The Privacy Lawyer: CPO Watch: Richard Purcell

His excitement over this new model is infectious. He's mobbed by executives and other privacy professionals whenever he addresses his new approach. "It's simpler than people realize," he says. "Privacy needs to be defined more broadly in larger corporations than previously thought. People tend to focus on privacy as what's collected at the Web site or on health insurance or warranty forms, instead of recognizing that privacy is much broader. Privacy and respect for personal information has to become a core value. And all employees need to guard it and make sure they are implementing the corporate strategy."

Today Richard allows himself "to pursue innovative thinking and strategies that have no boundaries. For the first time in what seems like forever, I am running my own business and have the freedom to set my own strategy."

Richard's approach is to enable employees to make better and localized decisions, especially when privacy is implicated. "To do that, they need to be better trained. We are developing Privacy Directions SM, a set of privacy training courses to educate employees and help spread better information controls across the entire corporation."

Relying on technologies alone isn't enough. "Technologies are very helpful to privacy and data protection, yet there is little they can do directly. Most software that is designed to aid privacy protections does so only in context of the other elements of policies and procedures. Unlike security, the software itself is not the end game. It needs to express the corporate values and help secure the desired outcome. But those values and the outcome need to be carefully defined first."

Privacy Directions SM training involves a series of processes, which Corporate Privacy Group calls life cycles. They describe the processes needed to develop a privacy vocabulary, corporate policies, data practices, and implementation. While many of these processes already exist, too often no one is connecting the dots. Without that overview, it's impossible to have a meaningful information strategy. "Most importantly," Richard says, "without it, privacy remains a tactical problem for most companies, subject to ad hoc and often arbitrary solutions. With the overview, security applications, trust relationships with customers, and interplay with government agencies are improved radically."

Richard Purcell has helped flesh out the role of a privacy professional during his term at Microsoft. Those in the know are now watching as he begins to flesh out privacy training and processes in the private sector. With the challenges we face balancing legal compliance, risk management, and new technological advances, Richard's help is welcome.

Parry Aftab is a cyberspace lawyer, specializing in online privacy and security law. Her Web site is at aftab.com. To suggest other privacy professionals to be featured in CPO Watch, write to her at [email protected].

To discuss this column with other readers, please visit the Talk Shop.

To find out more about Parry Aftab, please visit her page on the Listening Post.