Privacy is Not Dead, It Just Has A Different Personality

Humans are social beings by nature. We enjoy interacting with others; we constantly exchange information, ideas and beliefs. We have always done this through many different channels, whether face-to-face, in writing or by recording our messages on any available media.

An important aspect of modern communications is being able to decide who we want to interact with and when we want to be left alone. This right was established long ago and it has evolved over time. It is what we call privacy.

With the development and evolution of IT, our capacity to communicate and connect with other people and things has grown considerably. The endless stream of data generated through our daily interactions is creating a real-time log of our own lives: who we call with our cell phone, who we talk to on social media, the clothing we like and buy, the causes we support online, the books we download from digital libraries, the movies and songs we watch or listen to, the schools we study at, our consumer profile generated through loyalty programs, even data related to our health.

We are very generous in creating data that can be associated with ourselves, but once a piece of data can be linked to an individual who does it belong to? Who owns our name and every single piece of data that could be associated to it? We do, but we need to understand and recognize that we have obligations as well as rights with regard to data security.

Who is Threatening Our Privacy?

Some people believe that privacy is dead. If that is the case then who killed it?

It’s not news to anyone that social media has totally captured our attention and that our dependence on the Internet has grown enormously. We can now buy almost everything online and an important portion of the services we generally use can be contracted through the web.

As a result it seems we all are preferring comfort over security and privacy. Online tools can make our lives easier and more enjoyable but we definitely need to be cautious when we are developing a life online. By not paying attention to what we share and how we share it we are essentially contributing to the death of privacy.

We must also examine how organizations manage their own privacy policies. A paper released by EY recognizes the following: “Consumers have seized the power to dictate what they want, when they want it, whom they buy from and how much they want to pay. Organizations, eager to please the voracious appetites of these super consumers, seize any opportunity available, often through an ever-emerging array of new technologies, to communicate, build relationships, gather reams of data and sell.”

The pressures of the market have led companies into an endless race to find the right tools to keep their clients satisfied. But the question is: are they able to evolve and adapt their privacy policies and procedures at the same pace? Some organizations may be manipulating personal data and consciously or unconsciously managing privacy issues improperly. Even regulators are having trouble in following this race so companies need to be very cautious and seriously consider the intrinsic privacy issues.

Can We Save Privacy?

Privacy is not yet dead; it is evolving in tandem with the development of new technology. When it comes to saving privacy we must be conscious as individuals of what we are sharing online: be it on the Web 2.0, social media, mobile devices, video games, online shopping or Internet banking. We need to understand that in our virtual lives we can face serious threats just as in the real world and, because of that, we need to avoid being data promiscuous.

So we must be very selective regarding whom we share data with. This involves understanding the regulations of the markets we interact with, reading the contracts of the companies we take services from, selecting the companies we are going to work with to be sure that they have solid and effective privacy policies in place, and using our common sense to avoid risky situations just as we would in the real world.

There is a lot that companies can do as well. The following is a list of recommendations to be considered:

1. Know the geography of privacy. It is mandatory for every single organization to understand their compliance obligations on privacy matters in the different locations where they operate. There are many different regulations around the world that define how privacy must be protected.
2. Properly analyze privacy-related risks. Enterprise risk management is a critical process in any organization but in order to be effective, enterprise risk management needs to be complete and this demands the integration of risks related to privacy. Every business must confirm that privacy matters are included in their current corporate risk management model.
3. The earlier, the better. The future operation of a control will always be cheaper and more effective if it is properly managed in the very early stages of the design of a process or an IT application. This includes privacy controls. To this end, Privacy by Design is an excellent model that corporations can use when defining privacy strategy. This paper by the Privacy by Design team which busts three different myths on privacy, including its “death”, is worth reading.
4. On paper and in life. To become effective, a privacy policy needs to formally exist but I know of different organizations that do not even have privacy policies in place, so an important recommendation for them is to define their policy and bring it to life as soon as possible.
5. You are not alone. It is complicated to find a company that is not somehow dependent on third parties. I have found that many organizations do not take care of how the third parties they are working with are protecting the privacy of the clients, employees, suppliers that they are responsible for. All organizations need to understand the risks that can arise from their relationships with third parties.
6. Dealing with emergencies. Any company can face the embarrassment of having to deal with a privacy breach. In order to properly react to these situations, contingency plans need to be prepared in advance and a clear and concise plan on incident response has to be prepared and regularly tested.
7. Does it work yet? Controls can have a fantastic design but if they are not properly working they will generate no results. Considering this, a program to test the effectiveness sof privacy controls on at least ayearly basis is highly recommendable.
8. Update. Based on the results of continuous monitoring and regular tests of the effectiveness of privacy controls, all companies need to define how their privacy policies will be updated. Remember that privacy is constantly competing with technological advancement.
9. Create Awareness. Privacy controls will never prove effective if people are not aware of the company’s position regarding privacy and the importance that they play in it. An effective awareness program based on the corporate privacy policy needs to be in place.

Privacy is not yet dead but it is passing through a very challenging moment and its survival depends on the way both individuals and organizations deal with it.