In an increasingly information-driven world, the question of how to protect that information in the name of privacy has risen to the top of the corporate agenda. Lynd Morley talks to Toby Stevens, managing director of EPG, about the privacy issues affecting business today.
The issues surrounding the privacy of personal information in business are fast moving up the corporate agenda, as organisations begin to recognise that they are caught in a web of rules and regulations at both national and international levels. Understanding and applying the regulations correctly are now as vital to a company's commercial survival as guaranteeing the security of information systems or adhering to correct accounting procedures have become over the past decade.
"Privacy is recognised as one of the key elements of good corporate governance," explains Toby Stevens, managing director of the Enterprise Privacy Group. "Corporate social responsibility demands that you show respect for personal data."
Stevens, who established EPG with Simon Davies – widely acknowledged as one of the foremost privacy experts in the world, and founder of the watchdog group Privacy International – also points out that every commercial relationship is built on trust. "If you misuse someone's personal information, you can destroy that trust instantly. Your customers and employees may forgive an accidental security failure, but they will not forget an abuse of their personal privacy, regardless of the cause."
The post-Enron emphasis on faultless corporate governance, heightened public awareness of privacy issues, and a growing culture of litigation are all contributing to a very real need for organisations, in both the private and public sectors, to understand and implement the privacy requirements being placed upon them.
In the wake of such developments as the introduction of new anti-terrorist legislation across the world, and – specifically in the UK – the forthcoming introduction of ID cards, images of a Big Brother society are beginning to loom in the public consciousness. As a result, organisations are having to respond to privacy concerns, much as they did to the information security concerns that emerged in force during the 90s. A decade ago, information security was still viewed as a drain on the bottom line by most businesses – an optional, value-added service. With the growth of the Internet, the increased public consciousness of hacking, and some high profile security incidents, most companies realised that they had to start offering security, no longer as an optional extra or differentiator, but as a commodity. Indeed, they recognised that they would lose customers if security were not integrated into every aspect of their products and services.
Stevens points out that over the past few years there has been a similar growth in public awareness of how personal data is managed – prompted, in part, by the introduction of EU legislation on privacy.
"Europe has absolutely led the way in this field, with a very strong cultural concept that your personal data is private, and that you have the right to control who sees it, who handles it, what they do with it," he explains. "In the late 80s that concept was translated into the EU Data Protection Directive, and companies were given the burden of actually having to be accountable for how they handled personal data. Back then, most of them saw it as something of an irritation, and couldn't see any commercial value in compliance. Quite often, data protection was fobbed off onto security departments, or junior management, because it was seen as a purely regulatory and legal compliance issue. The attitude was: 'We'll do the bare minimum we need to, and then we'll forget about it'. But this is rarely effective: security professionals are worried about hackers or disgruntled employees, but the biggest privacy threat can come from your best customer or most loyal member of staff. The privacy manager requires a different mindset to the security manager."
Stevens believes that organisations are now becoming all too aware of the fact that, not only is there a considerably heightened awareness of privacy issues among the consuming public – who will no longer accept privacy of information simply as an optional extra – but that there is also a move in Europe towards the US model, where the growth of privacy legislation has been driven by litigation. US organisations are obliged to consider the possible litigation arising from any privacy incident, and this has created a culture of respect for privacy, since it directly impacts the organisation's bottom line. The litigation-driven approach has also created a diverse range of laws to address very specific privacy problems, despite the absence of an equivalent to the EU Data Protection Directive.
The US Video Privacy Protection Act, for instance, was passed by Congress in the wake of the controversy that arose when Judge Robert Bork's video rental records were released during hearings into his Supreme Court nomination. The Act forbids a video rental or sales outlet from disclosing information about which tapes a person borrows or buys, or releasing other personally identifiable information without the informed, written consent of the customer. The Act also allows consumers to sue for damages if they are harmed by any violations of the Act.
But even without possible legal ramifications, Stevens is adamant that, in the information society, proper handling of personal data will become one of the major factors for any client deciding to whom he or she is prepared to divulge personal information.
"Every business handles information, but particularly in the business to consumer environment any company that does not respect personal information will, sooner or later, come unstuck. Not necessarily as a result of legal action, but purely at a commercial level. People simply won't hand over their data."
EPG, whose brief is to understand best practice in privacy management and help its clients implement it successfully, is currently working, for example, with a central UK government department to assess its compliance with data protection legislation. EPG is also working with a leading management and systems consulting firm to consider issues arising from the use of Radio Frequency Identification (RFID) tags on pharmaceutical products.
Understanding the detail
Stevens, whose experience spans over 15 years in the management of corporate security and privacy projects, explains that the problem for business now is in understanding the detail, as well as the principles, of handling personal data.
"This can be any personal data," he stresses. "It's not just your customer database, your marketing list, or your employee information. It is anything that can be linked back to an individual in any way. Even if you strip someone's name away from the data, as long as there's still an identifier such as a telephone number, it's personal data.
"I've worked with a great many large organisations – some of them huge – which had absolutely no central control over privacy or data protection," he continues. "I spoke to a wealth of companies who said that they simply had no idea what they were meant to be doing, or who was responsible for doing it.
"The problem with privacy, from a legal perspective, is that every country's requirements are different. Even within the confines of the EU Data Protection Directive, each country has interpreted the law differently. In Spain, for instance, they define the levels of encryption and the types of password to be used to protect different types of personal data, whereas the UK was recently criticised by the EC for deficiencies in its interpretation of the Directive.
"For an international company trying to operate across borders – and the hardest of those borders is the Atlantic – the challenge is in constantly trying to keep up with the legislation, interpret it and then implement it."
He goes on to point out that, in the US in particular, we are now seeing the emergence of the corporate privacy officer – an individual who is dedicated exclusively to working on privacy issues, and reports to a very senior level of management. Microsoft is one example of an organisation using this approach in Europe, publicly demonstrating their commitment to data protection issues with the appointment of a highly respected privacy specialist as the company's EMEA corporate privacy strategist.
Microsoft's approach is to provide a focal point for privacy issues – a 'champion' – who will both advise the organisation's staff and work with third parties to help them resolve and avoid privacy problems. EPG aims to fulfil a similar role for clients.
"By understanding and establishing best practice, we aim to move privacy management away from being a compliance-driven process, and help our members to take control of the issues proactively. They will then no longer have to play catch-up with their obligations in whichever country they are operating," Stevens explains. "If we can give them an effective infrastructure, and the skills they need, they will be able to turn privacy into a business enabler."
Lynd Morley is editor of European Communications