From internal investigations to data privacy issues to regulatory compliance, the overlap of privacy, security and compliance functions within an organization is inevitable.

But where should privacy be housed in the organization to ensure effectiveness, and how should it interact with compliance, legal, and IT? These were only some of the questions answered during a panel at Compliance Week’s annual conference in Washington, D.C., this week.

As noted by the panel members, different companies oversee the privacy function in different ways. At drugstore chain Walgreen Co., the compliance office reports to the chief executive officer and to the audit committee directly, with the privacy office being part of the compliance office, said Laura Merten, chief compliance officer of Walgreen.

At Walgreen, “privacy is driven and owned by everyone,” said Merten. “It’s a collaborative effort.”

At Dun & Bradstreet, a provider of business research and services, the privacy function, oversight and scope is global, said K.C. Turan, chief compliance officer and chief privacy officer of D&B. In addition, the company has a global compliance and ethics function, with the head of that function sitting under Turan. “So privacy is part of compliance, and compliance is part of legal,” he said.

Turan added that the privacy function of D&B is divided into two subject matter areas: data security and marketing. The data security side overlaps with information security, whether that be technical or physical safeguards, employee privacy, ID theft prevention, and such. The marketing side, on the other hand, has to do with providing and honoring opt-outs of such communications as direct mail, commercial email, and telemarketing, he explained.

Cheryl Fackler-Hug, vice president, associate general counsel of compliance for Hewlett-Packard, noted that HP has a privacy and data protection board, which has a large membership and is “very active,” made up of every function and every business unit.

All three panelists agreed that the location of the privacy function is not as important as having strong executive ownership of it.

As long as you have a “strong, knowledgeable, proactive” coalition, including the chief privacy officer, that’s just as effective as where the function sits, said Turan. With that said, he added that it’s helpful to have privacy sit somewhere within the compliance function, because you’re dealing with laws and regulations. “D&B has always had the mindset that privacy deals with business compliance.”

When it comes to the centralization of a privacy program, D&B takes a regional approach, with privacy liaisons both in the European Union and the United States. Within the EU, the firm uses the most restrictive country’s data protection standards, either those of Germany or those of Spain, said Turan. In the United States, on the other hand, the firm usually takes the most restrictive state standard.

Regarding cultural challenges that international companies face when it comes to privacy matters, relationship building is essential, said Turan. Outside of communication, training, and awareness, building relationships with business and operation leaders, letting them see you’re a partner in helping to execute creative solutions, is important. “Once you really establish strong working relationships, you gain that trust and confidence, it becomes much easier to overcome that cultural mindset and hurdle,” he said.

--Jaclyn Jaeger