Thinking strategically about privacy
Responsibility and accountability continue to be the watchwords when it comes to managing privacy. As the field continues to mature, we see three distinct megatrends forming based on market conditions and the impact they are having on how organizations approach privacy.
Governance: a shared responsibility for privacy management – The availability of digital information is transforming businesses so quickly that regulators, and often organizations themselves, are having trouble keeping up.
Regulators realize that their tools of compliance and enforcement are simply not enough. As such, they are seeking to become more active participants — strategic advisers — in decision-making discussions with organizations and consumers. Enforcement remains an important tool, but the focus is shifting more toward collaboration, communication and education.
For organizations, as the risks associated with personal information continue to escalate, the trend toward independent assurance in the privacy sphere keeps growing. Organizations are using a number of tools to address privacy risk. But organizations and regulators need to work collaboratively to navigate the increasingly complex privacy landscape.
Technology: personal privacy versus corporate interests – Organizations are using technology to introduce new products or services, improve efficiency and collect more information about their customers than they currently need or know how to use. However, with these universes of opportunities come risks. Organizations need to implement not only policies and controls to safeguard personal information, but also monitoring tools to track how consumer data is being accessed and used. Monitoring tools demonstrate accountability, but they can also uncover failures that may cost huge sums to resolve.
Internally, technology is propelling a transition to a fully mobile workforce. The widespread adoption of bring-your-own-device (BYOD) is generating efficiencies, but also significant security concerns. In this instance, organizations should use monitoring tools to keep an eye on their own data.
Regulation: a strategic shift from compliance to accountability – As privacy management grows more complex, so too do the questions regulators have to answer. Who gets to decide, for example, which is more important: the right to be forgotten or the right of others to remember? Privacy programs need to be able to bridge these gaps – faithfully adhering to regulatory requirements while practically addressing the challenges of their organizations and stakeholders.
Regulators are steering organizations to think beyond compliance to more holistic and encompassing privacy management programs. For example, the Federal Trade Commission is busy seeking bolder action on privacy protection.
Regulators have also been taking a softer approach with Privacy by Design – which seeks to proactively embed privacy into the design specs of information technologies – recommending it rather than mandating it. Unfortunately, the framework has yet to gain traction. Until it becomes a regulated standard, many organizations will continue to collect reams of personal data without always taking due care to protect it.
Regulators and organizations need to work as partners rather than as opponents. Together, they must serve as pillars of the digital community, setting standards of trust and respect that the rest of society can follow.
Sagi Leizerov is leader of privacy advisory and assurance services at Ernst & Young. The views expressed herein are his and not those of his employer.