When privacy is compromised, it can damage an organisation’s reputation, corporate credibility and consumer trust, and it increasingly results in financial penalties that continue to grow. Many organisations worldwide have suffered privacy breaches, largely caused by a lack of understanding at senior management level and often resulting from poor governance.
Information privacy protection is an important information management issue that goes beyond Data Protection regulation. It continues to challenge both private and public sector organisations, and is of growing concern to multiple key stakeholders.
The three key mechanisms for addressing these privacy management challenges have been:
Evidence suggests that consumers are sceptical about the first two mechanisms. The self-regulatory model of privacy governance may not be sustainable over the long term.
This would leave compliance with government regulation as the only remaining approach. However, governments have grappled – often unsuccessfully – with regulating information privacy management. Additionally, regulations are often reactive and already outdated by the time they are enacted. Most privacy law violations are detected, and subsequently prosecuted, only because the organisation was required to disclose the incident after it had occurred. By that time, the damage is done.
While the continued rise in breaches is evident, and while the challenges associated with privacy protection management are clear, what is not clear is how best to address them.
By reviewing organisations’ published practices and strategies, and their approach to privacy protection management, we can see certain trends arise in recent years. Exploring these trends enables us to evaluate privacy protection approaches and their effectiveness. We identified four key approaches to privacy protection:
Each approach demands a different information strategy and level of financial investment. The chosen approach depends largely on the business context of the organisation and its position within a given industry. For example, large technology companies more often fall into categories 1 or 4, whereas regulated industries such as financial services or pharmaceuticals more typically fall into groups 2 or 3.
And now as we start the descent towards 2018, organisations are squaring up to the EU General Data Protection Regulation (GDPR). Organisations operating from approach 1 are most likely already compliant with, if not exceeding, what the regulation asks.
Organisations operating from approaches 2, 3 or 4 are busy devising new strategies aimed at implementing the regulation by a particular internal deadline. However, as technology matures and big data analytics grow, another regulation may well be on the horizon, or an updated version of the GDPR released, by the time these strategies are implemented; the donkey never quite grasping the dangling carrot, but exhausted from trying.
What if organisations implemented privacy protection initiatives that were driven by, and aimed at, enhancing the consumer trust relationship instead of merely implementing upcoming regulation? Here are a few suggestions as to how they might do this:
Although the GDPR is loosely based on these principles, they existed long before the regulation did. There is a strong case for organisations to implement these principles because it is ‘the right thing to do’; not just because the regulation tells them they should.
Organisations need to remind themselves that the personal data they hold does not belong to them but to the people who entrusted it to the organisation. Trust is the foundation of any relationship. By demonstrating that it takes seriously the responsibility of protecting the data entrusted to it, an organisation can build lasting relationships with its customers.