Refusing to Gamble on Privacy

Sandy Hughes, chief global privacy officer for Procter & Gamble, oversees privacy efforts for the company’s 98,000 employees working in 80 countries. In an interview with Fast Company, she expanded on the company’s approach to privacy, the need for consistency, and the challenges associated with keeping up with change around the world.

Fast Company: As big as it is, Procter & Gamble is really just one company globally. How do you protect and manage the privacy of your employees when every country has a different set of laws?


Sandy Hughes: We have a global privacy program, which has about 30 part-time members. The council oversees all of the privacy efforts for the entire company. Employee privacy is just one piece of the privacy we manage. We also focus on consumer marketing, consumer contact centers, and recruiting. To oversee all of this, the council has a leader for each type of privacy. They set the guidelines and the agenda. Then there is a regional person who implements — for the countries within their region — every type of privacy policy that we control. But the principles in our global privacy program are the same no matter whether you’re talking about employees, consumers, recruiting, marketing or otherwise.

FC: Those 30 people oversee privacy guidelines for all 98,000 employees?

Hughes: Yes, and for consumers as well. This approach really lets us operate well throughout the company. In addition, we have a number of external resources like people in law and purchasing on the global privacy council. The person who is responsible for employee privacy — they coordinate training and special procedures — has a network of people around the world who are also responsible. Those people on the regional level are looking out for any special legislation changes or things that would make a difference to our global employee privacy program.

FC: How long has this system been in place?

Hughes: We’ve had employee privacy for about 25 years now. The global privacy council has been in place since the late 1990s.

FC: What’s the difference between what you do and what a privacy officer might do in a smaller company?


Hughes: Our biggest challenge around the world is keeping track of all the differences between the countries — and where changes pop up. The European Directive, which was developed in 1995, was just reviewed so it came from a European Commission point of view. The member countries have all interpreted it a little bit differently, so it’s hard to get consistency. As a global company that wants to have one way of doing things globally, it’s hard to keep track of that and try to work with various groups to get some consistent interpretation of legislation so we don’t have to have different ways of doing things for various countries. The EU directive is what we tend to follow for our global policy, but Germany, Italy, and Portugal all have different interpretations on some of that.

FC: What about when employees move to a different country?

Hughes: It can get complicated. We look at the strictest privacy regulations anywhere in our 80 countries, and we adopt those as our basis for the globe. We take the strictest and say that it’s going to be our policy across the board because we want to do what’s right. It’s part of our purpose, mission, and values to always do the right thing for our employees, our consumers, whomever.

FC: So if I work with P&G, even if my country’s guidelines don’t offer much protection, I’ll be protected under the strictest laws out there?

Hughes: Yes, unless there’s a reason you wouldn’t want those privileges. If a particular country doesn’t have legislation — the U.S. doesn’t have a lot — we would ask you why our global privacy policy would hurt your business. If you can prove that it would hurt you, we’ll give you an exception. Typically, though, that hasn’t happened.

FC: Is that type of company-wide equality common among global companies?


Hughes: Well, we’re seen as one of the more forward-thinking ones. It gets down to being a business-driven principle-based program, rather than legally based. We go the extra mile because it’s the right thing to do — to give employees choices, to have access to their data. Even though we’re not required to do it in some countries, it’s the right thing to do.

FC: When you say employees have access to their data, what do you mean?

Hughes: They can access records, salary, benefits — as well as contact info, anything they’ve given us. They also have access to their performance reviews and what their ratings are. Any in-house information.

FC: How does P&G handle email and Internet monitoring?

Hughes: Monitoring is one of the areas where, country to country, it’s really vague what it actually means and how it’s going to be handled. We specify that “monitoring” is a bad word. We aggregate data so it’s not personally related. We look at peaks and valleys and when things get out of control. We have a procedure set up so that when it looks like something is wacko, and it looks like we need to actually get in and look at personal information, we involve information security, HR, etc. It’s a big procedure to actually monitor an individual. At some level, you have to trust your employees to do the right thing. If it’s something like testing of an application, where we’re [monitoring] in order to improve the application, we ask people. We tell them what’s going on, and we see who wants to do it.

FC: What about privacy matters for people who don’t use email or the Internet?


Hughes: When we have to reach people who don’t have electronic mail — people in plants and people working on [production] lines — we have procedures set up with their managers for getting training and privacy notices to them.

FC: What’s the most challenging thing about your job?

Hughes: Consistency! You have to stay on top of every place, all the time — where there are differences, where things could impact what we already have in place. We have to manage the consistency of what different countries are requiring of us. When standards and rules change, is it going to make an impact on us? Do we need to change? We try to pick the strictest guidelines, so we have to keep looking at anything new that comes up.

FC: Sounds like a full-time job.

Hughes: Pretty much; more than half-time. I have a team of two full-time people.

FC: What else do you do?


Hughes: I’m actually part of the corporate strategy group, which fits really well. If you look at future strategy — where businesses are going — it means getting closer to consumers, and that means making sure we protect their privacy.