Sometimes an issue floats just beyond the horizon or simmers on the backburner before it boldly flashes forward, not to be ignored or diminished any longer. That’s what’s happened with privacy – percolating for years, the subject of discussion – but with true awareness rising in the U.S. only for the past 12 to 18 months.
The combination of the GDPR in Europe, the new California privacy law and the Cambridge Analytica scandal in which the research firm harvested raw data from millions of Facebook profiles during the 2016 Presidential election has caused businesses and private individuals to think more about creating a privacy culture at their organizations.
Governments have certainly responded: Gartner estimates that by 2022, half of our world’s population will have its personal information covered under local privacy regulations in line with the GDPR, up from one-tenth today.
Big tech companies are also slowly starting to get the message, especially companies that have felt the sting of fines. For example, the French data protection authority fined Google nearly $57 million earlier this year for violations of the GDPR. More fines are expected, though critics say the fines aren’t coming fast enough.
While cynics may say that a hefty billion-dollar fine to Amazon, Google or Apple would just get written off as a cost of doing business, many companies – and especially individuals – really are taking action to protect privacy.
On the corporate front, recognizing that these issues have
caused people to leave Facebook, the most widely
used of the social media platforms has responded by making proactive statements
in the press about a new direction for Facebook based on secure communications.
Facebook still has many skeptics and has lost millions of users in the past year or two, but Susan Glick, a spokeswoman for Facebook, insists that the social media platform has been focused on keeping Facebook safe and protecting people’s data. She cites some notable improvements the company made during the past year:
• Increased staff. Facebook has more than tripled the number of people focused on safety and security to 30,000.
• Stricter application reviews. Glick says Facebook tightened its app review process and restricted the data apps developers can obtain.
• Stronger organizational focus on privacy. Facebook restructured the company and created the Privacy and Data Use organization — a group focused solely on privacy.
• More proactive enforcement. Facebook removed more than 1.5 billion fake accounts in the last two quarters.
“In 2019, specifically on privacy, we’ll keep improving our privacy controls to make them simpler and easier to use,” Glick says. “We’ll do more to make sure people understand how we use data and how they can control it. And, we’ll keep learning — from privacy advocates, policy makers, other companies, people who use Facebook – because we realize we can’t do this alone. There will always be bad actors out there, but we’ll keep improving our defenses, act quickly to protect people and be transparent about it.”
Other companies have followed suit.
David Hale, chief privacy officer at TD Ameritrade, says one recent project TD Ameritrade took on was reviewing the cookies it uses on its websites to identify places they could improve. In pursuit of the privacy principle of data minimization, Hale says the financial giant streamlined the information it collects on site visitors.
“Companies that want to be ahead of the regulations are looking at how they collect, store and use personal information,” Hale says. “This often goes hand-in-hand with data governance in the organization. It’s now critical – in a way that it wasn’t even five years ago – to understand how information moves through your systems and why.”
Hale says TD Ameritrade aims to create a culture which understands that privacy remains central to the ability of the business to create trust.
“I often tell our employees that it’s not right to characterize my job as being to protect personal information – I almost never encounter it,” Hale says. “Instead, it’s the responsibility of each of us, the entire organization, to be vigilant on behalf of our clients and fellow employees.
Consumers Rule in Europe
It’s pretty clear that Europe leads the way in terms of individuals taking data privacy matters into their own hands. Enza Iannopollo, a senior analyst at Forrester, says her research found that 53 percent of consumers in Europe would cancel a transaction if they don’t like something in the company’s privacy policy.
“Consumers have increased privacy awareness and are taking action to protect themselves,” she says. “Consumers understand that they have rights and will report wrongdoing to regulators. They are also using technology to ensure that companies don’t track them.”
Because Europe has been way ahead of the United States with privacy awareness, the American public requires more education, says Yan Solihin, director of the cybersecurity and privacy cluster and a professor in computer science at the University of Central Florida.
“Users need to know the implications of certain privacy settings,” he says. “For example, when they agree to ‘share data in order to personalize and improve services,’ they need to know what that means to their data.”
Solihin adds that users also must be educated as to what the laws say. For example, users own the content that they generate on social media and can revoke it if it has not been shared to others, but metadata generated from the analysis of the content, or data generated from how users interact with the platform are not owned by users.
In addition, browser type, IP address, time logs, cookies, and usage history are not owned by users, Solihin explains. “Social media platforms can share them with third parties,” he says. “So a social media platform can potentially share with a health insurance company public photos and data of a user or metadata derived from private content to determine the health risk leading to the calculation of insurance premiums,” or a person’s ability to pay the premiums.
Taking Care of Data
Forrester’s Iannopollo says companies need to think more critically about their retention polices. Any time companies store data for several years, it increases risk.
“When data is no longer useful, by default, organizations should get rid of that data,” Iannopollo says. “Of course, it you don’t know what assets you have, you won’t know how long to retain it. Companies need to get better visibility into what data they have and how long they can hold it. By doing so, they can reduce the risk of security breaches and the chance of consumers being upset because their data was exposed in a breach.”
Lorrie Cranor, director of the CyLab at Carnegie Mellon University, says organizations should restrict their data collection to what they really need and get permission to use personal data. She says they should safeguard personal data and make sure it’s not inadvertently exposed, adding that real privacy comes from a combination of technology and policy.
“There are technology solutions that can help protect privacy,” she says. “But it’s also critical for companies to have internal policies about data collection and usage and to make sure they actually follow them. Technology may be able to help companies enforce their own policies. New technology can be used to set and enforce access controls, store data in encrypted form and to de-identify data.”
New technologies such as consent and preference management tools can also help consumers more effectively manage their choices regarding how their personal data gets handled. According to a recent Gartner study, these preferences are then synchronized across a variety of legacy, active and incoming repositories, both on-premises and in the cloud. The ultimate goal of these tools: extend visibility and control to users, allowing them self-determination over how much of their data to expose, to whom and for what purpose, with the option of changing their preferences at will. Gartner estimates that by 2022, 30 percent of consumer-facing organizations will offer a self-service transparency portal that offers preference and consent management.
“Organizations with a mature privacy posture retain and satisfy their customers better by showing it’s understood that their most valuable asset is not data, but the customer’s trust,” says Bart Willemsen, a vice president and analyst at Gartner who focuses on privacy and risk management. “And the customer wants privacy protection – if it wasn’t a problem of this magnitude there would not be so many laws popping up in the last 24 months that intend to protect that value. Privacy is about giving the customer control over his or her data – privacy is becoming a context more than a place.”
TD Ameritrade’s Hale adds that modern concepts of privacy are both driven by and protected with ever-evolving technology. Hale says society will always struggle to meet privacy expectations with appropriate safeguards and controls. But no set of controls can protect information in a company if the people who make up the organization don’t understand their critical role in safeguarding information.
“Leaders have the responsibility not merely to deploy the right technology and create the right policies,” Hale says, “but to also make sure those policies are understood and can be followed by each individual tasked with protecting the information.”
So with strong leadership, awareness education and a technology staff that understands the symbiotic relationship between security and privacy, organizations can make great strides on privacy. It’s easy to throw up our hands and declare “there is no privacy.” But with technology poised to take another leap forward with artificial intelligence and machine learning, that’s really not an option. We need to deal with these privacy issues before they overtake us.
Developing clear privacy policies
On a certain level, just about every company has jumped on the privacy bandwagon. Pick a company or organization, and they will point to their longwinded privacy policy listed prominently on their website. But how do consumers know anything tangible is actually happening around privacy?
That’s part of the problem, says Bart Willemsen, a vice president and analyst at Gartner who focuses on privacy and risk management
“Please don’t give me 14 pages of legalistic text,” he says. “Companies would be better off making much simpler, more concise privacy statements.”
Here’s what Willemsen advises companies should share with the public:
• Identify who they are, for example, what type of company or organization they are.
• Define what personal data they are processing.
• Make clear for what purposes they are processing that data, how long and where the data resides.
• Explain who else has access to the data and why. For example, is the customer only in business with the presenting organization, or do others also have access?
• If the consumer has questions, who can they call? Is there a point of contact for privacy issues and concerns?
“With privacy policies, transparency is key,” Willemsen says. “Don’t bury on page 12 that you plan to update your privacy polices periodically, and you can read the latest version here. Who in their right mind would read that far in on a legalistic policy and keep up with when the privacy policy changed and what changed inside?”
