Why Privacy is a Corporate Responsibility Issue

Many organizations have Corporate Responsibility programs that focus on social issues and philanthropy. Especially in today's Big Data era, why is privacy not part of the program?

Today's companies are promising to lower their carbon footprints and save endangered species. They're donating to people in developing countries who have far less than we do, which is also noble. But what about the fact that American citizens are a product whose information is bought, sold, and obtained without consent? In light of recent events, perhaps the privacy policies deserve more consideration than just two linked words at the bottom of a website home page.

"Privacy is a big issue for a host of reasons -- legal, ethical, brand protection and moral," said Mark Cohen, Chief Strategy Officer at consultancy and technology service provider Elevate (https://elevateservices.com/). "[Privacy] is an element of corporate culture [so what goes into a privacy policy depends on] your values and priorities."

Problems with Privacy Policies

There are three big problems with privacy policies, at least in the US: what's in them, how they're written, and how they're ignored.

One might think that privacy policies are tailored to a particular company and its audience. However, such documents are not necessarily original. Rather than penning a privacy policy from scratch, some companies are literally cutting and pasting another company's entire privacy policy regardless of its contents. In fact, the people grabbing that policy might not even bother to read it before using it.

Boilerplate language is also a problem. In-house counsel often uses freely available forms to put together a privacy policy. They may use one form or a combination of forms available to lawyers, but again, they're not thinking about what should actually be in the document for their business.

In addition, the documents are written in legalese, which is difficult for the average person to read. Businesses are counting on that because if you don't know what's in a privacy policy, what you're giving away and what they intend to do with your information, you'll probably just hope for the best. Even better, you'll click an "I agree" button without knowing what clicking that button actually means. It's a common practice, so you're not alone if that's the case.

Oh, and what's stated in the documents may or may not be true, either because the company changed the policy since you last read it or they're ignoring the document itself.

"After May 2018, when the new GDPR [General Data Protection Regulation] goes into effect, it's going to force many companies to look at their privacy policies, their privacy statements and consents and make them more transparent," said Sheila Fitzpatrick, Data Governance & Privacy counsel and chief privacy officer at NetApp, a data services for hybrid cloud company. "They're going to have to be easily understandable and readable."

Businesses Confuse Privacy with Security

Privacy and security go hand-in-hand, but they're not the same thing. Yet many businesses assume that if they're encrypting data, they're protecting privacy.

"Every company focuses on risk, export control trade compliance, security, but rarely you find companies focused on privacy," said Fitzpatrick. "That's changing with GDPR because it's extraterritorial. It's forcing companies to start really addressing areas around privacy."

It's entirely possible to have all kinds of security and still not address privacy issues. OK, so the data is being locked down, but are you legally allowed to have it in the first place? Perhaps not.

"Before you lock down that data, you need the legal right to have it," said Fitzpatrick. "That's the part that organizations still aren't comprehending because they think they need the data to manage the relationship. In the past organizations thought they need the data to manage employment, customer or prospect relationships, but they were never really transparent about what they're doing with that data, and they haven't obtained the consent from the individual."

In the US, the default favors collection: data is gathered unless the individual opts out. In countries with restrictive privacy laws, the default is the reverse: data may not be collected until the individual opts in.

(Image: TheDigitalArtist/Pixabay)

The Data Lake Mentality Problem

We hear a lot about data lakes and data swamps. In a lot of cases, companies are just throwing every piece of data into a data lake, hoping it will have value in the future. After all, cloud storage is dirt cheap.

"Companies need to think about the data they absolutely need to support a relationship. If they're an organization that designs technology, what problem are they trying to solve and what data do they need to solve the problem?" said Fitzpatrick.

Instead of collecting massive amounts of information that is irrelevant to the relationship, companies should practice data minimization if they want to lower privacy-related risks and comply with the EU's GDPR.

"Companies also need to think about how long they're maintaining this data because they have a tendency to want to keep data forever even if it has no value," said Fitzpatrick. "Under data protection laws, not just the GDPR, data should only be maintained for the purpose it was given and only for the time period for which it was relevant."

The Effect of GDPR

Under the GDPR, consent has to be freely given, not forced or implied. That means companies can't pre-check an opt-in box or force people to trade personal data for the use or continued use of a service.

"Some data is needed. If you're buying a new car they need financial information, but they'd only be using it for the purpose of the purchase, not 19 other things they want to use it for including sales and marketing purposes," said Fitzpatrick.

Privacy may well become the new competitive advantage as people become more aware of privacy policies and what they mean and don't mean.

"Especially Europeans, Canadians, and those who live in Asia-Pacific countries that have restrictive privacy laws, part of their vetting process will be looking at your privacy program," said Fitzpatrick. "If you have a strong privacy program and can answer a privacy question with a privacy answer as opposed to answering a privacy question with a security answer, [you'll have an advantage]."

On the flip side, sanctions from foreign regulators can destroy a company from reputational, brand and financial points of view. The maximum fine under the GDPR is 4% of a company's global annual turnover or EUR 20 million, whichever is higher.

Does Your Company's Corporate Responsibility Program Include Privacy?

Perhaps or perhaps not. You tell us. What's your take on privacy policies? What do you think needs to happen? We'd love to continue the discussion with you in the comments section.

Lisa Morgan, Freelance Writer

Lisa Morgan is a freelance writer who covers big data and BI for InformationWeek. She has contributed articles, reports, and other types of content to various publications and sites ranging from SD Times to the Economist Intelligence Unit. Frequent areas of coverage include big data, mobility, enterprise software, the cloud, software development, and emerging cultural issues affecting the C-suite.

Re: Data is money
  • 11/17/2017 10:25:37 PM

If [the clickwraps] were highlighted as bullets in plain English everyone would be much better off.

Not sure this would help given the overwhelming majority of people that don't seem bothered by anything that's written above a box that says ACCEPT.

Re: Data is money
  • 11/16/2017 4:09:17 PM

Privacy is a very sticky issue not only in how data is collected and stored but how it is used in a corporate atmosphere. I have seen companies that have strict privacy policies readily discuss client data in the open. Privacy needs to extend to how the data is used in all facets of the business. The clickwraps have gotten so long most people don't read them and they just click and go to move on. If they were highlighted as bullets in plain English everyone would be much better off.

Re: Data is money
  • 11/16/2017 10:39:20 AM

It could have been a marketing scheme from Equifax as well.

Re: Data is money
  • 11/16/2017 10:32:33 AM

Strangely, this week I received a letter from AT&T warning that my privacy might have been compromised and to contact Equifax's page to check. I don't even remember having any business with AT&T but checked anyway and found I seemingly didn't have any problem. I wonder if they were just being super cautious when notifying me, or not only are there privacy issues in collected data but also in data AT&T had on me even though I don't think I was ever a customer in the last decade?

Re: Data is money
  • 11/16/2017 9:18:40 AM

I agree with your frustration. We need tougher laws and enforcement to protect privacy. Nothing will change until the cost of not changing is high enough.

Re: Data is money
  • 11/16/2017 8:26:38 AM

The Equifax incident was the first time I've been wrapped up in data loss that I know of.  What bothers me most about it is that there doesn't seem to be any concern for my privacy and the fact that if my identity is stolen it's not up to them to make it right, it's up to me to have everything made right.  I've been watching as their super confusing web site woes just make this whole situation worse.  On top of that, it's not like I had a choice in them having my data.  They collect this on their own without my permission then I have to pay so that someone else can access that data, when they lose this collection of data somehow the onus of protecting that data falls back on me and I really don't like that feeling.  The form letter I received really put it in the frame of "you need to protect yourself" but I'm wondering who I need to protect myself from.

Re: Data is money
  • 11/16/2017 12:10:58 AM

The more I read about Equifax, the less I think it should still be in business.

Most organizations, while much better than Equifax, aren’t good enough. I think part of the problem is the ‘who cares’ attitude in the US.

Re: Data is money
  • 11/15/2017 3:23:49 PM

@SaneIT, right on.  I'm bothered by the fact Congress has exempted them from what they deserve and so it's OK to fail to protect data.  Try that in Europe...

We don't seem to value privacy as a nation, which is a larger problem.

I imagine like most of you, I've been affected by just about every high-profile consumer breach that's happened over the last few years. The lack of responsibility around the issue such as timely notice and acceptance of responsibility seems secondary to sweeping things under the carpet.

I think on one level (not an excuse but a real issue) CIOs are throwing up their hands, knowing that every single vulnerability and possible vulnerability can't be identified, so stuff will happen.

It will be interesting to see how GDPR plays out here in the US.

Data is money
  • 11/15/2017 1:04:24 PM

What bothers me most about this is if you talk to these companies, Equifax for example, they will tell you that their customer data is the most valuable thing they have.  Many of these companies will tell you that without that data they aren't in business any more.  If that is true, why are they not bending over backward to protect my data?  Would Equifax be more concerned with the fact that they lost my data or if they lost access to their bank accounts?  If someone had access to their bank accounts would they send them a form letter and explain that they really value their bank account and that they take its security seriously or would they fight to get control of that account back?