Published on May 1st, 2019

Striving for a privacy culture


Sometimes an issue floats just
beyond the horizon or simmers on the backburner before it boldly flashes
forward, not to be ignored or diminished any longer. That’s what’s happened
with privacy – percolating for years, the subject of discussion – but with true
awareness rising in the U.S. only for the past 12 to 18 months.

The combination of the GDPR in Europe, the new California privacy
law and the Cambridge Analytica scandal, in which the research firm harvested
raw data from millions of Facebook profiles during the 2016 presidential
election, has caused businesses and private individuals to think more about
creating a privacy culture at their organizations.

Governments have certainly responded: Gartner estimates that
by 2022, half of our world’s population will have its personal information
covered under local privacy regulations in line with the GDPR, up from
one-tenth today.

Big tech companies are also slowly starting to get the
message, especially companies that have felt the sting of fines. For example,
the French data protection authority fined Google nearly $57 million earlier
this year for violations of the GDPR. More fines are expected, though critics
say the fines aren’t coming fast enough.

While cynics may say that a hefty billion-dollar fine to
Amazon, Google or Apple would just get written off as a cost of doing business,
many companies – and especially individuals – really are taking action to
protect privacy.

On the corporate front, Facebook, the most widely used of the social media
platforms, has recognized that these issues have caused people to leave and
has responded by making proactive statements in the press about a new
direction based on secure communications.

Facebook still has many
skeptics and has lost millions of users in the past year or two, but Susan
Glick, a spokeswoman for Facebook, insists that the social media platform has
been focused on keeping Facebook safe and protecting people’s data. She cites
some notable improvements the company made during the past year:

•    Increased staff. Facebook has more than tripled the number of people focused on safety and security to 30,000.
•    Stricter application reviews. Glick says Facebook tightened its app review process and restricted the data app developers can obtain.
•    Stronger organizational focus on privacy. Facebook restructured the company and created the Privacy and Data Use organization, a group focused solely on privacy.
•    More proactive enforcement. Facebook removed more than 1.5 billion fake accounts in the last two quarters.

“In 2019, specifically on privacy, we’ll keep improving our
privacy controls to make them simpler and easier to use,” Glick says. “We’ll do
more to make sure people understand how we use data and how they can control
it. And, we’ll keep learning — from privacy advocates, policy makers, other
companies, people who use Facebook – because we realize we can’t do this alone.
There will always be bad actors out there, but we’ll keep improving our
defenses, act quickly to protect people and be transparent about it.”

Other companies have followed suit.

David Hale, chief privacy
officer at TD Ameritrade, says one recent project TD Ameritrade took on was
reviewing the cookies it uses on its websites to identify places they could
improve. In pursuit of the privacy principle of data minimization, Hale says
the financial giant streamlined the information it collects on site visitors.

“Companies that want to
be ahead of the regulations are looking at how they collect, store and use
personal information,” Hale says. “This often goes hand-in-hand with data
governance in the organization. It’s now critical – in a way that it wasn’t
even five years ago – to understand how information moves through your systems
and why.”

Hale says TD Ameritrade aims to create a culture which
understands that privacy remains central to the ability of the business to
create trust.

“I often tell our
employees that it’s not right to characterize my job as being to protect
personal information – I almost never encounter it,” Hale says. “Instead, it’s
the responsibility of each of us, the entire organization, to be vigilant on
behalf of our clients and fellow employees.”

Consumers Rule in Europe

It’s pretty clear that
Europe leads the way in terms of individuals taking data privacy matters into
their own hands. Enza Iannopollo, a senior analyst at Forrester, says her
research found that 53 percent of consumers in Europe would cancel a
transaction if they don’t like something in the company’s privacy policy.

“Consumers have increased
privacy awareness and are taking action to protect themselves,” she says.
“Consumers understand that they have rights and will report wrongdoing to
regulators. They are also using technology to ensure that companies don’t track
them.”

Because Europe has been
way ahead of the United States with privacy awareness, the American public
requires more education, says Yan Solihin, director of the cybersecurity and
privacy cluster and a professor in computer science at the University of
Central Florida.

“Users need to know the implications of certain privacy
settings,” he says. “For example, when they agree to ‘share data in order to
personalize and improve services,’ they need to know what that means to their
data.”

Solihin adds that users also must be educated as to what the
laws say. For example, users own the content that they generate on social media
and can revoke it if it has not been shared with others, but metadata generated
from the analysis of the content, or data generated from how users interact
with the platform are not owned by users.

In addition, browser type, IP address, time logs, cookies,
and usage history are not owned by users, Solihin explains. “Social media
platforms can share them with third parties,” he says. “So a social media
platform can potentially share with a health insurance company public photos
and data of a user or metadata derived from private content to determine the health
risk leading to the calculation of insurance premiums,” or a person’s ability
to pay the premiums.





Taking Care of Data

Forrester’s Iannopollo
says companies need to think more critically about their retention policies. Any
time companies store data for several years, it increases risk.

“When data is no longer
useful, by default, organizations should get rid of that data,” Iannopollo
says. “Of course, if you don’t know what assets you have, you won’t know how
long to retain it. Companies need to get better visibility into what data they
have and how long they can hold it. By doing so, they can reduce the risk of
security breaches and the chance of consumers being upset because their data
was exposed in a breach.”

Lorrie Cranor, director
of the CyLab at Carnegie Mellon University, says organizations should restrict
their data collection to what they really need and get permission to use
personal data. She says they should safeguard personal data and make sure it’s
not inadvertently exposed, adding that real privacy comes from a combination of
technology and policy.

“There are technology solutions that can help protect
privacy,” she says. “But it’s also critical for companies to have internal
policies about data collection and usage and to make sure they actually follow
them. Technology may be able to help companies enforce their own policies. New
technology can be used to set and enforce access controls, store data in
encrypted form and to de-identify data.”

New technologies such as consent and preference management
tools can also help consumers more effectively manage their choices regarding
how their personal data gets handled. According to a recent Gartner study,
these preferences are then synchronized across a variety of legacy, active and
incoming repositories, both on-premises and in the cloud. The ultimate goal of
these tools: extend visibility and control to users, allowing them
self-determination over how much of their data to expose, to whom and for what
purpose, with the option of changing their preferences at will. Gartner
estimates that by 2022, 30 percent of consumer-facing organizations will offer
a self-service transparency portal that offers preference and consent
management.

“Organizations with a
mature privacy posture retain and satisfy their customers better by showing
it’s understood that their most valuable asset is not data, but the customer’s
trust,” says Bart Willemsen, a vice president and analyst at Gartner who
focuses on privacy and risk management. “And the customer wants privacy
protection – if it wasn’t a problem of this magnitude there would not be so
many laws popping up in the last 24 months that intend to protect that value.
Privacy is about giving the customer control over his or her data – privacy is
becoming a context more than a place.”

TD Ameritrade’s Hale adds that modern concepts of privacy
are both driven by and protected with ever-evolving technology. Hale says
society will always struggle to meet privacy expectations with appropriate
safeguards and controls. But no set of controls can protect information in a
company if the people who make up the organization don’t understand their
critical role in safeguarding information.

“Leaders have the responsibility not merely to deploy the
right technology and create the right policies,” Hale says, “but to also make
sure those policies are understood and can be followed by each individual
tasked with protecting the information.”

So with strong leadership, awareness education and a
technology staff that understands the symbiotic relationship between security
and privacy, organizations can make great strides on privacy. It’s easy to
throw up our hands and declare “there is no privacy.” But with technology
poised to take another leap forward with artificial intelligence and machine
learning, that’s really not an option. We need to deal with these privacy
issues before they overtake us.

Developing clear privacy policies

On a certain level, just about every company has
jumped on the privacy bandwagon. Pick a company or organization, and they will
point to their longwinded privacy policy listed prominently on their website.
But how do consumers know anything tangible is actually happening around
privacy?

That’s part of the problem, says
Bart Willemsen, a vice president and analyst at Gartner who focuses on privacy
and risk management.

“Please don’t give me 14 pages
of legalistic text,” he says. “Companies would be better off making much
simpler, more concise privacy statements.”

Here’s what Willemsen advises
companies should share with the public:

•    Identify who they are, for example, what type of company or organization they are.
•    Define what personal data they are processing.
•    Make clear for what purposes they are processing that data, how long and where the data resides.
•    Explain who else has access to the data and why. For example, is the customer only in business with the presenting organization, or do others also have access?
•    If the consumer has questions, who can they call? Is there a point of contact for privacy issues and concerns?

“With privacy policies,
transparency is key,” Willemsen says. “Don’t bury on page 12 that you plan to
update your privacy policies periodically, and you can read the latest version
here. Who in their right mind would read that far in on a legalistic policy and
keep up with when the privacy policy changed and what changed inside?”
