This blog summarizes Chapter 15: Securing privacy and profit in the era of hyperconnectivity and big data, by Booz Allen Hamilton: Bill Stewart, Executive Vice President; Dean Forbes, Senior Associate; Agatha O’Malley, Senior Associate; Jaqueline Cooney, Lead Associate; and Waiching Wong, Associate.
The corporate landscape is now characterized by the data economy, or the exchange of digitized information to create value.
Although there is no common agreement on what ‘privacy’ refers to, it is essential to employ responsible ways of collecting, using, and sharing personal information to accomplish business tasks, enabling the organization to gain its customers’ trust and unlock the real potential of the data economy.
Forward-thinking companies are proactively gaining their customers’ trust and using that as a differentiator. Apple, for instance, uses the privacy features of its apps as a selling point.
International and local laws create challenges for organizations.
The landmark ruling of the European Court of Justice against Google in 2014 on the “right to be forgotten” set a precedent for removing from search results information that is deemed no longer relevant or not in the public interest.
Beyond technical issues, compliance concerns can be administrative, such as in Google’s case, which required creating forms in many different languages and employing staff to review requests.
Beyond personal information
Personal information (PI) is described in privacy and information security circles as “information that can be used on its own or with other information to identify, contact or locate a single person, or to identify an individual in context.”
The definition of PI has become broader with the advent of geolocation data and associative analysis, such as facial recognition, which have compounded the challenges associated with regulating and managing data privacy.
What to do? Build consumer trust
Privacy can be a competitive differentiator. Building consumer trust requires taking action to secure personal information, such as developing appropriate privacy policies, introducing privacy considerations into business operations, and setting guidelines for required employee conduct. Externally, this requires building privacy considerations into products and services, such as the following:
Create easy-to-understand consumer-facing policies
Policies should be clear, simple, and easy to read; in addition, companies should give an easy opt-out at every stage and use data only in the ways stated.
To increase trust, privacy policies should clearly state the following:
- the personal information that you will collect;
- why data is collected and how it will be used and shared;
- how you will protect the data;
- an explanation of how the consumer benefits from the collection, use, sharing, and analysis of data.
Go “privacy by design”
Privacy by design means to “integrate and promote privacy requirements into systems, services, products, and business processes at the planning, design, development, and implementation stages, to ensure that businesses meet their customer and employee privacy expectations, and policy and regulatory requirements.”
By adopting privacy by design, organizations can reduce their privacy and security risks and costs.
Privacy by design is recognized by the Federal Trade Commission as a recommended practice for protecting online privacy, and has been considered for inclusion in the European Union’s draft General Data Protection Regulation.
Communicate your good work
Privacy policies and actions can be turned into marketing tools for savvy organizations. It is important to actively communicate all the actions you are taking to secure your customers’ data so that they know you can be trusted.
The data economy brings exciting opportunities for companies to grow by enhancing their products and services. Building consumer trust requires keeping information safe from hackers, creating easy-to-understand privacy policies, and applying the principle of ‘privacy by default’.
“Companies that reframe these actions as business enablers instead of business costs will thrive—and find it easier to comply with an increasingly complex web of regulations. Finally, communicating your good work to consumers will elevate the profile of your organization as a trusted partner, and pave the way for future gains.”
Best-practice cyber risk management
The international standard ISO 27001 sets out a best-practice approach to cyber risk management that can be adopted by all organizations. Encompassing people, processes, and technology, ISO 27001’s enterprise-wide approach to cybersecurity is tailored to the outcomes of regular risk assessments so that organizations can mitigate the cyber risks they actually face in the most cost-effective and efficient way.
Registration to the Standard demonstrates to investors, stakeholders, customers, and staff that information security best practice is being followed.