
Interview with PricewaterhouseCoopers

 

February 2004

 

Terry McQuay, Nymity's President, spoke with Linda Drysdale, Leader of the Canadian Privacy Practice at PricewaterhouseCoopers (PwC), about privacy governance.

 

See Ms. Drysdale at Nymity's Employee Privacy Conference (May 17th, 18th) as she moderates a best practices panel. Visit PricewaterhouseCoopers to learn about their privacy practice.


Nymity:  Linda, how is privacy a part of corporate governance?


Drysdale: Privacy is integral to corporate governance. Corporate governance focuses on enhancing shareholder value through ensuring accountability and transparency in the direction and control of an organization. Senior management and boards of directors build governance processes into operations in order to protect corporate reputation and brand image. Good privacy practices are critical to maintaining that reputation and brand image because privacy is all about building and maintaining trust, whether it be with customers, employees, business partners, investors or other stakeholders.


Nymity:  What is privacy governance?


Drysdale:  Privacy governance concerns the organizational infrastructure, processes and leadership that ensure organizations meet their privacy obligations in a way that responsibly protects and maximizes shareholder value.
Privacy governance links an organization’s business objectives to the privacy imperatives companies face today, which include laws and regulations, internal standards and policies, voluntary standards, and the growing expectations of customers, employees, and business partners.


Nymity:  What is the difference between privacy governance and privacy compliance?


Drysdale:  Privacy compliance mandates adherence to a set of privacy laws and obligations. Privacy governance focuses not only on mitigating legal and regulatory risk, but on building internal infrastructure to meet corporate responsibilities to address privacy obligations and protect corporate reputation and brand by building ongoing operational enablers including organizational structure, monitoring and management processes, technology, and value metrics.


Nymity: What are organizations’ top privacy governance concerns?


Drysdale:  Privacy is a relatively new area of focus for many organizations and not only is the legislative environment evolving, but so are customer and other stakeholder expectations and the competitive environment. Business operations also change over time. All of these elements impact an organization’s privacy practices, so organizations are concerned about things falling through the cracks, and the ability to meet not only the present, but the future demands of the business and its customers.

 

Nymity: Does this mean privacy has reached the boardroom, or are corporations reacting to Canadian privacy laws?


Drysdale:  Certainly more and more of my clients are talking about privacy at the board level, and if they aren’t they probably should be. Responsible boards want to ensure that they are not only meeting the basic requirements of the legislation, but are also responding to customer and business partner expectations and protecting corporate reputation. Boards and executive management want to have mechanisms in place to prevent poor privacy decisions, identify and address issues as they arise, and have the ability to report both internally and externally to stakeholders. A company can’t be transparent or accountable if it doesn’t have the structures in place to properly manage the personal information it deals with.


Nymity: What does good privacy governance look like?


Drysdale:  Good privacy governance results in a close alignment of privacy and business strategy, the organizational environment and operational activities. This means management is committed, and roles and responsibilities are properly defined and well understood throughout the organization. Organizational commitment is supported by formal training. Processes exist that prevent and address problems, monitor compliance and ensure effective and consistent communication with internal and external stakeholders. Metrics are in place to measure performance, costs and benefits against established internal and external standards.


Nymity: What are some of the challenges to achieving good privacy governance?


Drysdale:  It’s not easy. Changing privacy requirements make good privacy governance a challenge. The ambiguity regarding stakeholder expectations adds to the challenge by making it difficult to provide a clear understanding of the requirements to employees throughout the organization in a cost-effective yet comprehensive way. Practical issues concerning how to transform ad hoc approaches into effective privacy governance, how to adequately integrate the proper processes and systems into an organization’s current infrastructure, as well as simply knowing where to begin are other common challenges.


Nymity: How is a privacy breach a governance issue?


Drysdale:  An organization’s privacy governance determines how the breach is handled, how the organization responds in dealing with the breach and the ultimate impact on the business. For example, effective privacy governance will determine whether there are mechanisms in place to alert management that a breach has occurred, whether escalation procedures are in place and whether individuals involved understand what they need to do. Further, privacy governance provides a process to manage the resolution of the issue based on its urgency, and after the immediate breach is resolved, the ability for the organization to learn and evolve its business practices to avoid future breaches.

 

Nymity: How is employee privacy becoming a governance issue?


Drysdale:  Employees are key stakeholders in good privacy governance. They need to be trained and aware of issues, and most importantly they need to buy into their roles and responsibility for privacy. An organization that includes employee privacy in its overall privacy initiative demonstrates management’s commitment to privacy and helps instill the culture of privacy that is critical for privacy governance.


Nymity: Is secure document destruction a governance concern?


Drysdale:  Document destruction is a process which is critical to privacy. Effective privacy governance would provide the oversight to ensure that document destruction policies and procedures exist, are well understood and followed by all employees, and are revised when appropriate.


Nymity: What recommendations would you make to organizations regarding privacy governance?


Drysdale:  Companies need to put in place an effective privacy governance framework in addition to focusing on meeting immediate privacy compliance, which is often done on an ad-hoc basis.
Buy-in from senior management is crucial for implementing this kind of framework.
Good privacy governance depends on developing effective operational enablers for an organization’s business objectives and compliance requirements, so this is another critical component. PwC, for example, has developed a comprehensive framework that provides a structured way to operationalize privacy throughout an organization. While the specifics must be tailored to each organization, the framework focuses on key elements in four areas: people, processes, technology and cost/value.

 

 

 
