When privacy is compromised, it can damage an organisation’s reputation, corporate credibility and consumer trust, and increasingly results in financial penalties. Many organisations worldwide have suffered privacy breaches, largely caused by a lack of senior management understanding and often resulting from poor governance.
Information privacy protection is an important information management issue that goes beyond Data Protection regulation. It continues to challenge both private and public sector organisations, and is of growing concern to multiple key stakeholders.
The three key mechanisms for addressing these privacy management challenges have been:
- Individual self-protection
- Industry self-regulation
- Government regulation.
Evidence suggests that consumers are sceptical about the first two mechanisms. The self-regulatory model of privacy governance may not be sustainable over the long term.
This would leave compliance with government regulation as the only other approach. However, governments have grappled – often unsuccessfully – with regulating information privacy management issues. Additionally, regulations are often reactive and outdated by the time they are enacted. Most privacy law violations are only detected and subsequently prosecuted because the organisation was required to file a disclosure after the incident occurred. By that time, the damage is done.
While the continued rise in breaches is evident, and while the challenges associated with privacy protection management are clear, what is not clear is how best to address them.
A new approach to privacy protection
By reviewing organisations’ published practices and strategies, and their approach to privacy protection management, we can see certain trends that have arisen in recent years. Exploring these trends enables us to evaluate privacy protection approaches and their effectiveness. We identified four key approaches to privacy protection:
- As a consumer trust enhancing tool
- As a risk management objective
- As a compliance problem to be solved
- As a cost to be minimised.
Each approach demands a different information strategy and financial investment. The chosen approach depends largely on the business context of the organisation and its position within a given industry. For example, large technology companies will more quickly fall into categories 1 or 4, whereas regulated industries such as financial services or pharmaceuticals will more typically fall into groups 2 or 3.
GDPR on the horizon
And now, as we start the descent towards 2018, organisations are squaring up to the EU General Data Protection Regulation (GDPR). Organisations operating from approach 1 are most likely already compliant with, if not exceeding, what the regulation asks.
Organisations operating from approaches 2, 3 or 4 are busy devising new strategies aimed at implementing the regulation by a particular internal deadline. However, as technology matures and big data analytics grow, another regulation may well be on the horizon, or an updated version of GDPR released, by the time these strategies are implemented: the donkey never quite grasps the dangling carrot, but is exhausted from trying.
Beyond the regulatory requirements
What if organisations implemented privacy protection initiatives that were driven by, and aimed at, enhancing the consumer trust relationship instead of merely implementing upcoming regulation? Here are a few suggestions as to how they might do this:
- The implementation of a more ‘justice’-based set of non-binding rules such as the OECD Fair Information Practices Principles
- The incorporation of Privacy-By-Design principles into new product developments and processes
- Accreditation to Trust Seals such as TRUSTe (now known as TrustArc). Research shows that the seals, and awareness of their presence, introduce and build trust with the consumer
- Providing data protection and privacy awareness training to both internal and external customers such as consumers, employees and suppliers. These types of initiatives build trust, and are visible to all stakeholders
- Publishing privacy initiatives in Corporate Social Responsibility and sustainability reports
- Placing consumer trust at the core of every strategic information management decision
- Communicating policies and terms and conditions – not as legal documents that require mandatory publishing but as documents that establish and enhance the trust relationship with the consumer.
Although the GDPR is loosely based on these principles, they existed long before the regulation did. There is a strong case for organisations to implement these principles because it is ‘the right thing to do’, not just because the regulation tells them they should.
Organisations need to remind themselves that the personal data they hold does not belong to them but rather to the people who entrusted their personal data to that organisation. Trust is the foundation of any relationship. By demonstrating that it takes responsibility for protecting the data entrusted to it, an organisation can build lasting relationships with its customers.