Despite GDPR coming into effect in Europe a year and a half ago, privacy continues to be the most important aspect of data management, while consumer concerns regarding the privacy and security of their personal information still remain. But what exactly has been done surrounding data privacy since GDPR? Ken Mortensen, data protection officer at InterSystems, finds out.
Research has found that more than half of European respondents are concerned about the internet eroding their personal privacy, and 60% worry about how their personal information is being used by companies. While GDPR was introduced to safeguard consumer data, it also seems to have increased awareness of the misuse of data: 70% of internet users in the UK and US surveyed in September 2018 were more concerned about their online privacy than they had been 12 months previously. Consequently, consumers are frequently demanding greater control over their information, and many are unwilling to give up that information, particularly as they recognise its value and importance to businesses.
Although organisations already have a structure in place to comply with GDPR, they must acknowledge this consumer trend and continue to enhance their processes and policies to sustain a data privacy programme and ensure the proper protections and safeguards. Failure to do so could be costly, not just in terms of fines from regulatory agencies, but it could also cost them the trust of their customers. As companies get to grips with this, the concept of information ethics is coming to the fore. So, what have businesses done since GDPR to provide for continuous improvement around the issue of privacy? And, where does information ethics come into it?
Introducing a culture of accountability
A growing number of businesses are putting data privacy on the radar of their entire employee base, not just those at the top. In these organisations, it is becoming everyone’s mission to have an understanding of provenance and the use of information, with everyone taking accountability for how the organisation collects, uses, and shares personal information. The idea of accountability is that “we say what we do and we do what we say” and, importantly, “we stand by doing what we do.”
This culture of accountability is also being extended to how organisations talk to their customers about data privacy. Increasingly, businesses are being open and inclusive, telling customers about what they are doing with personal information and how they are protecting it.
Some businesses recognise the need to close the gap in terms of the expectations, responsibilities, and actions relevant to privacy protections and information ethics. With big data breaches, such as recent ones that exposed the data of almost 400 million people, it is no wonder fewer people are willing to part with their personal information. That said, it may be possible to overcome the distrust these occurrences tend to inspire by taking an open and honest approach to talking to customers about how their personal information is used, stored, and shared. The issue of trust is something that organisations have been coming back to time and again since the introduction of GDPR, and it is echoed by leaders like Shell CEO Ben van Beurden, who believes that transparency and ethical behaviour are integral to gaining public trust.
Creating new positions
As organisations begin to look beyond compliance to drive competitiveness through the governance of personal information, the issues of trust and ethics pertaining to that information become more crucial to the success of the business. More enterprises are beginning to treat personal information as a critical asset like they would treat money and are appointing senior people to lead the governance and ethics roles.
One of the most effective ways businesses are doing this is by developing new roles with the sole purpose of protecting privacy. Organisations like InterSystems are appointing either a data protection officer, a trust and ethics officer, or a chief ethics officer to ensure they maintain both compliance and trust through the ethical use of personal information. The creation of these roles sends a strong message that trust, and by extension, privacy, security, and ethics, are at the forefront of the culture of an organisation. But more than that, this approach moves the discussion on from businesses purely being interested in being compliant, to focusing more on operating ethically and doing the right thing.
Implementing a governance framework ensures appropriate behaviour in the creation, storage, use, and deletion of information through the integration of processes at all levels of a company. A governance framework can be used to look at the issues of privacy and security and how the related business processes can be consistently and reliably implemented across an organisation. Within such a framework, both privacy and security matters are examined. The former focuses on the collection, use and disclosure of personal information, while the latter looks at the confidentiality, integrity and availability of that information. As organisations implement a governance framework, they may seek outside auditors to demonstrate that they are trustworthy.
Overall, high profile data breaches in the time since GDPR’s introduction suggest some organisations could be doing more in these areas. So, although the initial work to achieve compliance may now be a distant memory, businesses must continue to improve their efforts in this area as the narrative moves beyond mere compliance and towards trust and ethics. Ultimately, maintaining data privacy is an ongoing battle. As a result, companies must not only implement new processes and ways of working, but also develop a culture of accountability that supports the company’s efforts to maintain a data privacy programme led by someone in a role dedicated to data and trust.