Don Draper, Data Privacy Compliance Role Model
Mad Men's latest season premieres in April, providing an opportunity to welcome back traditions that time has forgotten: three-martini lunches, smoking at work, and smaller government. As the U.S. government stepped in to help right the wrongs in the Mad Men 1960s, it also began to capture personal data about us and created rules about how companies must protect that information.
In a 2011 report on "The Evolving Privacy Landscape," the Organisation for Economic Cooperation and Development traced the genesis of data privacy legislation to the 1960s post-industrial information revolution and government use of this personal information. In the ensuing 30 years of privacy law developments, overlapping government privacy regulations now blanket the globe.
As companies design privacy compliance programs to protect against data breaches and the unintended use of personal data, each year countries revise privacy legal requirements and increase enforcement. In the first few months of 2013 alone, Peru has published regulations for implementing that country's first data protection law, Costa Rica's data privacy law took effect following the release of implementation regulations, and India adopted new privacy regulations imposing wide-ranging obligations on companies that receive and collect personal information.
Don Draper says, "Change is neither good nor bad, it simply is." Draper's advice is spot-on for data privacy compliance, because data privacy compliance programs have the same key components as all programs designed to effectively address compliance risks on a variety of topics, such as trade controls or anticorruption. The evolving focus of data privacy isn't inherently positive or negative, but the targets do and will keep changing.
While there is no one-size-fits-all privacy program, an effective privacy compliance program has the buy-in of business leaders and key individuals in the organization, such as HR and IT professionals, and an appropriate division of responsibility for the success of the program. A privacy compliance program is built on a framework that ensures employee and other sensitive data is only used and transferred for legitimate business purposes and retained for appropriate periods of time. Such a program also includes comprehensive data management procedures and sets forth written policy and IT security measures to limit access to and use of protected information. The program should extend to address collection and use of data by third parties and place appropriate limits on data use throughout the life cycle of a company's business. It also must provide measures to educate employees about collection and use of personal data, as lack of employee training and awareness is one of several factors that can directly contribute to a data breach.
Finally, Draper always does the hard work when it comes to protecting secrets. Your company's privacy program should have mechanisms for auditing data collection, use, and transfers, and clear protocols for responding to data breaches or unintended uses. Effective auditing and monitoring can be conducted through the same reporting mechanisms that companies have established to address other compliance risks. Part of the incident response plan may involve procedures for notifying affected parties of the breach to the extent required by law in the jurisdictions where the company operates. Ideally, annual privacy audits can be integrated into the existing internal audit function at the company. Routine auditing of the program through the internal audit function can help ensure that privacy procedures are being followed, create formal assessments, illustrate actual privacy practices to the various stakeholders, and create the groundwork for any changes needed to the program.
Just like government-mandated airbags and cigarette warning labels eventually became the standard for addressing the kinds of risks faced by our heroes in Mad Men, privacy regulations are here to stay. As companies focus on how to utilize big data to improve their business, compliance officers can manage privacy data using the same management systems they rely on to address other key compliance risks.
Ryan McConnell is a partner at Morgan Lewis and a former federal prosecutor. Charlotte A. Simon is an associate at the firm. Both live by Don Draper's principle, "If you don't like what's being said, change the conversation." Send topics you would like to see discussed in this column or your favorite Mad Men quote to firstname.lastname@example.org.