There are plenty of good reasons for companies to collect personal data. Personal data creates opportunities for businesses to get to know their customers better, to develop new revenue streams, and to provide a more customized level of service through both Web-based channels and the growing use of mobile devices.
But with these new opportunities come new responsibilities, including an obligation to create privacy policies that protect customers’ data from a host of perils, including fraud, identity theft and inconsistent international privacy standards.
In recent months, online privacy has been a subject of great debate and scrutiny in government circles. The Bipartisan Congressional Privacy Caucus, co-chaired by Rep. Ed Markey (D-Mass.) and Rep. Joe Barton (R-Tex.), has taken on a number of privacy-related issues including identity theft and tracking policies. The FTC has subpoenaed leading data brokers. And the European Commission has proposed new restrictions related to how companies can acquire personal data and use it.
It’s not surprising that more and more corporations are making a pre-emptive move and creating their own privacy programs. The main advantage to this approach is the opportunity to custom-fit existing privacy laws to the specific industry or business. Having a well-thought-out privacy program also can serve as a differentiator in the marketplace.
Here are seven recommendations on how to craft a solid corporate privacy program:
1. Identify what kind of and how much personal information your organization handles.
Personally identifiable information is any information that can be used on its own or with other information to identify, contact or locate a single person. The National Institute of Standards and Technology published a guide that outlines specifics of this data.
The proportion of personal information in a company’s data warehouses can vary greatly. A B2B company, for example, will likely be in possession of far less personal information than a large consumer-facing Web company such as Google. Other pieces of data, such as the date and time someone visits a site, the type of operating system they use and the amount of a commercial transaction, are generally considered non-personal data and therefore not subject to privacy guidelines.
“You need to sort your individual data from other information sources,” says Glancy. This process will most likely involve a privacy audit, in which a privacy professional applies analytics to a company’s data warehouse. Privacy professionals are typically members of the International Association of Privacy Professionals (IAPP) or employees of the large consulting firms.
A privacy audit will also help with “understanding what your organization is doing with data relating to individuals,” says Harriet Pearson, a partner at Washington D.C. law firm Hogan Lovells. That means understanding the business practices the company already has in place. “That is the challenge in a large corporation,” says Pearson, who once served as IBM’s chief privacy officer. Once you have the big picture, Pearson recommends working with an outside or an inside lawyer to review the company’s sets of obligations, both regulatory and contractual, to understand how privacy may affect business practices.
As an example, both Zynga, the online game developer, and Groupon, the daily deals website, included privacy measures as a factor that might limit business growth in S-1 filings leading up to their respective IPOs in 2011.
2. Understand your organization’s obligations and risks.
A common mistake companies make when developing a privacy program is to take a cookie-cutter approach to the process. Privacy policies need to be custom-fit to the organization, says Glancy. “Privacy and privacy protection is an expertise,” she says. “Find an expert and be prepared to educate that expert.” This person needs to know about your company’s business practices and any relevant industry conventions for managing customers’ data, for example.
Some of the questions that need to be answered include: Do my company’s current privacy policies apply to our business activities? Maybe they do, maybe they don’t. Will customers be alarmed by new policies? Are these new policies legal?
Even the biggest companies sometimes fail to answer these key questions. This past March, Google admitted it had been scooping up passwords, personal emails and other personal information while company vehicles trawled neighborhoods to photograph homes for its Google Street View project. As part of its settlement with 38 state attorneys general, Google agreed to pay a $7 million fine and set up a formal privacy program.
3. Engage senior management in developing a privacy approach.
Building a consensus internally for a new privacy program is a key part of guaranteeing its success. Pearson recommends including the company’s CEO, general counsel, and CFO in any conversations about what should be included in a new policy. Inviting board members to such meetings isn’t a bad idea, either. “Go as high as you can go,” Pearson says.
The advantage of including top executives in every aspect of the conversation is that it keeps the company’s goals in focus throughout the process and helps determine what kind of organization it wants to be in regard to privacy. The firm could do the bare minimum or decide to become 100 percent compliant.
The nature of a company’s business and the regulatory environment in which it operates also play a role in decisions about privacy policies. “Some industries are more compliant than others, such as healthcare and finance,” says Pearson, because they are more heavily regulated.
These first three steps can be very time-consuming, taking many months or even years, but once completed, they form the backbone of a company’s privacy program.
4. Create a game plan.
Once the senior members of the executive team are on the same page, it’s time to create a plan of action. Pearson recommends creating a privacy council within the company, including members from human resources, communications, and finance departments, among others. Typically, privacy officers don’t have large staffs, so drawing support from each department is important.
The privacy leader should identify and prioritize projects and create a system for tracking those projects. Projects might include maintaining an inventory of data flows, instituting a complaints program, formalizing regulatory outreach, and arranging an external audit of outside service vendors.
The next step is to assemble the privacy team, and assign tasks to each member.
For example, an inventory of data flows could be managed by the enterprise IT leader and privacy complaints could be addressed by the communications head.
Establishing a game plan is crucial because, until a program is in place, a company cannot implement wide-reaching initiatives such as Privacy by Design, the concept of embedding privacy and data protection into every development stage of technologies, says Glancy.
And Privacy by Design is not just for tech companies. For example, a retailer marketing to children should build its website in such a way that will protect kids’ personal information in accordance with the Children’s Online Privacy Protection Act (COPPA).
5. Establish a way to measure success.
Implementing a comprehensive privacy program costs money and resources, so companies naturally need to quantify the benefits of initiating and maintaining one. But first, a company has to determine how it defines success in regard to privacy, says Pearson.
Some examples include “Have we finished the policy rewriting process? Have we worked with our security division to make data secure? Have we avoided bad incidents?”
Once the measures are established, the company’s chief privacy officer should perform mini-audits every month or two to assess progress and prioritize future initiatives. It is important to keep a long-term record of the ROI provided by privacy initiatives, including the cost reductions achieved by fewer data breaches, privacy complaints, and related legal cases.
6. Educate your employees.
Once a privacy program is in place, it’s time to spread the word within the organization. Privacy policies are toothless if all employees aren’t on board.
Pearson recommends a variety of ways of getting the word out in large organizations, especially those with more than 5,000 employees. “You can establish a privacy help line, create a Frequently Asked Questions file, or create a privacy Wiki,” she says. “Or you can do all three.”
Dorothy Glancy notes that many companies host a “privacy day” or “privacy week” to raise awareness and reinforce institutional values regarding individual data protection. Microsoft, Google and Twitter, for example, celebrate Data Privacy Day on January 28, the same day as the U.S. government’s Data Privacy Day, in an effort to raise awareness of privacy and data protection issues, both internally and externally.
One of the added benefits of educating the whole organization about its privacy rules, says Glancy, is that one doesn’t always need to consult the general counsel on minor legal matters. For example, she says that, “employees should understand the difference between a subpoena and warrant” for private corporate information. “Subpoenas don’t always require a response, whereas warrants do.”
It’s also important to have a legal process in place for the company to respond to privacy-related issues. Glancy says the electronic discovery rules for federal courts, for example, can be “really expensive” to respond to, which requires companies to establish a specific policy about how they handle such queries.
Having a guide to go back to for continual reassessment of the company’s privacy rules helps, too. Pearson recommends the book Building a Privacy Program, written by Nationwide Insurance’s CPO, Kirk Herath, and published by IAPP. “It rings true from my experience.”
“How you declare your policy publicly is important,” adds Pearson. One option, of course, is for a company to stay quiet or avoid having a clear policy. But in today’s technology-fueled world, says Pearson, “I would argue that’s an unsustainable policy.”
When Intel announced in 2011 that it was working on digital billboards with facial recognition technology that would target consumers based on their gender, race and age, it emphasized that it would not be retaining any personally identifying information. While such an example might seem unusual and wildly futuristic, like an image from the movie “Minority Report,” it is exactly the kind of privacy issue that companies increasingly need to address before expanding their businesses into new areas.
Alec Foege, a contributing editor at Data Informed, is a writer and independent research professional based in Connecticut, and author of the book The Tinkerers: The Amateurs, DIYers, and Inventors Who Make America Great. He can be reached at email@example.com.
Home page photo of private property sign by Salem Eames via Flickr used under Creative Commons license.