information?
  • What will we do with the information?


The answers to these questions gave us a path to implement our privacy metrics effort.

 

Nymity: What are the benefits of privacy metrics?

 

Swartwood: If you cannot measure something, you cannot know if you are succeeding. HP has made a strategic investment in our privacy program. We owe it to our management, investors, and customers to be able to show the benefit of that investment.

 

Nymity: What are some example privacy incidents that metrics have helped prevent or manage?

 

Swartwood: In a large global company it is only prudent to build in processes that will quickly identify and resolve real or potential privacy issues. The perception of a privacy problem is the same as a real privacy issue. We deal quickly with any potential privacy issue to determine if it is a privacy issue, and if so, we work with the affected business unit or region to resolve the issue and also to determine the root cause of the problem. Only by determining root cause can we ensure the same thing will not occur again elsewhere in the company.

Here is an example of our process. We use an automated tool to routinely, remotely monitor our web pages. The tool uses a set of privacy rules to determine if any of the over 5 million web pages on our external sites has a privacy issue, such as a broken link to our privacy statement or not using an appropriate cookie expiration date. In any given week, we update the content of over 500,000 pages. Even if a page was correct last month, it may have been changed and a privacy issue created this month. We have a process in place for any identified issue to be reviewed and, if found to be out of compliance, sent to the appropriate team for correction. We track and trend these scans routinely, looking for trends.

 

Nymity: What were the considerations when setting up the privacy metric program?

 

Swartwood: One of the major considerations is the data that senior management needs to determine the health of the program. After that was determined we needed to ensure we had the processes in place to quantitatively measure those features of the program.

 

Nymity: What was the process for implementing a privacy metric program?

 

Swartwood: After initial discussions with HP senior management, we determined the baselines for agreed metrics. Then we established processes to ensure that we could gather the data needed in a timely manner.

One of the more interesting aspects was determining how to present the data in a meaningful way. Senior managers are busy and we determined a one-page PowerPoint dashboard was the appropriate vehicle.

 

Nymity: What are the types of HP customer privacy metrics?

 

Swartwood: We collect and report metrics on the following areas:

 

  • Training and Awareness
  • Performance
  • Compliance
  • Consultations
  • Customer Satisfaction
  • Web compliance
  • Competitiveness / Benchmarking
  • Incidents

Nymity: How do metrics help monitor compliance?

 

Swartwood: We have a compliance manager that manages this program full time. Currently we are working especially hard to update our online privacy standards. We see our online privacy program as the most visible aspect of our privacy effort. Anyone with a browser can see how well we are complying with our online privacy statement.

 

Nymity: How have the metrics helped HP in Canada?

 

Swartwood: Canada is an important market for HP. We have appointed a Canadian Privacy Officer to work with the entire HP Canada team to ensure we are compliant with both the corporate privacy standards and all aspects of the new Canadian law. The metrics are shared with all members of the privacy team. As appropriate, those metrics are shared with various country teams, including Canada. In the online space, there is country-specific data collected. That data is normally not sent to country level managers unless there is a specific issue requiring their attention. Normally the web team supporting each country gets the full detail so they can correct any privacy concerns.

 

Nymity: How do metrics measure organizational performance?

 

Swartwood: We have seen a marked improvement since we implemented our privacy metrics. We have used our metrics to show relative standing between business organizations in critical areas and overall we are seeing a significant increase in value added aspects of our program.

As an example, we measure the number and value of consultations with product and services organizations. We have increased the value of our privacy consultations by an order of magnitude in the last year.

 

Nymity: How do privacy metrics help as a management tool?

 

Swartwood: There are several benefits from our privacy metrics effort. They give us the ability to measure the extent and cause of privacy incidents to prevent recurring problems. Our metrics program also allows us to quickly identify issues, before they become a major problem. Additionally, the effort allows us to track and trend areas that may need improvement and show we are meeting our business objectives. Also the program gives us the ability to quickly and easily show the value we bring to the organization.

 

Nymity: What trends have you observed since implementing privacy metrics?

 

Swartwood: There is some good news in this area. We are seeing a decrease in the number of known/suspected privacy escalations and a dramatic increase in privacy consultations. The extended team has helped deliver over $US100,000,000 in privacy-related contracts to HP in this fiscal year. Additionally we have consulted on other contracts worth approximately $US1 billion.

 

Nymity: Please describe the infrastructure used to implement the privacy metrics.

 

Swartwood: We have created a centralized support knowledge base, training and process for the entire HP privacy team. This knowledge base is kept up-to-date and the detailed training ensures that everyone knows how to use the databases and get the most accurate data.


We created a series of databases with drop down menus and made those available to the entire privacy team. We went through a detailed training effort to ensure everyone knew how to use those databases to get the best data we could. Then we established a process to ensure everyone knew how to make the appropriate entries.

 

Nymity: What kind of reports are created?

 

Swartwood: We have a weekly report that shows the number of potential escalations, customers affected, number of consultations, value of those consultations and the number of opt out requests received by our office.

We have a monthly report that details three things: first, the results of our external customer survey where they rate our performance at meeting their privacy expectations; second, the number of escalations worked measured against our baseline; and third, the number of consultations conducted in the month measured against our baseline. All of these are displayed in a continuum of green, yellow and red. This allows us to provide a simple visual reference to determine how well we are doing against our measures.

We have a quarterly report very similar to the monthly that gives the same information as the monthly, but compares the current quarter to prior quarters.

 

Nymity: What was the cost of implementing and managing this privacy metric program?

 

Swartwood: There was no external consulting or other external costs associated with our effort. We were able to implement this effort entirely using internal resources. As the reporting is an integral part of everyone’s job, the cost to run the program is minimal.

 

Nymity: What returns have you realized on this investment?

 

Swartwood: We have been able to show ourselves and our management the real value that our privacy program brings to HP. We are spending more time on high value efforts and have clearly established ourselves as a business partner with the business units and regions. Our metrics program is the last step in a comprehensive effort to add value to the business and our customers' interactions with HP.

 

Nymity: In closing, how would you recommend an organization go about implementing their own privacy metric program?

 

Swartwood: The strongest recommendation that I would make is to start small. Do not attempt to boil the ocean. We put all of the other aspects of our program in place before we started with our metrics effort. When we started, we only measured the few key items that were the most relevant to management. We then expanded the effort to ensure we were measuring all aspects of our efforts.

 

 

 
