The role of chief privacy officer (CPO) is one that has gained widespread appreciation and integration into the corporate ecosystem over the last several years; however, few individuals hold both the title of CPO and the less familiar and less understood one of CDO, or chief data officer. Balancing the agendas of a CDO and a CPO is the story of James Howard’s career.
James Howard is a former partner who served as chief privacy officer and chief data officer at KPMG in the U.S. Howard developed, implemented and operated an information management office, positioning the organization to leverage the transformative opportunities that cognitive computing and intelligent automation present. As CPO and CDO, James was responsible for the processes, tools and controls necessary to meet the complex information handling requirements, enabling business growth while ensuring protection. Howard’s perspective on how to leverage use of information while simultaneously complying with regulatory obligations and protecting “crown jewels” makes him the subject of this quarter’s installment of Coffee with Privacy Leaders.
What first attracted Howard to the privacy vertical was a desire to create balance and integration. “I have long recognized and appreciated the importance of the balance between the execution of business and the management of risk,” states Howard. “Very often when you look at how organizations approach privacy, they approach it as a legal concept – which of course it is – but we are all trying to run a business. Handling and manipulating data to protect privacy needs to be integrated with the business, not separated into silos of control.”
Howard has nothing at all against lawyers, but having observed lawyers exert a disproportionate influence on the business, he was determined to make a cornerstone of his career success the integration of business operations and legal requirements. “How do you eliminate the compartmentalization between legal and business decisions?” asks Howard. Step one is pulling privacy out of a pure compliance function. “If business operations are involved with handling data, you have to embed handling the controls in the processes, which means embedding the attorneys into the process,” states Howard.
“Legal compliance and business operations need to be symbiotic,” proclaims Howard. The privacy community was built on the backs of lawyers, and much of the privacy talent being hired to both guide a company toward compliance and operationalize the efforts within the organization to adhere to privacy regulations is in the hands of attorneys. “Lawyers look at the letter of law, yes, but they also consult on legal risk,” says Howard. “Their thought processes can be very different from those of executives whose focus is on business growth and meeting mission goals.” For Howard, the business side needs to lead, but legal has to remain closely involved.
“You can always eliminate risk by eliminating customers, but that’s not good for business,” smiles Howard. “So together, business and legal have to develop a framework for managing – not eliminating – risk.” Words like “risk” and “control” are often thrown around loosely. From Howard’s perspective, risk is simply the calculation of the probability that an adverse event could happen, while control is the throttle against the risk. Howard observes that sophisticated businesses will also work to manage residual risk, which is the probability that the controls will fail to prevent the risk. “The portfolio of controls makes up a control framework, which reflects a company’s philosophy toward and appetite for risk, implemented through policy and procedures,” says Howard.
Howard believes that in today’s climate an organization must frequently revisit its existing controls and reevaluate risk. There are certain triggers that Howard sees as driving reassessment of existing controls. “Changes in the business environment like a new product or an acquisition, changing regulations, an incident impacting a competitor in the market that could affect or have happened to you (say Equifax or Facebook) – these are qualifying moments. If everything were static, companies would not have to revisit risk, but nothing is static in a business environment,” observes Howard.
Howard feels annual risk assessments are too infrequent, but quarterly might be too disruptive to manage effectively. “Ideally, I envision a world where we could codify and monitor risk and residual risk on an ongoing basis, using a GRC platform to create a dashboard that gives you needles and gauges on where a company sits on the risk scale for particular issues.” However, to codify risk, an organization must stay abreast of all the potential changes in environment and regulation.
For Howard, that is the biggest challenge today for privacy professionals: remaining relevant and adding value. “What’s happening in the market right now is that obligations are increasingly complex and overlap one another – and business is making more demands of information, which thrusts privacy and data professionals into the forefront,” observes Howard. There is no denying that employers hiring privacy talent require an understanding of the ever-changing statutes on compliance state by state in the U.S., federally with regard to HIPAA and internationally with respect to the GDPR, as well as appreciating the monetization potential of data. “With so much nuance in privacy law, it makes sense why the EU wants the GDPR to be the law of the whole earth,” chuckles Howard. “So, how does a company remain effective in business, but also protect information in accordance with all these various regulations?” According to Howard, it comes back to balance and integration.
When asked to give advice to professionals seeking to create or maintain a career in privacy, Howard offered the following: “Privacy is about building relationships.” These relationships straddle business and legal, and privacy professionals who can harmonize the agendas of both will likely be successful. “Step in with a vision that all businesses have a mission,” reiterates Howard. “If a privacy professional, even at the analyst level, brings open-mindedness, curiosity and a desire to help the business meet its mission goals, that person can indoctrinate anyone to any approach.” For Howard, again, privacy is all about balance and integration: “We add value by creating controls and policies that protect information, but also always drive the broader mission.”