http://online.wsj.com/article/SB10001424053111904583204576542492284984576.html

SEPTEMBER 26, 2011

Heading Off Privacy Problems--Before They Arise

With 'privacy-impact assessments,' companies understand how regulators and consumers will react to new products and services

By JULIA ANGWIN

When General Electric Co. was getting ready to launch a home energy-monitoring appliance last year, it called in an unusual expert: the company's chief privacy leader, Nuala O'Connor Kelly.

Ms. Kelly quizzed the product developers on how they planned to use the data collected by the device and advised them on what to write in the appliance's "energy data privacy policy" for consumers.

Welcome to the new world of corporate privacy.

For years, companies have conducted environmental-impact assessments to determine the effect of prospective construction projects and operations. Now, many leading companies are conducting privacy-impact assessments before launching products and services.

Legal Land Mines

The goal of these assessments: avoid running into regulatory fire in the complicated landscape of privacy law. Global companies have to manage privacy laws that differ by country--and by state in the U.S. And the stakes are getting higher, as regulators world-wide are increasingly cracking down on privacy violations.

As a result, a growing cadre of professionals is being hired to manage companies' privacy risk. Founded in 2000 by just 15 people, the International Association of Privacy Professionals has grown to more than 9,000 members world-wide.

Just in the past few weeks, Apple Inc. hired Jane Horvath, who had been global privacy counsel at Google Inc., to fill a new position that focuses on privacy. Previously, Apple's privacy initiatives had been part of the portfolio of Guy "Bud" Tribble, Apple's vice president of software technology. Apple declined to comment.

As the field has grown, those professionals have shifted away from just troubleshooting toward prevention.

"Early on it was all about compliance," says J. Trevor Hughes, chief executive of the association. "Today, there is as much business-management focus as there is law and compliance."

The Google Moment

A watershed for the industry was Google Inc.'s settlement with the Federal Trade Commission in March. The FTC had charged Google with deceptive practices related to its rollout of the social-networking service called Buzz. The commission alleged, among other things, that users who agreed to join Buzz weren't adequately informed that the identity of the people they emailed most frequently would be visible to others by default.

To settle the case, Google agreed to a number of measures, including putting in place a "comprehensive privacy program" that conducts privacy-risk assessments of Google's products and services and is audited by a third party every other year.

For privacy professionals, the settlement marked the first official endorsement of the privacy-risk management programs they had been pushing in their organizations.

"Accountability, not liability, is the future of data protection," says Martin Abrams, director of the Centre for Information Policy Leadership at the law firm Hunton & Williams LLP, in Washington, D.C.

Automating Assessments

The privacy field began to take shape during the dot-com boom, when privacy advocates protested a proposed merger between online data broker DoubleClick Inc. (now owned by Google) and offline data broker Abacus Direct Corp. The protestors claimed that merging the two types of data would violate DoubleClick's assurances that it would keep the online data it collected anonymous.

The merger eventually went through, but the high-profile debate about combining online and offline data prompted a lot of companies to examine their data-handling practices.

In 2000, International Business Machines Corp. appointed its first chief privacy officer, Harriet Pearson, making her one of the first such officers at a large public company.

Ms. Pearson, who had worked in environmental law, soon imported an idea from the environmental movement--the impact assessment--to her privacy practice. But she quickly found that it was expensive and time-consuming to have teams of lawyers assess all of IBM's internal data flows.

Six years ago, she and her Canada-based team began building an online tool to automate the privacy-assessment process. The tool is built around a questionnaire for IBM managers that first determines the type of personal data being collected and how it is being used.

The answers given to those questions then generate additional questions specific to each manager's operation and location. The tool then immediately produces an assessment of privacy risks and helps the manager and higher-level executives develop a plan to address those risks, drawing on a database that includes information on regulatory issues and best practices.

As of last year, the tool is available globally and tracks requirements for 90 countries that IBM works in. It takes account of the laws in each country and is updated whenever there are any changes in those laws.

As an example of the tool's effectiveness, Ms. Pearson says its use by managers of the company's internal jobs board alone has saved hundreds of hours of legal fees and costs for other experts.

Currently, the tool is being used only for IBM's internal operations, not to assess its products.

No Surprises

Other companies have taken that next step, including Hewlett-Packard Co., which uses a tool similar to IBM's to assess privacy risks during product development.

H-P's chief privacy officer, Scott Taylor, took the job in 2006. H-P unified the company's various privacy initiatives under Mr. Taylor's direction and set out to upgrade the company's privacy-impact assessments. It took two years, but he built an automated "privacy advisor tool" that rolled out throughout the company this year as a way to better identify privacy risks.

Anyone in the company using personal data about customers, vendors or employees will be required to assess their programs using the tool. The questions concern not only legal issues, such as European Union data-protection laws, but also the company's own privacy standards, such as its decision to treat computer IP addresses and device identifiers as personal data--something the FTC is pushing for but that is not yet standard practice.

The questions deal with operational details but also guide users toward a broader perspective.

"A simple example of one of the questions is, 'If you think about the delivery of this project, is there anything that might surprise the data subject?' " Mr. Taylor says. "Our biggest thing is we don't ever want a consumer to be surprised by something we do in a negative way."

Ms. Angwin is a senior technology editor at The Wall Street Journal, based in New York. She can be reached at julia.angwin@wsj.com.