Privacy 2.0: An Uncomfortable Compliance

If the GDPR formalized our natural right to digital privacy, why does so much of the work around data still feel so unnatural with regard to privacy?

This new state of discomfort shows up both in the consumer experience and in how corporations use data.  In a future where everything is data driven, companies have to move beyond compliance to resolve this awkward state.

Privacy Policy 2.0 – An Awkward Customer Experience

Anyone tired of consent popups and emails asking for consent to receive an email?  How about being redirected to a Privacy Policy to be told how cookies really work?

Privacy Policies are now written in clear and understandable language instead of legalese, but you can’t help feeling that they were written by a lawyer protecting the company rather than your rights.

Most privacy policies are not being read.  They weren’t being read in Privacy 1.0, and even with clear language, they are still not being read in Privacy 2.0.  So where is the value?  Is this really what was meant by transparent and informed choice?

Privacy Policy 2.0 – Transparency Alone Falls Short

In fairness, it is no easy task to write something that is understandable, transparent, and compelling while also protecting your company from being fined.  My own Privacy Policy fell short of what I wanted to do, and I am not even collecting data for secondary usage.

It shouldn’t be this hard to respect privacy and use data appropriately.  So why is it?  What are we missing here?

It has been said that data is the new oil.

If data is the new oil, then Privacy is the new dollar

Companies are coming up short on Privacy Capital, and this uncomfortable compliance can’t pay the bill for the data they want to use.

Where Are We on the Path to Privacy?

We are at the necessary, but temporary, state of Privacy 2.0 – Privacy as an Afterthought or Compliance.  The initial emphasis of GDPR enforcement on transparency is resulting in attempts to do the right thing the wrong way (patching up 1.0 systems that were never designed for privacy).  Again, it is necessary, but it is awkward, and that awkwardness is manifested in Privacy Policies 2.0.

We went from Privacy Policy 1.0 (no privacy, “get over it”) to hefty monetary penalty avoidance on May 25, 2018.  This change created a scramble to compliance, illustrated below as Privacy version 2.0, in which most companies tried to remediate 1.0 systems instead of redesigning them.

The volume of data usage should go down from the Wild West days of Privacy 1.0, and this decrease is to be expected.  The goal, however, ought to be an increase in the legitimate use of data, and Privacy 2.0 won’t get us there.

Facebook’s Privacy Capital Deficit Only Grew with 2.0 Transparency

Facebook’s privacy impact stats show the usage effect of exposing Privacy 1.0 practices.  The Cambridge Analytica revelation resulted in ~25% of Facebook users removing the Facebook app from their phone.  The GDPR right to download the information Facebook had collected on them resulted in 47% of the users who exercised it removing the app from their phone.

Facebook has incurred a growing Privacy Capital deficit which has affected its stock price through decreased use of data, increased security costs, and, as this stock analysis article cites, impending U.S. privacy regulation.

The breach of trust has to be repaired, and privacy as an afterthought won’t do it.  Privacy 2.0 raises the question of how we get to Privacy 3.0 – Privacy by Design.

Identify Self-Defeating Organizational Factors

What’s preventing you from moving to Privacy 3.0 today?  Your legal team could be too busy worrying about being fined to think about privacy that enables data usage.  Your business wants to hide anything that will reduce the amount of data it can collect and use.  IT has to redesign its end-to-end data flow with privacy as the default while dealing with unclear guidelines, competing interests, and a lack of will or priority to invest in privacy.  Most organizations have not aligned these three groups to rationalize how they use data.

Privacy 2.0 is at best a transition phase.  Trying to duct tape privacy on as an afterthought may get you compliant on primary data (regardless of whether that data is needed), but it won’t enable you to use data for secondary purposes.  On the contrary, the longer a company puts off Privacy 3.0, the less data it will have to use and the more likely it is to suffer consent leakage.  Consent leakage is when a company unwittingly violates the consent choices of its customers because it never designed for privacy: the data is collected under one purpose, and nothing in the system stops it from being used for another.  This approach is Lawsuit by Design, and it is the inevitable result of Privacy 2.0 mindsets.

So what does Privacy 3.0 look like?

  1. It understands and respects data privacy.  This is basic Golden Rule stuff, as Senator Durbin pointed out in the Facebook hearing: “Mr. Zuckerberg, would you be comfortable sharing with us the name of the hotel you stayed in last night?”  “Senator, no.”  Well then, if you don’t want to be tracked, don’t track others.  If you do want to be tracked, fine, but give others the choice just like you have.
  2. When privacy is respected and there is a Golden Rule commitment not to use data for secondary purposes without explicit and narrow consent, then companies must build systems that are designed to respect privacy programmatically and procedurally – Privacy by Design.

Where to Start? Separate Primary Data from Secondary Data

Don’t ask for consent to cover your assets when you already have a legitimate reason to process the data.  I am sure your lawyers have you covered in the EULA and TOS for primary data usage (check with them).  This justification requires that you fully know your Data Ecosystem Network (DEN) and have established a legitimate legal basis for all collection, processing, and usage of the data.  Your documentation and justifications should be sufficient for an audit.

Where your business has tried to sneak secondary-purpose usage of the data into the EULA/TOS, remove it and properly, visibly, and transparently ask for explicit consent instead.  This includes sharing data with “third parties” where that sharing is not required to fulfill the primary service.  Be prepared to demonstrate how you value consumers’ privacy and what you have put in place to keep their data secure and private.

You will want to offer some value in your secondary data usage opt-in program in exchange for people letting you use their data.  Remember that digital privacy means that consumers maintain control over their data: consent can be withdrawn at any time, and the data processed under that consent goes with it.
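The programmatic side of what the last few paragraphs describe (a system that knows which purposes the contract covers, refuses secondary-purpose processing without a recorded opt-in, and purges derived data when consent is withdrawn) looks roughly like the following.  This is an added illustration, not code from the original post or from any product the post mentions; the purpose names, the record layout, the audit log and the sample customer are all assumptions chosen for the example.

```python
"""Purpose-limited processing with separate primary and secondary purposes.

Added illustration, not code from the original post. The purpose names,
the record layout, the audit log and the sample customer are assumptions
chosen for the example.
"""
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List

# Primary purposes are needed to deliver the contracted service, so the
# EULA/TOS covers them. Everything else is secondary and requires an
# explicit, purpose-specific opt-in that can be withdrawn at any time.
PRIMARY_PURPOSES = frozenset({"deliver_service", "billing"})
SECONDARY_PURPOSES = frozenset({"marketing_email", "partner_sharing", "behavioural_analytics"})


class ConsentError(PermissionError):
    """No legal basis for the requested processing."""


@dataclass
class Customer:
    customer_id: str
    email: str
    consents: Dict[str, bool] = field(default_factory=dict)      # secondary opt-ins
    derived: Dict[str, List[Any]] = field(default_factory=dict)  # data derived per purpose

    def has_basis(self, purpose: str) -> bool:
        """Contract covers primary purposes; secondary ones need recorded consent."""
        if purpose in PRIMARY_PURPOSES:
            return True
        if purpose in SECONDARY_PURPOSES:
            return self.consents.get(purpose, False)
        raise ValueError(f"unknown purpose: {purpose!r}")


# Every allow/deny decision is recorded so an audit can show where code
# tried to use data for a purpose the customer never agreed to.
AUDIT: List[Dict[str, Any]] = []


def process(customer: Customer, purpose: str, fn: Callable[[Customer], Any]) -> Any:
    """Run fn(customer) only with a legal basis; tag secondary results by purpose."""
    allowed = customer.has_basis(purpose)
    AUDIT.append({"customer": customer.customer_id, "purpose": purpose, "allowed": allowed})
    if not allowed:
        raise ConsentError(f"{customer.customer_id}: no basis for {purpose!r}")
    result = fn(customer)
    if purpose in SECONDARY_PURPOSES:
        # Keep derived data linked to its purpose so a withdrawal can purge it.
        customer.derived.setdefault(purpose, []).append(result)
    return result


def grant(customer: Customer, purpose: str) -> None:
    """Record an opt-in; consent is only ever collected for secondary purposes."""
    if purpose not in SECONDARY_PURPOSES:
        raise ValueError(f"{purpose!r} is a primary purpose and needs no consent")
    customer.consents[purpose] = True


def withdraw(customer: Customer, purpose: str) -> List[Any]:
    """Revoke consent and purge data derived under it; returns what was purged."""
    customer.consents[purpose] = False
    return customer.derived.pop(purpose, [])


def denied_attempts() -> List[Dict[str, Any]]:
    """Audit view: every processing attempt that lacked a legal basis."""
    return [entry for entry in AUDIT if not entry["allowed"]]


def demo() -> Dict[str, Any]:
    """Walk one constructed sample customer through the consent lifecycle."""
    alice = Customer("c-1001", "alice@example.invalid")  # constructed sample record
    invoice = process(alice, "billing", lambda c: f"invoice for {c.email}")
    try:
        process(alice, "marketing_email", lambda c: "campaign segment A")
        leaked = True  # reaching here would be consent leakage
    except ConsentError:
        leaked = False
    grant(alice, "marketing_email")
    segment = process(alice, "marketing_email", lambda c: "campaign segment A")
    purged = withdraw(alice, "marketing_email")
    return {"invoice": invoice, "leaked": leaked, "segment": segment,
            "purged": purged, "remaining_derived": dict(alice.derived),
            "denied": len(denied_attempts())}


if __name__ == "__main__":
    print(demo())
```

The point of the design is that the purpose is a parameter of every processing call rather than something a developer remembers to check: primary purposes pass on the strength of the contract, secondary purposes pass only on a recorded opt-in, refusals are logged for the audit, and derived data stays tied to the purpose it was produced under so withdrawal can actually remove it.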

If your company’s business model never needs to use secondary data, then Privacy 2.0 may be sufficient, since you don’t need consent.  Compliance in security and privacy (CPNI, PII, SPI) may be enough in those cases.

Privacy Pays

It is time to re-imagine the Privacy Policy in a way that raises Privacy Capital instead of chasing people away.

Privacy Policy 3.0 could change this dead space into the most read and most heavily trafficked page on your site.  This page should be the digital bedrock for the two-way, dynamic relationship companies will have with an audience that has a reason to trust them with its data.  In this oil rush, it is privacy or bust.


The DPO – Beyond Compliance

Compliance day for GDPR is just over a month away.  I know that your company is fully compliant, so you can probably skip this for yourself, but perhaps you have a friend who might benefit from it.  Wouldn’t it be nice if your friend’s company, which might be slightly less than 100% compliant, could prioritize its GDPR efforts?

The good folks at the IAPP have created an infographic of the European Supervisory Authorities’ Top 8 GDPR Enforcement Priorities that your friend’s company will need to have completed to merit a good faith effort at compliance.  The #1 priority – the DPO.

“Have you appointed a data protection officer (DPO) who is responsible for processing activities,” they ask.

Note that the DPO responsibility is for processing activities.  Out of all of the requirements, why are they focusing on processing activities?

The DPO Priority and Focus

Processing data is the most widely ignored pre-GDPR aspect of Privacy by Design.  It is also the foundation of protecting personal data, as the eight enforcement priorities go on to describe.  Prior to the GDPR, there was some general awareness of things like data retention.  The Ad Tech world had cookie consent and tag management, which dealt with the collection of data.  Marketing departments and their tools had some notion of outgoing contact consent, so that offers were not sent to people who didn’t want to receive them.

These efforts dealt with data collection and data usage, but they completely ignored the most important part of internal data privacy, which is data processing.  The DPO’s job is to fix this gap by systematically understanding and orchestrating, enterprise wide, the entire flow of data from collection, through processing, to usage.  This is no small charge, especially for medium to large companies with large data assets.

The primary requirement for the DPO role is to fully understand a company’s Data Ecosystem Network (DEN).  The DEN is the network of connected data that flows into, through, and out of the company.  It is the synthesis of data products that form a cohesive system that includes the collection, engineering, analysis, presentation, and action of or upon data.

Prior to the advent of Big Data, most data was siloed in applications.  While it might have been consolidated in a Data Warehouse, this data was not networked and combined on an ongoing basis to feed a data driven organization.  With the growth of machine learning, IoT, automation, and AI, the networking and combination of data will multiply.  The DPO must be the master of this Data Ecosystem Network, and that mastery starts with understanding how data is processed in the DEN.

The DPO must be Independent

The DPO will face many issues in moving a company to compliance.  Not the least of these challenges will be the native tension between The Business, The Legal Team, and IT.  For this reason, GDPR Recital 97 states that:

the DPO “should be in a position to perform their duties and tasks in an independent manner.”

This tension is illustrated in the following diagram showing the connected relationship between these three groups and the data.  All three have to be aligned to succeed in Privacy by Design and all three will have competing interests that will work against Privacy by Design.

The DPO’s job is to align all three divisions so that Privacy by Design is institutionalized.  Success means that, by aligning these three groups, the DPO enables the Business to profit from data while enforcing Legal’s requirements in a way that can be rationalized in a cohesive IT architecture across the DEN.  To pull off this balancing act, the DPO will need to understand the business enterprise, the legal regulations, and the technical IT architecture.  The DPO will also have to have authority over how data flows into, through, and out of the company, which is why the position has to be independent of Business, Legal, and IT.

The following diagrams show the pitfalls of not having an independent DPO vs. creating an organizational structure with an independent DPO that can implement Privacy by Design.

The green and red examples are not the only way to position the DPO, and there may be other ways to achieve an independent DPO.  The Legal Team and IT ultimately need to be enabling the Business, and all three have to be aligned around data protection.  The point is, if you want Privacy by Design, then you need to find a way to give independent authority to the DPO so that the other three can’t derail the DPO’s mandate.  Otherwise, the DPO will be caught in the middle of the three groups, and the company will be the loser.

The DPO Must Know your Data

The IAPP lists the second priority as Data Inventory and Mapping.  A lot of IT departments have been inventorying their data in order to identify data assets for additional use in a Big Data environment.  What may be new with the DPO role is the need to classify data not in terms of technical or business metadata, but in terms of ontology: what the data is about and what it is processed for.

The DPO will need to find a scalable way to distinguish legitimate processing from non-legitimate processing before privacy can be enforced in the DEN.  Classifying data based on its nature and the purpose of its processing will need to be done alongside the data inventory and mapping.  In my previous post “Modifying the GDPR”, I discuss the difference between Primary Data and Secondary Data and suggest that this is the starting point for an ontological classification of personal data usage.

The DPO – Beyond Compliance

Most of the work being done for GDPR privacy preparations at this point is probably better labeled Privacy as an Afterthought.  Beyond May 25, the DPO needs to influence the company culture to move privacy into the business planning stage.  Privacy that enables companies to use Secondary Data will need to be part of the corporate strategy, and the DPO should be sitting at the table with the strategy team.  Given the central role data plays in IoT, automation, and AI, it only makes sense that the DPO becomes a thought leader who drives new revenue while respecting your customers’ privacy rights.

Some of you are saying to yourselves, “this guy just blew his credibility as a privacy advocate; privacy and business shouldn’t mix” (see Article 38(6), which lets the DPO take on other tasks only where they do not create a conflict of interests).  In response, I would suggest that unless privacy moves beyond compliance and is seen as both a foundational right and a strategic asset, it could become a back office checklist to be ignored or worked around.  I would rather have a DPO sitting at the table changing the mindset around privacy than have privacy forgotten after the GDPR anxiety passes.

Beyond changing the business mindset, privacy needs to be inserted into the design process.  The DPO will need to insert data privacy into the DevSecOps cycle.  Data driven companies in the middle of digital transformation have to become data centric and, as such, must start with data Privacy by Design.  The DPO will need to forge the path to Sec/Priv-Dev/Ops to ensure that privacy starts before development begins.

Who is ready for GDPR?

Well, this was probably a review for you, because you have had your DPO in place for a long time and they have implemented Privacy by Design beyond a mere good faith effort.  You know what the DPO should be doing and are ready for May 25th.  The rest of us should probably review those GDPR Enforcement Priorities.


photo credit: stockcatalog