How to prepare your privacy practices for the year ahead
What will we see this year? January is off to a quick start. Family Tree Now and Meitu have already raised privacy fears among consumers. (Image: Meitu)
Looking back at publicly reported breach events and data privacy violations of the previous 12 months, there are trends that Forrester believes security professionals can learn from.
The intersection of privacy and customer experience reminds us of the importance of collecting and managing consent -- whether that involves collecting data to personalize an experience or marketing or another initiative we aim to pursue. We saw notable examples (Verizon Wireles, InMobi, etc) of how Federal Communications Commission (FCC) and Federal Trade Commission (FTC) actions in 2015 and 2016 converged on issues of consumer privacy and consent. In both cases, firms used tracking information to deliver targeted ads.
What can brands learn from this? Securing and protecting data is only one aspect of managing privacy. You must also:
1. Develop core capabilities for privacy oversight and accountability. Designating an individual in compliance or legal to decide what you can do with customer data based on regulatory requirements is insufficient. Instead, your firm will need to develop a set of capabilities to create, enforce, and assess policies and practices and thus manage consumer data privacy cohesively. This not only helps with efforts to meet compliance requirements, but also helps you build internal standards for privacy and data usage that align with corporate culture and values to balance data use innovation and risk.
2. Adopt contextual privacy practices to deliver desired customer experiences. One customer's terrific, personalized experience may feel deeply creepy to another. Individual interpretations of privacy matter. The new privacy is all about context. This means that your firm must allow customers to dynamically negotiate the collection and use of their personal data. As your firm designs its desired customer experiences, you must practice a "no surprises" doctrine (be transparent) regarding data collection and use, give consumers meaningful opt-in and consent options, and treat more data types as personally identifiable.
3. Align functions and procedures to follow through with privacy policies. Your firm's privacy policy is useless -- and a liability -- if you lack enforcement mechanisms. InMobi tracked consumers' locations regardless of whether it gave consent to use their data and ignored those who opted out and used their data anyway. You must document internally how your firm achieves what your privacy policy promises, and you must ensure that security and operations pros responsible for implementing controls understand your data use and handling policies.
What will we see this year? January is off to a quick start. The Obama administration relaxed NSA data sharing rules. The EU released its proposal for ePrivacy regulation. Family Tree Now and Meitu raised privacy fears among consumers. A new CIA director was sworn in despite concerns from privacy advocates. President Donald Trump signed an executive order stripping privacy rights from non-US citizens (and might invalidate Privacy Shield as a result). The year is still young.
With your business priorities and this changing landscape in mind, what are your top privacy concerns going into 2017?
Heidi Shey is a senior analyst at Forrester, serving security & risk professionals. Follow Heidi on Twitter: @heidishey.
Video: The most shocking internet privacy laws