On January 28, when many Australians were enjoying the last hurrah of summer holidays and getting the kids ready to go back to school, our northern hemisphere colleagues were celebrating International Data Privacy Day. A day to reflect on privacy challenges, and to applaud the efforts of Privacy Officers, and all who support them. One of the photos doing the rounds on Twitter was a t-shirt bearing the slogan ‘Keep Calm and Trust the Privacy Officer’.
The Privacy Officer’s role is a delicate balancing act – helping your organisation answer the critical question: How can we best realise the value of the data we hold, while still protecting our customers’ privacy?
But for someone whose job involves a complex mix of fighting fires, ticking boxes, holding hands, telling truths, predicting the future and sometimes saying ‘no’, how does the Privacy Officer demonstrate her or his worth? How can organisations be persuaded that there will be a positive return if they invest in a robust privacy management program?
We hear a lot about how customer and citizen trust is essential to maintaining an organisation’s reputation, but … can you quantify it?
I have long been interested in this question. For the privacy officers out there, you need to know that doing good work – championing Privacy by Design for example – will lead to good outcomes for your business or government agency. But where is the evidence?
Some years ago, the UK Information Commissioner’s Office commissioned The Privacy Dividend, which concluded that customer trust, gained through proactive privacy protection, delivers business value. More recently the IAPP published a white paper on the ROI of Privacy, which noted that privacy protection can be used to “secure brand trust, contribute to the bottom line and gain competitive advantage”. And a study released by Cisco found that privacy-mature organisations experience shorter sales delays, fewer data breaches, and smaller losses from cyberattacks. But sometimes I feel like these efforts to quantify the value of privacy protection go unheeded.
Privacy regulators have long spouted the line that ‘privacy is good for business’, but as my colleague Steve Wilson loves to point out, it ain’t necessarily so. For all we laud Apple and Microsoft’s legal stands against the US Government to protect the privacy of their customers, in fact many of today’s tech giants have thrived on hoovering up personal information and re-purposing it for their own ends.
It is difficult to confidently articulate a positive ROI on protecting personal information, when others seem so hell-bent on finding the ROI in exploiting it instead. Consider this example, from a story explaining how Bluegogo, one of the dockless bike share companies, went spectacularly bust in November 2017, having burnt through almost $120M in venture capital churning out bikes:
“none of the share bike companies have a working business model and are instead burning through venture capital to place their bikes on the street in a race to become the market leader. They hope that the data the GPS-enabled bikes generate could lead to revenue opportunities in the future.”
That’s right, some mugs stumped up $120M on a scheme that might have been able to exploit the personal data of its customers, in some unknown way, at some indeterminate point in the future, to possibly earn some income, which may or may not have been enough to pay them back. (Pssst, hey rich and reckless venture capitalists, let me show you this bridge I’ve got for sale. It’s on the blockchain, so you know it’s gonna be amaaazing.)
Even the recent revelations about Facebook and Cambridge Analytica have simply exposed the brutal truth at the heart of Facebook’s business model. When you consider that the loss of around US$70 billion in share-market value in the first 10 days after the Cambridge Analytica story first broke still only represents around a 13% decline in Facebook’s value, there is clearly oodles of money left in a business model which is predicated on collecting, generating and inferring personal information about individuals, in order to use and sell the data for unrelated purposes.
So as much as I would like to tell you that governments and businesses have all jumped on board the ‘privacy is good for us’ bandwagon, it’s not entirely true.
While smart CEOs will realise that the Privacy Officer can be a source of strategic value for the organisation, others will still only see privacy as a compliance cost, rather than an investment. I know this is a situation that many Privacy Officers are in. For those of you in that boat, focusing on the bad instead of the good may be the only way to get your message through to the C-suite. Case studies about stuff-ups might work better for you than promises about improving customer trust.
A couple of recent examples highlight the importance of ensuring privacy risks are properly considered before projects are rolled out.
In the first example, insurers AAMI and Suncorp launched an online insurance quote tool, which then had to be rapidly shut down when customers began pointing out that the tool could be used to look up whether or not any address had particular safety features like deadlocks or an alarm. The predictable fear was that of burglars, but my first thought was for victims of family violence or other people facing physical safety risks. (By the way, I believe that the insurer’s claim that there was no privacy issue because the information related to buildings not people is well off the mark, both in terms of the scope of what is ‘personal information’, and customer expectations about how data will be treated.)
And the second example is that of a change to Vodafone’s IT systems, which “allowed customers to self-select online that their identity had been verified in store, without any further check that this had actually occurred”. More than 6,000 pre-paid mobile phones were sold over a 12 month period, without the identity checks required by law for anti-terrorism and other law enforcement reasons.
If conducting Privacy Impact Assessments (PIAs) is routine in your organisation for all projects (whether big ticket items or minor changes to existing systems or processes), and if your PIA methodology includes mapping out the data flows and testing customer expectations, these are the kinds of errors which should be picked up at the design stage. Preventing costly disasters is a critical way the Privacy Officer can add value to their organisation.
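The Vodafone change described above is a textbook case of the kind of data-flow error a PIA should surface: a fact that the law requires a store to establish (identity verified in person) was being asserted by the customer’s own online form. The following is an added illustration, not code from Vodafone or from this post, and every name in it (the staff token table, the ledger, the sale functions) is a constructed assumption. It places the flawed pattern beside a hardened one in which the verification record can only be written by an authenticated store-staff action and the customer’s form field is ignored, and adds a detective check that lists activations with no matching verification record.

```python
"""Two ways to gate a prepaid SIM sale on an in-store identity check.

Constructed example (hypothetical names throughout). The 'vulnerable'
path trusts a client-supplied form field; the 'hardened' path consults
a server-side ledger that only authenticated store staff can write to.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed: which staff credentials belong to which store.
STORE_STAFF_TOKENS = {"staff-token-42": "store-0191"}


@dataclass
class VerificationLedger:
    """Server-side record of in-store identity checks.

    customer_id -> (store_id, timestamp). The only writer is
    record_store_verification, which requires a valid staff token.
    """
    entries: dict = field(default_factory=dict)

    def record_store_verification(self, staff_token: str, customer_id: str) -> None:
        store_id = STORE_STAFF_TOKENS.get(staff_token)
        if store_id is None:
            raise PermissionError("only store staff may record an identity check")
        self.entries[customer_id] = (store_id, datetime.now(timezone.utc))

    def is_verified(self, customer_id: str) -> bool:
        return customer_id in self.entries


def sell_prepaid_vulnerable(ledger: VerificationLedger, customer_id: str, form: dict) -> dict:
    """Flawed design: the customer's web form asserts that the store check happened.

    The ledger is never consulted, so anyone who ticks the box is sold a SIM.
    """
    if not form.get("verified_in_store"):
        raise ValueError("identity not verified")
    return {"customer_id": customer_id, "activated": True,
            "verified_by": "customer self-attestation"}


def sell_prepaid_hardened(ledger: VerificationLedger, customer_id: str, form: dict) -> dict:
    """Hardened design: the form field is ignored; only a staff-written entry counts."""
    if not ledger.is_verified(customer_id):
        raise ValueError("identity not verified: no in-store check on record")
    store_id, _checked_at = ledger.entries[customer_id]
    return {"customer_id": customer_id, "activated": True, "verified_by": store_id}


def find_unverified_activations(activations: list, ledger: VerificationLedger) -> list:
    """Detective control for the period before the fix: return the customer ids
    of activations that have no matching in-store verification record."""
    return [a["customer_id"] for a in activations
            if not ledger.is_verified(a["customer_id"])]


if __name__ == "__main__":
    ledger = VerificationLedger()
    # Constructed: a customer who simply ticks the box in the online form.
    self_ticked = {"verified_in_store": True}
    sold = sell_prepaid_vulnerable(ledger, "cust-001", self_ticked)
    print("vulnerable path sold:", sold)
    try:
        sell_prepaid_hardened(ledger, "cust-001", self_ticked)
    except ValueError as err:
        print("hardened path refused:", err)
    ledger.record_store_verification("staff-token-42", "cust-002")
    print("hardened path after real check:", sell_prepaid_hardened(ledger, "cust-002", {}))
    print("activations lacking a store record:",
          find_unverified_activations([sold], ledger))
```

The point for a PIA is visible in the data flow: in the hardened version the “verified” fact originates from a store-staff action and never travels through the customer’s browser, and the audit function gives the Privacy Officer a concrete way to size the exposure once such a flaw is found.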
Of course, it can’t be the Privacy Officer’s job alone. Everyone needs to be on board if you are going to tackle privacy risks properly.
We conducted a survey of Privacy Officers in 2017, and asked them an open-ended question: ‘What do you see as your organisation’s biggest challenge?’ We were expecting to hear about hot topics like data analytics, de-identification and artificial intelligence, but instead the majority of responses boiled down to one thing: the need for better staff awareness. Not sexy, but so important.
Employees need to be actively engaged in good privacy practices for a privacy management program to be effective. Staff need training to be able to understand their obligations, know how to implement those obligations in practice, recognise and report privacy near-misses and breaches, know how to handle complaints, and remember where to go for advice. Plus anyone involved in projects, IT or otherwise, needs extra skills-based training to be able to identify and mitigate privacy risks when designing projects or implementing changes.
A Privacy Officer’s job is complex enough. It shouldn’t have to also involve constantly quantifying or justifying the role’s very existence. The value for organisations in having a skilled and dedicated person in charge of a broader privacy and data management program should be self-evident.
But since that message has apparently failed to get through to some organisations, from July 2018 the new Privacy Code for Australian government agencies will make it a legal requirement for those agencies to have a dedicated Privacy Officer, as well as a ‘Privacy Champion’ drawn from their senior executives. (The Code will also make PIAs and staff training about privacy responsibilities mandatory for Australian government agencies.)
So in much the same way as the GDPR is driving demand for more privacy officers in private sector businesses around the world, expect to see a jump in government job adverts coming your way soon. Might be time to polish your CV, or ask for a pay rise to stay put. But meanwhile, keep calm, dear Privacy Officers, and carry on.
PS – If you need a hand walking the tightrope of privacy protection, give us a call, or check out our new Compliance Kits to help you build your privacy management program. They include a swag of template policies and procedures you can quickly customise for your organisation (including a template Privacy Risk Assessment Procedure & Questionnaire to help with PIAs), as well as a staff manual, checklists, online training modules, and eBooks. We’ve updated the Kits recently to include extra resources like a GDPR Compliance Checklist too.
Photograph (c) Anna Johnston