Andy Grove, Chairman of Intel in an interview in the year 2000 said: 'Privacy is one of the biggest problems in this new electronic age. At the heart of the Internet culture is a force that wants to find out everything about you. And once it has found out everything about you and two hundred million others, that’s a very valuable asset, and people will be tempted to trade and do commerce with that asset. This wasn’t the information that people were thinking of when they called this the information age.'
When I recently asked CIOs about data privacy, they were clear that it matters everywhere but there are certain industries where it is crucial to regulatory compliance and thus represents a massive business risk. Given this, I asked CIOs what steps they are taking to deliver privacy. For the most part, their thoughts mirror Canada’s Information & Privacy Commissioner, Ann Cavoukian’s work on Privacy by Design.
Proactive not Reactive
CIOs assert that there should be a degree of foresight with regards to data use and its connection with business strategy, but they openly admit that for far too many, privacy is really an afterthought. CIOs see privacy as clearly relating to the use of information and that protecting it requires worrying about the data touch points. This means that organizations need to be explicit about what privacy means to them and embed it internally and externally in their business culture.
Those designing privacy into their data projects to be proactive, need to consider ethics and compliance throughout the entire data flow – this means the inputs and the outputs. One CIO stressed that it is very important to understand that information often flows between many applications and that once data flows have been mapped, the process of protecting privacy can include redacting records, using tokenization where applicable, and establishing and maintaining clear security standards.
Privacy as the default setting
One CIO suggested that enterprises need to start acting like the military by compartmentalizing data access. Others asked more basic questions: Is there a business case for the data being collected? Is there a known lifecycle for it? And what is the impact of collecting it?
Prior to setting privacy protection as a default, CIOs say questions should be asked of data owners such as what can happen if data is exposed? And what potential financial and reputational liabilities might impact an organization’s brand as a result of a privacy breach? By answering these questions, appropriate action can be taken in advance. Think of this effectively as building a business case for privacy.
In order for privacy to be a default setting, CIOs say that regulatory compliance, security culture, and data governance need to be joined with other business functions and that the shared development of privacy policies within the community served is essential. They emphasize that success here will take a combination of both technical and policy-based solutions.
Embedded into Design
CIOs says that protecting privacy should occur from the start of data projects, even though for many it's often only added later as the result of an audit or compliance requirement. CIOs from varied industries all say that privacy protection needs to be 'baked in', and insist that, just like QA – it is best if privacy begins at the design phase.
End to End
While not all CIOs had a systematic perspective, those that did said that as privacy relates to the use and protection of information, the emphasis needs to be on the data touch points. In this vein, one CIO said, 'Organizations need to collect only as much information as is required, store it only as long as it needs to be stored and anonymize as much of it as you can, and do this in an automated, policy based fashion.' I agree with this, but I think there is a risk in thinking about data in a piecemeal fashion and business risk in just taking the project approach. A key responsibility for organizations is data discovery, to locate private information wherever it is within enterprise data flows, so it can be appropriately represented within policies and protected accordingly. Data protection governance needs a composite view of systems as a whole, otherwise, compliance and governance holes will exist.
Visibility and Transparency
CIOs said that awareness of and transparency about the intended use of data needs to be part of privacy by design, with policies to hold the business accountable for the processing of information. This was seen by CIOs as critical to a ‘cogent privacy program’ and to ensure the trust of data subjects. It is considered vital for organizations to have a governance that provides visibility and control over data wherever it goes.
Respect for User Privacy
Finally, organizations need to be clear internally and externally what privacy means and integrate it as a priority into enterprise culture and management. Part of this process is creating data owners and explicitly involving them in policy implementation. Policies need at their core to respect the sources of information and determine which elements are considered private or personally identifiable in order to determine which aspects of a dataset need to be de-identified.
CIOs are clear that ensuring privacy needs specific things: for the business to be on board and for the design of privacy to be systematic and by design. If you want to learn more about CIOs perspective and challenges regarding data as a whole, take a look at 4 CRITICAL DATA-DRIVEN CHALLENGES FOR TODAY’S CIOS. Here CIOs share explicitly not only how they can do better at protecting data, but also how they can help their organizations benefit from managing data better.