Privacy by design is enjoying a revival as a concept, thanks to new efforts to help companies understand how to re-engineer themselves around better data controls. David Reed finds out about the new agenda building better data protection into systems.
Is privacy a standalone activity or should it be seen as inter-dependent with data and its management processes? Privacy could be considered to be a variable within a record with a tick or cross showing whether that data item can be used. Or it could be part of a whole suite of processes ranging from data security through to customer relationship management.
However simple or complex your view of the issue, one thing is certain - if you do not already have privacy embedded within your organisation’s data management, then you will have to re-engineer to do so. Both through consumer pressure and regulatory change, Privacy by Design is a concept whose time has most certainly come.
To ensure this new requirement gets realised, companies will start by asking where they will find a return on the investment. Despite the high profile which privacy has as an issue, relatively little work has been done to prove that it is financially beneficial. One of the few published works, the ICO’s “The Privacy Dividend”, struggled to get beyond the theoretical competitive advantage which could be gained.
Michael Bryan, vice-president, enterprise data management at Hilton Worldwide, understands the pressure for ROI all too well. “In a privately-owned business, they want to know what the quarterly yield is. You have to justify any investment and show it grows the bottom line.”
In the face of cost-cutting, restructuring and downsizing, asking for investment into an abstract concept like privacy may look like a struggle. “I have been that nuisance who says to the board, ‘I want a million dollars to do a project’. You may get their backing, but you can’t stand in front of the same people the next year and demand it again.”
That is a challenge for privacy by design since it is not a one-off programme - there may be one-time changes to processes and technology involved, but every year will see a continuing need for attention and support in this area. “You can’t use that one-time cost argument twice,” points out Bryan.
Organisations will not question the ongoing cost of employing lawyers to ensure compliance. They may also accept a one-off hit to get data protection notices up to the right standard - Bryan points out that many global businesses based in the United States are levelling up to European standards to reflect tightening regulations around the world.
That does create an opportunity to embed privacy by design as part of a compliance project and at the same time win ongoing benefits. “In the CRM space, rather than just saying, ‘do you want to opt out’ - because everybody will - you should present a range of options so it becomes a marketing activity,” he says.
Amtrak undertook this type of cultural change when Bryan worked there previously. It decided that privacy was not a separate subject but central to the service it provided and how it engaged with travellers. “They put it into the heart of how customers wanted Amtrak to engage with them, not something that was stop/start,” says Bryan.
Historically, the company had seen 85 per cent opt-out rates when privacy was just a tick box in the loyalty programme. Instead, it switched to a list of options relating to the customer’s journey, such as time of departure, destination and class of carriage, and including whether they wanted to receive marketing messages. As a result, Amtrak achieved a 40 per cent opt-in rate.
Arguing that increasing permission-to-market rates from 15 to 40 per cent has a financial benefit is straightforward. But it does require taking on some cultural challenges. As Bryan notes, “the personality of the people in privacy and compliance functions is very legalistic. They are used to doing things that are Yes/No, so privacy is not an enabler, it is a burden.”
Another critical shift he achieved was adopting the same metrics for privacy as are deployed to measure ROI on TV advertising. “Companies and agencies know how to measure the impact of that. If you ask them to prove the value of an opt-in within advertising, people in that function know how to measure it,” argues Bryan.
An important benefit of using this metric is that it aligns the privacy ROI with identical measures being used by marketing. That also makes the measure appear objective rather than subjective, and gains buy-in from legal and financial departments, too.
Bridging that gap is far from easy, not least because there are few established links between them. Marketing tends to talk to lawyers only to resolve specific issues, such as writing new privacy notices, and to finance only to resolve budgets. If data sits in a standalone function, it adds a further layer of complexity to any attempt to build in privacy by design.
One data governance source is only too familiar with these problems, since his company operates both in High Street retail and financial services. One side of the company is used to highly-regulated data, the other is far more permissive. “In my world, we won’t allow anybody to see data unless they are inside the organisation and allowed by contract to see it. We make marketing data private because we are required by the Data Protection Act to do so,” he says.
Showing a direct return from this approach is difficult, not least because the company does not monetise its customer list through rental, so there is no revenue stream to demonstrate. “Data security is just a cost of doing business. We have put controls in place to reduce the risk of being found guilty of anything by the regulators,” says the source.
This is the classic business case made by privacy professionals - that meeting the costs can be offset against potential fines. Those fines are not insignificant, such as the £2.8 million levied by the FSA on Scottish Equitable when it experienced a range of problems, including with customer data, where it was unable to trace 200,000 policyholders who had moved. That fine might seem high, but the company also had to pay £60 million in redress to its customers.
“Compliance and avoiding fines is what we get reported on. We measure every month across seven different themes, such as policies, business intelligence and even statement completeness. We never trend on zero for any of those,” admits the source, but some of the negatives are inevitable because of how data is operationalised.
So during statement printing, for example, it is possible for two letters to stick together and be inserted into one envelope, revealing sensitive information about one customer to another. That gets measured closely and has an acceptable level of tolerance (even though the business is always aiming to get to zero) and any changes provide a clear indicator of problems in procedures which are then addressed. “If there are errors in 20 or 30 pieces of mail, that is bad, but is still minute across millions of customers. If we had an issue that affected 100 customers, however, we wouldn’t be happy,” says the source.
His organisation is in the process of trying to bring the two parts of its business together, but this does require a significant levelling-up of privacy standards within the non-regulated, retail part of the company. It is a bold ambition driven from the top and according to this data governance professional, “I don’t think it will ever fully integrate together.”
That underlines one problem with privacy by design - most companies are not starting with a clean sheet, but are having to try to bring together pre-existing structures. Some of these may already have privacy at their heart, such as data, legal and possibly marketing. Others may be far less familiar with the whole idea.
At a recent event hosted by Linklaters, the original architect of Privacy by Design, Dr Ann Cavoukian, Information and Privacy Commissioner, Ontario, Canada, spoke to a packed room about her forthcoming whitepaper, “Operationalising Privacy by Design: A Guide to Implementing Strong Privacy Policies”. Its focus is precisely on this question of how to re-engineer the business in this way.
“Two years ago I was in Arizona talking to American Express,” recalls Cavoukian. “They already have a lot of systems in place which are mature. They asked what they can do to address the privacy area? That’s when I came up with the concept of ‘privacy by re-design’.”
Working with Arizona State University, she began to look at transformation programmes to bring privacy principles into play within existing legacy systems and structures. “We have looked into redesigning systems to help future-proof them. That has been welcomed by a lot of organisations and it is only just beginning,” she says.
Some of the data-originating technologies and businesses are still discovering privacy for the first time and are struggling to understand the ROI. Smart metering by utilities is an example. Says Cavoukian: “I was at a dinner with a senior utility executive who asked, ‘what’s it going to cost me?’ I said that is the wrong question - you need to ask, what’s it going to make me?” Providing customers with services to help them manage their energy consumption and understand the patterns within their household is likely to keep them more satisfied and loyal, for example.
“It is a very good message to give you a competitive advantage because it gives your customers confidence. That is the ‘privacy pay-off’ for businesses that are smart about it,” she says. (One corollary might be that some service providers have so far used data only to their own benefit, rather than their customers’, as with mobile telcos reviewing tariffs monthly where changes are only ever towards more expensive packages.)
Nonetheless, Cavoukian argues strongly that privacy is not only essential, it is also beneficial. “I always tell people that privacy doesn’t stand in the way of innovation, it is an enabler. You have to start developing systems that are user-centric by involving those users from the beginning in what you do. Leading companies, like IBM, Microsoft, Intel, Hewlett-Packard are all moving to privacy by design,” she says.
It is a message that is gratefully repeated by Jonathan Bamford, head of strategic liaison at the Information Commissioner’s Office. “This is culturally-driven - somebody in your organisation knows whether it is right for a person to access data and if they have permission to do so. The HMRC data loss proved that a simple control could have stopped somebody copying 25 million records onto two DVDs. Don’t take that risk.”
Privacy by Design should introduce those sorts of controls and be measured by how well they have stopped the business from being liable for fines and remediation. If a more positive ROI can be identified on top, so much the better. But no business will be able to succeed by trying to design systems without privacy any more.