The Wall Street Journal reports on moves by companies to create “privacy impact assessments,” in order to prevent privacy problems from arising. [Disclosure: I am a member of the International Association of Privacy Professionals, which is discussedin this story.]:
For years, companies have conducted environmental-impact assessments to determine the effect of prospective construction projects and operations. Now, many leading companies are conducting privacy-impact assessments before launching products and services.
The goal of these assessments: avoid running into regulatory fire in the complicated landscape of privacy law. Global companies have to manage privacy laws that differ by country—and by state in the U.S. And the stakes are getting higher, as regulators world-wide are increasingly cracking down on privacy violations.
As a result, a growing cadre of professionals is being hired to manage companies’ privacy risk. Founded in 2000 by just 15 people, the International Association of Privacy Professionals has grown to more than 9,000 members world-wide. […]
As the field has grown, those professionals have shifted away from just troubleshooting toward prevention.
“Early on it was all about compliance,” says J. Trevor Hughes, chief executive of the association. “Today, there is as much business-management focus as there is law and compliance.” […]
A watershed for the industry was Google Inc.’s settlement with the Federal Trade Commission in March. The FTC had charged Google with deceptive practices related to its rollout of the social-networking service called Buzz. The commission alleged, among other things, that users who agreed to join Buzz weren’t adequately informed that the identity of the people they emailed most frequently would be visible to others by default.
To settle the case, Google agreed to a number of measures, including putting in place a “comprehensive privacy program” that conducts privacy-risk assessments of Google’s products and services and is audited by a third party every other year.