In 2000, Harriet Pearson became IBM’s first chief privacy officer and part of the vanguard of early CPOs who laid the groundwork for how corporations approach privacy. Pearson, who is now a partner at the Washington, D.C.-based firm Hogan Lovells, is an expert in corporate data privacy and cybersecurity and now consults with companies on how to grapple with government regulation, user privacy and online threats.
Adweek spoke with Pearson about the biggest issues facing companies and chief privacy officers today.
This interview has been edited for length and clarity.
Adweek: What was your role as CPO of IBM like?
Harriet Pearson: Being in the vanguard, I’ve kind of had a blank page. … I could design something, and what my role ended up focusing on was designing a global risk-management and compliance program that said: What are the privacy issues for this organization? How do we address them? Do we have the right policies, the procedures? And as new products and new ideas come to market, how do we think about privacy and trying to embed that kind of thinking and sensibility into them? And it’s the same thought process as is completely relevant and contemporary today, and I would say that my role over time and my focus area has kind of changed from year to year, but really foundationally, it was about: Do we have a program? Do we have a culture of attention to privacy? Are we embedding that thinking across the world?
I’d say toward the beginning of my tenure in-house, so to speak, it was about governance and strategy and doing what made sense to do, influenced of course and guided by legal requirements that were present even then around customer protection laws and some privacy laws in the health arena. And Europe had its directive, the former directive that is now superseded by the regulation as of May. But it wasn’t as regulated, and so it made it a little more flexible to design and implement programs.
How do the CPO and chief security officer work together?
There’s an old saying that you can’t have privacy without security. It’s absolutely true—you can’t not pay attention to the privacy of information, which is how do I appropriately handle information and meet the commitments I need to meet with respect to what I do with that information, how I use it? How long do I store it? With whom do I share it? Those are all privacy-related questions because if you actually want to implement and comply with privacy law, regulation or expectations if you give me your data, it will allow me to have access to some information about you. I can protect your privacy as long as I handle that information well and in accordance with what you and I have come to terms with and you’ve agreed that I can do with it. But, if I have a breach, that destroys whatever chance there is to meet my privacy obligation. So the two roles need to be intensely collaborative. In good companies, they are.
Are breaches inevitable these days?
You’re right it’s not a matter of if, it’s a matter of when an organization will experience an incident that may, when it’s investigated, amount to a breach, a data breach or a breach of systems. The key is to be prepared to handle that kind of an event in a rapid and thoughtful way. … Almost all the companies I work with have a written incident-response plan in place. They rehearse that plan at least annually. They have shared that plan with their board of directors. They involve vendors in rehearsing and being part of the planning process for responding to a breach. They train their workforce on how to report a suspected incident, whether it’s a lost laptop or a computer that’s acting strangely.
What are the things that you’re most focused on with clients these days? What are the biggest challenges that companies have?
No. 1: GDPR. No. 2: GDPR. So, No. 1 and No 2 is lots of GDPR all the way, and I say it twice for emphasis. And I also say it twice because of two actual different thoughts. One is a company that is doing business in Europe or is targeting or addressing individuals in Europe as part of its business operations needs to put in place a compliance plan for GDPR. That’s clearly occupying many, many organizations now.
The second reason for mentioning GDPR is with GDPR, it’s actually an opportunity for companies to put in place a global companywide privacy compliance program, because if you’re going to go to the effort of figuring out how to comply with European privacy law, that’s very comprehensive and has very significant fines and penalties associated with noncompliance. If you’re going to do that, you might as well mature and put in place a program across your whole organization. And I’m seeing probably more than half of the companies I work with are using GDPR as a reason to relook at and mature and refine their overall privacy-compliance program. So we’re seeing a lot of new privacy officers and leaders being hired or promoted to oversee and mature their overall privacy-compliance programs.
I think being vigilant on some of the newer issues that have emerged as important practices for companies. That includes if you’re publicly held and you have an incident being very mindful about what the Securities and Exchange Commission has said needs to be in place to disclose that incident to investors or information about cyber-risk to investors to look at and make sure that insider trading, the risk of insider trading, is addressed for those who might have information about an incident that is significant. Is there sufficient technical insight in the organization to investigate those kinds of incidents? Another area that’s hot is … in the market advertising space, everything is digital. Everything is big data. There is increasing use of AI, and it’s these new tech privacy issues. What do we do? How do we chart a course forward?