Security and privacy professionals have been taught to respect the confidentiality, availability and accuracy of data that we collect and create — particularly when it includes sensitive information.
Most security models are built on this framework. Privacy extends these guidelines further with concepts of notice, choice and consent of an individual data subject.
However, a rather insidious factor is creeping into our increasingly interconnected world — and Chief Privacy Officers are tasked with curbing its reach.
The Dark Side of Data-Driven Technology
Some large technology companies and social media platforms are feeding consumers information (based on automated algorithms) that simply confirms their previously held beliefs, even when that information may be false. This could be through targeted newsfeeds, based on previous items you have clicked. It could be advertising suggested to you based on previous searches. It could even be political ideas based on opinions you or your friends have expressed.
Targeting technology is a direct result of the experiences consumers have come to expect from online retailers, where a book is recommended based on a previous purchase.
While book recommendations may be benign, on the other end of the spectrum is where organizations are influencing our very ideas and understanding of facts. The suggestive power of social media platforms and the seemingly endless stream of targeted online advertising and political commentary flooding our inboxes may soon shape our ability to think independently.
While social media companies are providing a free service to consumers, they are being paid by their advertisers. Those advertisers are literally paying for consumers’ likes and dislikes, and the ability to sell products based on them.
But what about the sale of this data for an idea or a political opinion? What if it begins to infiltrate not only the public trust, but also the technology we use inside of our companies? What is that ethical line, and how much should we be expected to accept?
I joined over 3000 privacy professionals gathered in Washington, DC last month at the Global Privacy Summit, an annual conference run by the International Association of Privacy Professionals (IAPP) to discuss questions like these and explore the risk, opportunities and ethical implications of privacy and security in our increasingly data-driven world.
I walked away with a fresh perspective on the influence of targeted, data-driven technology in our personal lives and behavior, and ideas on how Chief Privacy Officers can positively impact this area.
Who Is Watching the Watchers?
As these concepts enter the workplace, what is the role of Chief Privacy Officers? Are they simply data stewards and advocates for the privacy rights of our employees, customers and citizens of the world?
The reality is companies are in business to make money — and it is the job of compliance professionals to help them do so. They must therefore balance the need to help their company realize the potential of its data, while making sure they also protect that information.
Chief Privacy Officers are tasked with validating any data the company collects, and ensuring it is used and shared appropriately within societal boundaries and according to legislation — such as the upcoming European Union General Data Protection Regulation (GDPR). Chief Privacy Officers must help their organizations navigate a world where individuals face a paradox with personal privacy — knowing information placed on the internet and available publicly can be used in unintended ways, regardless of the company’s original intent.
At the same time, they must ensure their organizations work to establish trust with their customers who share their information every day. Once lost, trust is very difficult to regain. This is true for public sector organizations, businesses and individuals alike.
The ethical role of companies rarely comes up in conversation. But in many ways companies are replacing our traditional media outlets as arbiters of the truth, to accurately share the news and influence public opinion. So, in our data-driven society, who will be the new guardians of our information and the ways it is used?
I suggest the Chief Privacy Officer will be that person. Chief Privacy Officers' role is intended to balance the collection of data. However, it typically does not cover the flow of data from a company to a customer or the algorithms used to make automated decisions about individuals — aside from testing whether they are acceptable within the boundaries of a given law.
The GDPR mandates companies be transparent about the reason they collect data, give their customers a true choice about providing it and then follow through by ensuring that data is used within the boundaries a consumer provided.
This provides an opportunity for the role and responsibilities of the Chief Privacy Officer to expand with the regulation.
From Data Guardian to Business Enabler
When it’s collected, used, shared, maintained and disposed of both ethically and lawfully, information can provide great use throughout a business.
For effective data management and collaboration to turn into a competitive advantage for the business, timely access to information as well as multi-directional communication flow — with the right risk management filters in place — is essential. Data remains available to those who should have access and is kept away from those who should not.
An empowered Chief Privacy Officer can help his or her organization repurpose its compliance program to turn previously untapped information into a business asset. This not only creates a quantifiable return on investment for data security and privacy programs, dispelling the view that they are cost centers, but also helps the organization increase productivity and ensure continued trust among its clients and constituents.