Doing Privacy ‘Rights’ vs Doing Privacy “Right” - ISACA, 2017-10-27


DOING PRIVACY ‘RIGHTS’

Vs

DOING PRIVACY “RIGHT”

VALERIE LYONS

COO, BH CONSULTING & PHD SCHOLAR, DCU

CURRENT APPROACHES:

Individual Self Protection

Industry Self Regulation

Government Regulation

RIGHTS Vs RIGHT

CONTROL Vs JUSTICE


A strong control-driven privacy protection approach =

• minimum behaviours to avoid regulatory oversight.

• focusing initiatives on internal stakeholders

• operating an information ownership strategy (Greenaway and Chan, 2013).

A strong justice-driven privacy protection approach =

• focus privacy initiatives on all stakeholders,

• embed privacy into externally focused programs such as CSR, value trust and reputation highly

• demonstrate an information stewardship strategy (Greenaway and Chan, 2013).

A ‘culture of caring’ (Ponemon & Accenture 2015).

INFORMATION OWNERSHIP Vs INFORMATION STEWARDSHIP

Information ownership refers to the possession of, responsibility for, and control over that information (Loshin, 2002).

Information stewardship reflects Fair Information Privacy Practices (FIPPs), and is intended to convey a trust level of responsibility toward the information (Rosenbaum, 2010). No matter what, the organisation remains responsible and retains oversight of the processing of that information.

DOING RIGHT

What if organisations implemented privacy initiatives that were driven by, and aimed at, enhancing the consumer-trust relationship (instead of focusing on the ‘culture of compliance’)?

SO WHAT?

Results from a recent global survey (Accenture and Ponemon, 2015) determined that organisations that exhibit a ‘culture of caring’ with respect to information privacy protection are far less likely to experience privacy breaches.

€€€!!! These organisations tend to see themselves as stewards of the information, taking actions BEYOND regulatory compliance to protect the information ENTRUSTED to them.

Trust under the microscope

“The intention to accept vulnerability based upon positive expectations of the intentions or behaviour of another” (Rousseau et al., 1998) …has values in congruence with one’s own values, particularly in new or high-risk situations (Sitkin & Roth, 1993).

Components of Trust: Ability, Benevolence, Integrity, Predictability (Dietz and Hartog, 2006)

Where to look:

• CSR reports of some of the Fortune 500 technology companies

• Privacy disclosures and policies of same companies

• Looking for themes: TRUST, CONTROL, JUSTICE, EXCEEDING

Key Findings:

• Privacy Protection as a Tool to Enhance Consumer-Trust

• Privacy Protection as a Risk Management Objective

• Privacy Protection as Compliance ‘Problem-to-be-Solved’

• Privacy Protection as a Cost-to-be-Minimised

• IBM : A company must be true to its values in all of its activities — both internal and external. IBM’s core values have remained consistent and are embedded in all our citizenship activities. These values are….. Trust and personal responsibility in all relationships.

• CISCO: Doing business honestly, ethically, and with integrity helps us build long-term, trusting relationships with our employees, customers, suppliers, and stakeholders worldwide

• IBM: Your Privacy is important to IBM, maintaining your trust is paramount to us

• CISCO: We are committed to maintaining the trust of our stakeholders by advocating for global standards, improving product security, and protecting data privacy to enable widespread access to information...

• HP: Maintain HP’s position as the most trusted private sector advisor to regulators by upholding an industry-leading privacy program that anticipates trends such as big data, cloud computing, Internet of Things…

• M’SOFT: measures to continue to meet commitments to data privacy/security and earn customers’ trust include expanding encryption across our services, providing choice/transparency on data location, stronger legal protections for customers.

TRUST

• Samsung: announced its Global Policy on Personal Information to reinforce data protection, and has policies in place that reflect regional regulatory environments and local characteristics. We operate a Privacy Legal Management System through which lawyers in charge of this issue review whether the company’s policy is reflected throughout the stages of products and services

• Cisco: Our commitment to an approach that balances protecting user data privacy and the rule of law

• Facebook: If the ownership or control of all or part of our Services or their assets changes, we may transfer your information to the new owner.

• Apple: We have developed powerful tools to help others adhere to our strict standards

CONTROL

• IBM’s long-standing commitment to policies of equal opportunity, fairness and diversity — from our stand against segregation in the 1950s, to our pioneering protection of employees’ genetic privacy, to our staunch defense of our clients’ data against government intrusions.

• Cisco: We advocate for strong freedom of expression and privacy protections, which we believe are fundamental to successful business innovation and a thriving society

• Apple: Our business model is very straightforward: We sell great products. We don’t build a profile based on your email content or web browsing habits to sell to advertisers. We don’t “monetize” the information you store on your iPhone or in iCloud. And we don’t read your email or your messages to get information to market to you.

• IBM are extending our long history of leadership in privacy and data protection to our new areas of strategic focus

• Google: We want to be a responsible steward of the information we hold. We recognize our responsibility to protect the data that users entrust to us.

JUSTICE

• HP’s Chief Privacy Officer co-chairs the project’s research team, which is developing a code of ethics to guide companies and other organizations that work with big data

• HP strive to provide protections across all of our operations that EXCEED legal minimums and to deploy consistent, rigorous policies and procedures.

• Dell is committed to engaging in the process to help shape public policy in a responsible and transparent way to ensure the interests of customers, employees and other stakeholders are fairly represented at all levels of government

• Cisco: In addition to regulatory compliance, we voluntarily support several ambitious and successful industry-led initiatives, such as the Online Privacy Alliance and TRUSTe, which are well respected efforts that achieve a reasonable balance between consumer protection and business requirements.

• IBM employs some of the industry’s most sophisticated, enterprise-level security capabilities to protect our clients and their data.

• MSoft: We’ve led our industry with privacy protections such as our commitment to not scan Microsoft Outlook email services for targeting online advertising. ….the 1st companies to sign the Student Privacy Pledge developed by the Future of Privacy Forum to establish a common set of principles to protect the privacy of student info.

EXCEED

[Chart: the four key findings (Enhance Consumer Trust, Risk Management, Cost to be minimised, Compliance problem to be solved) laid out as quadrants, with Microsoft positioned on the chart]

Compliance Vs Privacy Cultures

Key Elements of a Privacy Culture?

• Information Stewardship

• Privacy Governance

• Privacy embedded into all projects

• Information initiatives require privacy sign-off

• Privacy awareness training, to all stakeholders

• Stakeholder focus: 360

• The Consumer is central to all privacy protection initiatives

• Privacy is not optional

• Privacy reported as a CSR

What would ‘Doing Right’ look like?

• Exceeding Compliance, where Compliance is the baseline, not the end-goal. Policies and T&Cs are living working documents, not just legal requirements

• The implementation of a justice-based set of non-binding rules such as the OECD’s Fair Information Privacy Practices

• Accreditation to Trust seals. A possible ‘nutritional label’ for privacy

• The provision of data protection and privacy awareness training to both internal and external customers

• Published privacy initiatives in CSR and Transparency Reports.

• The incorporation of Privacy By Design principles ‘baked in’ from the outset of projects involving personal information.

Conclusion

• Organisations need to remind themselves that the personal data that they collect and process does not belong to them

• Trust is fundamental to the sustainability of the consumer relationship

• Organisations that can demonstrate how seriously they take their information custodian responsibilities will experience greater consumer engagement and fewer privacy breaches

• Organisations need to be cognisant of the EU’s proposed Digital Ethics Regulation.

Questions?