Like it or not, the requirement for privacy management is going to get greater, rather than less. That could present problems in a business environment which has only rarely recognised privacy as a benefit, rather than an obstacle, says Peter Galdies, director of DQM.
In most businesses today, privacy management simply does not exist. There, I said it. I’m sure many privacy professionals would strongly disagree, quoting chapter and verse as to why their particular approach to controlling the requirements of the Data Protection Act was comprehensive and thorough.
Superficially at least, this may appear to be true. But it hides a sad reality that the common view of privacy compliance is that of a tactical necessity, rather than a strategic business winner. All too often, privacy functions are relegated to the barest minimum of reviewing preference statements and dealing with subject access requests, instead of really helping organisations gain the most value from the privacy process.
Privacy is rarely present in business processes and only sometimes has real business processes of its own. The Information Commissioner’s Office, with its often emphasised focus on “Privacy by Design”, has long recognised that the only real way for privacy to be well managed is by embedding firmly the fundamentals of privacy management within the day-to-day operational processes of organisations.
This has now been further emphasised in the proposed new European Data Protection Regulation with an emphasis on both “Privacy by Design” and “Privacy by Default”. Embedded within the proposals are requirements for larger businesses to implement documented privacy processes, measure and test such processes, allocate individual responsibility and provide all necessary resources - all of which require a good, strong set of business procedures to manage successfully.
While these new proposals are being challenged heavily and are unlikely to be enacted in their entirety as proposed, it is almost certain that increased and more stringent data privacy legislation will arrive. All of this means that the strongly tactical, “bare minimum” approach to compliance in most organisations will have to change. This will present significant challenges.
The Skills Gap
Assuming much of the new regulation arrives intact, there will be an increased privacy-related burden on most businesses employing over 250 staff. Implementing the required privacy solutions will require detailed knowledge, yet the numbers of suitably-skilled privacy professionals in the UK are not sufficient. According to the latest government statistics (BIS-2011), there are approximately 8,500 organisations in the UK with more than 250 employees, employing almost 16 million staff and generating over £17 billion in revenue. Estimates for the number of equivalent full-time privacy professionals are hard to find.
The IAPP (International Association of Privacy Professionals), which is probably the largest association of its type, has only around 900 members within the whole of the European Union. Even assuming they are all UK-based, this would still be only a small fraction of the numbers that will be required to service the likely requirements of UK business under the new laws.
It’s pretty apparent that the number of skilled individuals needs to increase considerably to meet likely future demand - something that is unlikely while privacy and governance roles are often not given the seniority or priority required to deliver strong business processes.
Recent data breaches have done much to build awareness of data security and, to a lesser extent, privacy at board level. However, it’s still unlikely that privacy issues get much, if any, time at the “top table”. Data is beginning to be seen as the important asset that it should be, but current trends for “big data” and increased analytics are being seen as valuable differentiators for business, making privacy issues like data retention very challenging for boards to buy into and promote.
Changes likely within the privacy regulatory landscape require business managers to take more responsibility and provide more resources. Combined with a likely increase in the level and likelihood of financial penalty, this may promote the issue, but perhaps in the wrong way. Enlightened boards will understand that respecting and embracing customer demands for privacy can and will help build loyalty among increasingly fickle customers.
“Privacy by Design” and “Privacy by Default” both require mainstream business processes, such as sales, marketing and product development, to incorporate privacy practice. Currently, this is probably an alien thought to many business managers and only likely to really change with the support and impetus provided by board sponsorship, which in itself is unlikely to change without expert input.
Lack of vision - what does good look like?
Currently it’s pretty hard (even for professionals) to understand what good looks like. There are only a few good examples of current privacy practice - Think Privacy! provides the best template (and is available via the ICO web site) - and probably none that would provide a solid benchmark against the proposed new legislation, leaving privacy professionals with the odious job of translating complex legal requirements into acceptable working practice, with no guarantee that their solutions would pass muster with the ICO.
Without clear measurement and benchmarking, it’s hard for both privacy professionals and senior managers to really understand how to progress and to build compelling arguments for investment and support.
So what needs to change?
Undoubtedly the pool of suitably-qualified, skilled data privacy practitioners is too small. The legal profession and the general business consultancies both help provide skills, but often at high cost, with little long-term involvement, small amounts of knowledge transfer and with conservative interpretations. This leads to a policing approach rather than using privacy as an enabler of the business.
By contrast, skilled privacy professionals will also need to raise their game. The demands of “Privacy by Design” mean helping more mainstream business functions, such as sales and marketing, become privacy-enabled. Increasing that pool of suitably experienced talent will require an increased understanding of the real value of privacy at board level within organisations.
The risks of non-compliance are becoming more evident, but the benefits of clearly articulating the value exchange of data with consumers are still often hidden. Privacy professionals need to become adept at talking about the positive aspects of compliance and building support at high levels – even amongst the more commercial disciplines of business.
In the short to medium-term, businesses will have to adopt more flexible approaches to filling this skills gap, perhaps sharing resources or even outsourcing parts of the process. Building competitive benchmarks, models of good performance and case studies of the successes and benefits of ongoing privacy management will be important. Those businesses that get truly “privacy-enabled” first will become the benchmarks to which others will aspire - and in the process, they will gain customer trust and brand benefits too.
Standardisation has a part to play in this development. Commercial standards for privacy management are few. BS 10012 is a laudable attempt, defining a measurement standard for a personal information management system, or PIMS, but it is only half the story as it doesn’t help businesses actually determine what privacy controls they need. Future standards and commercial models can only help make adoption more straightforward for organisations.
Most importantly, organisations need to fully recognise that privacy requirements and practices need to be incorporated into day-to-day operations and that privacy is not a one-off fix, but is as fundamental to business practice as any other operational process. One day, I really hope that we might see privacy professionals valued by organisations in the same way as finance and legal experts are today - as business enablers, not preventers.