Does the whole privacy ‘thing’ feel like you’re wading through glue, with every step slow and difficult? You know what? We agree. In fact, we think the privacy ‘thing’ is a bit out-dated. Let’s face it, it only really matters if you get caught, right? We’d like to challenge the debate about privacy, stir the pot and see what happens!
Here’s the problem. We believe privacy is vitally important in the digital world. Moreover, privacy is the very essence of today’s customer intimacy – hard to gain, easy to lose. Sadly, we feel this subject has become marginalised because the narrative is all wrong. We are often struck by how organisations feel paralysed by privacy. When we listen to clients, they describe it as something that creeps up behind them in the night – oh no, not privacy!
We believe that privacy is not a thing. It’s not a set of principles, nor is it legislation. It’s far more important than any of these key artefacts. Privacy should form part of the very fabric of a business, public or private. Companies and governments should take great pride in the way they handle privacy. Moreover, there should be a rating system much like other consumer products. Customers should be confident their data, information and knowledge are safe.
In our research, we have found that many companies and governments do care deeply about privacy but often only act when something goes wrong. Many don’t look at privacy as an integrated activity across all business functions, and worse still many organisations don’t even know where to start.
The current narrative is all about the negative aspects of information privacy; this is reflected in the media coverage, the approach of governing bodies and the wider business perception. The focus on what happens when privacy is breached, rather than what should be done to prevent it, is creating the narrative predicament. This is not to say that privacy breaches are trivial matters; it is in fact stating the opposite. Thinking of information privacy as a ‘journey’ rather than a static ‘thing’ or after-thought emphasises the importance of privacy being proactive, planned and well thought-through.
A few simple, repeatable steps can be applied to support and guide your business, to prevent a mad scramble when something goes wrong. This ‘privacy engineering’ approach has multiple benefits. Not only does it save the reputational and financial damage that often comes with a breach in privacy, it also allows organisations to realise the full benefits of consumption-based technology (cloud computing).
Over many years we’ve helped our clients on the information privacy journey and we’d like to share that experience to help change the narrative. By embedding privacy and dealing with issues early on in projects and business change initiatives, privacy assurance is the default mode of operation and allows you to proactively protect your information and build deep customer trust. One privacy breach and your customer will look elsewhere. Given the expense of getting new customers, retention is always a major priority. This is just as relevant in the public sector – lose trust with the community and it’s a long road back.
So enough from our soapbox. “We get it!” you all say, “but how do we start?” Start with today, now, this very minute, and never stop thinking about privacy.
Step one: What is it?
The information privacy journey starts with understanding the information you have. Things to be considered include:
• What type of information do you capture?
• Do you store personal information such as names, addresses and phone numbers?
• Is any of the personal information considered sensitive, such as religious beliefs or criminal records?
If you answer yes to any of the above, then this personal and sensitive information must comply with privacy legislation. This includes securely destroying this information if you no longer need it for the purpose it was collected.
Step two: Who, What, Where
Knowing where your information goes and who has access to it is the next important step, as the privacy of the information you hold hinges on these two factors. Are there appropriate security measures in place for your information storage facilities, both digitally and physically? Is any of your information stored or transferred overseas? If so, you need to understand the associated risks and use tools such as commercial arrangements to mitigate these risks.
Step three: Regulations and Legislation
Ensuring your organisation’s information management practices secure the privacy of personal information will assist compliance with legislation and help avoid civil penalties. Use skilled privacy practitioners and experienced legal professionals to reduce risk. The greater opportunity, however, is to leverage information privacy to add customer value, and enable improved business services.
Pragmatic opportunities for leveraging privacy within your organisation may include:
• Sharing personal information to improve client experience
• Recordkeeping to demonstrate accountability
• Giving your customers choices to amend or release their information
• Assessing sovereignty impacts through risk assessment
• Reducing the risks of inappropriate access
• Proactively managing breaches to minimise risks of penalties
Step four: Customer Expectations
It is also important to understand customer expectations when it comes to the privacy of personal information. Although many people are happy to release personal and sensitive details about themselves through public forums such as social media, this does not set a precedent for how organisations can treat the same information. The primary customer expectation is that the information provided to an organisation will be used solely for the purpose it was collected and will not be re-used or on-sold to another entity.
Step five: Be Proactive
When it comes to information privacy, doing nothing is not an option. Small steps to embed privacy assurance processes at the start of new initiatives go a long way to protecting your organisation from any reputational and financial risk associated with privacy breaches. Being proactive is the best way to avoid civil penalties.
You can easily leverage information privacy to gain greater customer trust, improve business services and realise the full benefit of digital technology.
Privacy assurance as the default mode of operation should be at the forefront of business planning. Our guide to privacy, at the beginning of this article, is designed to help organisations see privacy as a journey, rather than just another “thing”.