Privacy makes good business sense. We’ve heard this over and over, and particularly since the principles of ‘Privacy by Design’ became a focal point for businesses over the last decade as they set out to demonstrate their commitment to privacy protection. Over the years, we’ve seen a healthy movement towards becoming a model privacy proactive corporate citizen. Many businesses shifted their message – focusing positively on business ethics and a trusting customer relationship rather than simply avoiding risky data breaches.
But the fear of breaches and privacy incidents has power. Steering clear of reputational damage certainly remains persuasive when convincing senior management that proactive privacy work (such as developing a strong privacy training program or developing strong privacy policies and procedures) is an important priority. In my own work, I am able to use real examples of breaches experienced by one client to inform another client what could go wrong if they don’t establish a better security control. For example, a client I recently worked with decided to conduct a complete privacy and security assessment because their e-mail server became the target of a successful hacking incident whereby e-mail messages across the organization were compromised. Unfortunately, this client was using e-mail to transfer unencrypted credit card authorization forms completed by customers. Using this example and the details of how the data breach occurred was extremely helpful in convincing another client of the importance of perimeter security testing, strong passwords and ensuring e-mail is not used to transfer and store sensitive data.
James Clear, author of the bestseller Atomic Habits, describes inversion as a powerful thinking tool (see https://jamesclear.com/inversion). He encourages us to put a spotlight on errors and roadblocks: “Instead of asking how to do something, ask how to not do it.” This seems counterintuitive, especially given the positive thinking movement and the ‘do what’s right’, ‘be good’ messages we are all familiar with. But as clearly stated by Clear (pun intended), “You can learn just as much from identifying what doesn’t work as you can from spotting what does. What are the mistakes, errors, and flubs that you want to avoid? Inversion is not about finding good advice, but rather about finding anti-advice. It teaches you what to avoid.” Practically speaking, fear has an intelligence we must tap into.
A balanced approach is most appropriate – we need both the value-based and fear-based message to get governments, organizations and individuals approaching privacy proactively.
Take for example our privacy laws themselves. I am all for making decisions about privacy protection from a deeper place. Generally speaking, balancing rights and responsibilities requires that we ask, ‘What feels true and right?’. I respect the Canadian privacy statutory framework of principles/pillars of best practice with room for interpretation. But this only works if we can all take the gaps, the spaces for interpretation in the laws, and fill them with ethical decision making that supports important privacy concepts such as transparency and consent. Since it is not possible to ensure businesses operate with such a common good in mind, we naturally move to fear-based laws, stricter standards and rules that, if broken, result in hefty penalties, such as those outlined in the GDPR that privacy regulators and lawmakers around the world have turned their attention to. We can expect Canada’s laws to move in this direction as well. But ideally, an approach that is more balanced than the ominous approach taken in Europe would help advance privacy without stifling innovation.
If we can achieve balanced thinking, the advice and anti-advice for developing effective privacy management frameworks will set organizations up for managing their data holdings more securely and strategically in the long run.
To obtain expert privacy advice, and anti-advice for your business, contact PRIVATECH.