7 Best Privacy Practices for Companies Managing Customer Data

by   |   June 7, 2013 1:55 pm   |   0 Comments

There are plenty of good reasons for companies to collect personal data. Personal data creates opportunities for businesses to get to know their customers better, to develop new revenue streams, and to provide a more customized level of service through both Web-based channels and the growing use of mobile devices.

Related Stories

Four points HR needs to know about employment law, data privacy and security.
Read the story »

US Internet industry leaders want to see common international privacy policies.
Read the story »

Chief privacy officer profession grows with big data field.
Read the story »

A European view of consumer data privacy.
Read the story »

3 questions to ask about data privacy when managing big data.
Read the story »

FTC updates online privacy rules for collecting data on children.
Read the story »

FTC launches investigation into data brokers’ practices.
Read the story »

But with these new opportunities come new responsibilities, including an obligation to create privacy policies that protect customers’ data from a host of perils, including fraud, identity theft and inconsistent international privacy standards.

In recent months, online privacy has been a subject of great debate and scrutiny in government circles. The Bipartisan Congressional Privacy Caucus, co-chaired by Rep. Ed Markey (D-Mass.) and Rep. Joe Barton (R-Tex.), has taken on a number of privacy-related issues including identity theft and tracking policies. The FTC has subpoenaed leading data brokers.  And the European Commission has proposed new restrictions related to how companies can acquire personal data and use it.

It’s not surprising that more and more corporations are making a pre-emptive move and creating their own privacy programs. The main advantage to this approach is the opportunity to custom-fit existing privacy laws to the specific industry or business. Having a well-thought-out privacy program also can serve as a differentiator in the marketplace.

Here are seven recommendations on how to craft a solid corporate privacy program:

1. Identify what kind of and how much personal information your organization handles.

Before you can implement a company-wide privacy policy, you must to figure out what percentage of your company’s data is personal information, says privacy expert Dorothy Glancy, a professor at Santa Clara University School of Law.

Personally identifiable information is any information that can be used on its own or with other information to identify, contact or locate a single person. The National Institute of Standards and Technology published a guide that outlines specifics of this data.

The portion of person information in a company’s data warehouses can vary greatly. A B2B company, for example, will likely be in possession of far less personal information than a large consumer-facing Web company such as Google. Other pieces of data, such as the date and time someone visits a site, the type of operating system they use and the amount of a commercial transaction, are generally considered non-personal data and therefore not subject to privacy guidelines.

“You need to sort your individual data from other information sources,” says Glancy. This process will most likely involve a privacy audit, in which a privacy professional applies analytics to a company’s data warehouse. Privacy professionals are typically members of the International Association of Privacy Professionals (IAPP) or employees of the large consulting firms.

A privacy audit will also help “understanding what your organization is doing with data relating to individuals,” says Harriet Pearson, a partner at Washington D.C. law firm Hogan Lovells. That means understanding the business practices the company already has in place. “That is the challenge in a large corporation,” says Pearson, who once served as IBM’s chief privacy officer. Once you have the big picture, Pearson recommends working with an outside or an inside lawyer to look at sets of obligations, both regulatory and contractual, to understand how privacy may affect business practices.

As an example, both Zynga, the online game developer, and Groupon, the daily deals website, included privacy measures as a factor that might limit business growth in S-1 filings leading up to their respective IPOs in 2011.

2. Understand your organization’s obligations and risks.

A common mistake companies often make when developing a privacy program is to take a cookie-cutter approach to the process. Privacy policies need to be custom-fit to the organization, says Glancy. “Privacy and privacy protection is an expertise,” she says. “Find an expert and be prepared to educate that expert.” This person needs to know about your company’s business practices and any relevant industry conventions for managing customers’ data, for example.

Some of the questions that need to be answered include, Do my company’s current privacy policies apply to our business activities? Maybe they do, maybe they don’t. Will customers be alarmed by new policies? Are these new policies legal?

Even the biggest companies sometimes fail to answer these key questions. This past March, Google admitted it had been scooping up passwords, personal emails and other personal information while company vehicles trawled neighborhoods to photograph homes for its Google Street View project. As part of its settlement with 38 state attorneys general, Google agreed to pay a $7 million fine and set up a formal privacy program.

When developing a program, completeness is a must. A custom privacy program should encompass all activities a company engages in, not just its core products. And while it’s important to make sure such programs hew to existing privacy policies, they also should anticipate the reaction of customers to any changes. In late 2012, Facebook radically altered its privacy policy to permit the sharing of personal information with affiliates near midnight on the night before Thanksgiving. Many Facebook members, understandably, went into panic mode and some even shut down their accounts.

3. Engage senior management in developing a privacy approach.

Harriet Pearson of Hogan Lovells

Harriet Pearson of Hogan Lovells

Building a consensus internally for a new privacy program is a key part of guaranteeing its success. Pearson recommends including the company’s CEO, general counsel, and CFO in any conversations about what should be included in a new policy. Inviting board members to such meetings isn’t a bad idea, either. “Go as high as you can go,” Pearson says.

The advantage of including top executives in every aspect of the conversation is that it keeps the company’s goals in focus throughout the process and helps determine what kind of organization it wants to be in regard to privacy. The firm could do the bare minimum or decide to become 100 percent compliant.

It also could make the decision to differentiate itself in the marketplace by highlighting its privacy policy, much in the way Microsoft has done in recent years, such as with its recent “Don’t Get Scroogled” campaign, which argued that Microsoft Outlook was more secure than Google’s Gmail. (Speaking at an industry event, Keith Enright, Google’s senior privacy counsel, called the Microsoft campaign intellectually dishonest.)

The nature of a company’s business and the regulatory environment in which it operates also play a role in decisions about privacy policies. “Some industries are more compliant than others, such as healthcare and finance,” says Pearson, because they are more heavily regulated.

These first three steps can be very time-consuming, taking many months or even years, but once completed, form the backbone of a company’s privacy program.

It’s important to remember, however, that a privacy program will require revisiting. “When your business changes, you often have to change your privacy policy,” says Glancy. “It requires constant vigilance.”

4. Create a game plan.

Once the senior members of the executive team are on the same page, it’s time to create a plan of action. Pearson recommends creating a privacy council within the company, including members from human resources, communications, and finance departments, among others. Typically, privacy officers don’t have large staffs, so drawing support from each department is important.

The Principles of Privacy by Design

Privacy by Design is a framework for ensuring the privacy of an individual’s data. Ann Cavoukian, the information and privacy commissioner of Ontario, Canada, has advocated the Privacy by Design model and has published “7 Foundational Principles” for the approach:

1. Proactive not reactive. The approach “does not wait for privacy risks to materialize, nor does it offer remedies for resolving privacy infractions once they have occurred—it aims to prevent them from occurring.”

2. Privacy as the default setting. The approach “seeks to deliver the maximum degree of privacy by ensuring that personal data are automatically protected in any given IT system or business practice.”

3. Privacy embedded into the design and architecture of IT systems and business practices. “The result is that it becomes an essential component of the core functionality being delivered.”

4. Full functionality. Privacy by Design “seeks to accommodate all legitimate interests and objectives” so that all parties can achieve gains. It “avoids the pretense of false dichotomies, such as privacy vs. security, demonstrating that it is possible to have both.”

5. End-to-end security. The approach “extends throughout the entire life cycle of the data involved, from start to finish. This ensures that at the end of the process, all data are securely destroyed, in a timely fashion.”

6. Visibility and transparency. Privacy by Design calls for ensuring the parts of a business practice or technology is “operating according to the stated promises and objectives” in the privacy policies, subject to independent verification.

7. Respect for user privacy. The approach calls for maintaining user-centric privacy practices including measures like strong privacy defaults, appropriate notice of privacy changes and “empowering user-friendly options” for products and services.

The privacy leader should identify and prioritize projects and create a system for tracking those projects. Projects might include maintaining an inventory of data flows, instituting a complaints program, formalizing regulatory outreach, and arranging an external audit of outside service vendors.

The next step is to assemble the privacy team, and assign tasks to each member.

For example, an inventory of data flows could be managed by the enterprise IT leader and privacy complaints could be addressed by the communications head.

Establishing a game plan is crucial because, until a program is in place, a company cannot implement wide-reaching initiatives such as Privacy by Design, the concept of embedding privacy and data protection into every development stage of technologies, says Glancy.

And Privacy by Design is not just for tech companies.  For example, a retailer marketing to children should build its website in such a way that will protect kids’ personal information in accordance with the Children’s Online Privacy Protection Act (COPPA).

5. Establish a way to measure success.

Implementing a comprehensive privacy program costs money and resources, so companies naturally need to quantify the benefits of initiating and maintaining one. But first, a company has to determine how it defines success in regard to privacy, says Pearson.

Some examples include “Have we finished the policy rewriting process? Have we worked with our security division to make data secure? Have we avoided bad incidents?”

Once the measures are established, the company’s chief privacy officer should perform mini-audits every month or two to assess progress and prioritize future initiatives. It is important to keep a long-term record of the ROI provided by privacy initiatives, including the cost reductions achieved by fewer data breaches, privacy complaints, and related legal cases.

6. Educate your employees.

Once a privacy program is in place, it’s time to spread the word within the organization. Privacy policies are toothless if all employees aren’t on board.

Pearson recommends a variety of ways of getting the word out to large organizations, especially those with more than 5,000 employs. “You can establish a privacy help line, create a Frequently Asked Questions file, or create a privacy Wiki,” she says. “Or you can do all three.”

Dorothy Glancy notes that many companies host a “privacy day” or “privacy week” to raise awareness and reinforce institutional values regarding individual data protection. Microsoft, Google and Twitter, for example, celebrate Data Privacy Day on January 28, the same day as the U.S. government’s Data Privacy Day, in an effort to raise awareness of privacy and data protection issues, both internally and externally.

One of the added benefits of educating the whole organization about its privacy rules, says Glancy, is that one doesn’t always need to consult the general counsel on minor legal matters. For example, she says that, “employees should understand the difference between a subpoena and warrant” for private corporate information. “Subpoenas don’t always require a response, whereas warrants do.”

7. Institute oversight of privacy policy.

Privacy Policy Resources

• “Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers,” Federal Trade Commission, March 2012. In this report, the FTC called on companies to implement best practices to protect consumers’ private information and making privacy “the default setting” for commercial data practices.


• “Guide to Protecting the Confidentiality of Personally Identifiable Information,” National Institute of Standards and Technology, April 2010. The guide defines personally identifiable information as “any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name or biometric records” and other data that is “linkable to an individual,” such as medical, financial and employment information.


• International Association of Privacy Professionals, founded in 2000, is a nonprofit organization with 12,000 members in 78 countries. Based in Portsmouth, N.H., the group is a source of auditors for corporate privacy policies as well as a professional guidebook.


• “Unlocking the Value of Personal Data: From Collection to Usage,” a February 2013 report by the World Economic Forum and Boston Consulting Group on issues related to rights and responsibilities in the use of personal data.

“Every time you claim to do something you put yourself at risk,” says Pearson, the lawyer and former chief privacy officer. That is, establishing and publicizing a company privacy policy has legal ramifications. Oftentimes, unplanned events challenge even the most rigorous programs, for example, if personal data is compromised, stolen, or lost.

It’s also important to have a legal process in place for the company to respond to privacy-related issues. Glancy says the electronic discovery rules for federal courts, for example, can be “really expensive” to respond to, requiring companies to establish a specific policy about how it handles such queries.

Having a guide to go back to for continual reassessment of the company’s privacy rules helps, too. Pearson recommends the book Building a Privacy Program, written by Nationwide Insurance’s CPO, Kirk Herath and published by IAPP. “It rings true from my experience.”

“How you declare your policy publicly is important,” adds Pearson. One option, of course, is for a company to stay quiet or avoid having a clear policy. But in today’s technology-fueled world, says Pearson, “I would argue that’s an unsustainable policy.”

When Intel announced in 2011 that it was working on digital billboards with facial recognition technology that would target consumers based on their gender, race and age, it emphasized that it would not be retaining any personally identifying information. While such an example might seem unusual and wildly futuristic, like an image from the movie “Minority Report,” it is exactly the kind of privacy issue that companies increasingly need to address before expanding their businesses into new areas.

Alec Foege, a contributing editor at Data Informed, is a writer and independent research professional based in Connecticut, and author of the book The Tinkerers: The Amateurs, DIYers, and Inventors Who Make America Great. He can be reached at alec@brooksideresearch.com.

Home page photo of private property sign by Salem Eames via Flickr used under Creative Commons license.

Tags: , ,

Post a Comment

Your email is never published nor shared. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>