January 1, 2002

Is Privacy No Longer a Priority?

Businesses aiming to succeed must not wait for laws to define how they will treat consumers and their personal information

By Kristin Valente

The American public has long been concerned with the issue of privacy. Often viewed as an inalienable right to be left alone, privacy gets the attention of the most liberal to the most conservative among us. The September 11th terrorist attacks have refocused American priorities on the safety of its citizens. The idea that privacy could be exchanged for personal security became tangible to the public as the search for those responsible for the attacks unfolded. Not quite a month later, FTC Chairman Timothy Muris announced the Commission's plan for increased attention to privacy as a central part of its consumer protection mission. But specific privacy legislation wasn't as big a part of the plan as had been previously suggested by other FTC commissioners. Businesses are now left wondering — is the privacy issue gone?

If consumers are more concerned with personal safety than personal privacy, is there a business case to continue to invest in privacy protection? As businesses await overall economic recovery, this is a valid question. Cash is at a premium and needs to be invested wisely. Market winners will be focused on just that — the market and their consumers. Winners will be those businesses that master the art of delighting the consumer. And although consumers may be amenable to sharing their personal information with government agencies searching for terrorists, they're still very often offended or at least surprised to learn that many other entities share their information for profit.

The new FTC privacy agenda highlights many of these consumer concerns such as telemarketing, spam, and identity theft. And although it doesn't go so far as to call for specific legislation, the agenda does provide businesses seeking to be winners a roadmap of what is likely to be on the privacy horizon — increased enforcement of existing laws; increased scrutiny of privacy policies and supporting practices; and increased FTC resources to act upon consumer concerns and deceptive privacy practices. The privacy agenda clearly seeks to broaden the FTC's focus on privacy investigations and consumer protection activities well beyond the online world. This can become quite troublesome for those businesses that have focused only on Internet-based privacy policies and practices.

WINNING PHILOSOPHY

Leading companies and those seeking to be winners in the economic recovery are taking a proactive, robust, and holistic approach to privacy. Leaders treat the personally identifiable information collected from consumers and employees as a strategic asset. Forward-thinking companies invest in and maintain the processes for this data's collection, protection, and destruction as critical infrastructure processes. Leaders are active in their communication of their privacy policies and practices and are focused on communicating their trustworthiness to their stakeholders as a matter of brand image and demonstrated leadership. Absent specific legislation or requirements, leaders use the following principles to navigate their privacy course.

Balance value and risk. Although every company has a responsibility to maximize value for its stakeholders, leaders balance that desire against the need to manage risk. New and emerging business models are often energized by rich, personally identifiable information. Leaders evaluate these new endeavors in the context of privacy-related risks to determine whether the model is viable.

A hallmark of leading organizations is their ability to link their privacy posture directly to their business strategy through aligned and relevant organization structures and business processes that focus on the customer experience. Successful implementation of a privacy policy will occur through understanding privacy risks throughout the organization and focusing on those posing the greatest threat to your business strategy or the greatest opportunity to support your business strategy.

Develop consumer needs-based policies. Leading companies develop privacy policies that reflect their corporate philosophies, business models, and the needs of their target market. They understand what kinds of information they are collecting, how they use such information, how they share it, and whether they really need it. They benchmark these policies not only against industry-specific laws but also against accepted fair information principles and any self-regulation programs that the company has pledged to meet. Leaders design their policies and practices to attract and retain consumers, not just meet minimum compliance requirements.

Leading organizations don't limit their privacy concerns to consumers, rather they demonstrate their concern for privacy to each of their employees in a manner consistent with the high regard they hold for their consumers. In order for global human resource initiatives to be successful, companies need to address the privacy implications for collecting, transferring, processing, storing, and destroying employee data. Employees need to be afforded the same privacy considerations as consumers: notice, choice, access, and security. Organizations need to develop policies and processes to manage these privacy considerations and ensure that employees have confidence in these processes in order to enable efficient global processes and employee data management.

Implement the necessary enabling infrastructure. Leading companies understand that a privacy policy is only as good as its supporting infrastructure. After companies establish a privacy policy, they deploy an appropriate infrastructure across the enterprise — people, processes, and technologies — to maintain and enforce their privacy policies on an ongoing basis. Leaders implement these three essential components as the foundation of their privacy solution.

Leading organizations incorporate privacy into the fabric of their business processes and tactical operations. Businesses engage in continuous efforts to develop procedures, processes, and ongoing programs to accomplish privacy objectives. And these efforts don't stop at the company's walls. They extend to business partners, service providers, and others who must also uphold the privacy promises in the policy.

Communicate commitment and create internal compliance mechanisms. Once leading companies create policies and implement the necessary infrastructure, they take actions to communicate their commitment to comply with those policies — both internally and externally. Internally, they ensure that all employees understand and follow the requirements of the organization's privacy policies. As business units reorganize, adopt new technologies, or face new regulations, they update their privacy policies and make compliance a business imperative. Externally, leaders communicate their commitment to privacy policies by prominently posting them, joining industry self-regulatory programs, and working with government agencies.

Empower an executive sponsor. Leading organizations understand that sponsorship and communication of privacy policies must come from corporate leadership. They empower a chief privacy officer or other dedicated official to develop and oversee internal compliance processes that ensure privacy is an important part of the company's operating strategies. Chief privacy officers are also responsible for enhancing external stakeholder communication of the enterprise's commitment to privacy.

Prove trustworthiness through robust, independent verification. Leading companies earn consumers' trust by engaging independent third parties to audit their compliance with stated privacy policies. They recognize that consumers' trust isn't built by merely promising to be in compliance. These leading organizations understand that trust is accelerated when auditors routinely test their policies, technologies, and processes to prove companies are doing as they say.

Rate This Article Rating: 1 (best) 2 3 4 5 (worst) Comments: Optional e-mail address:

Leading organizations also recognize the value of proving that they do as they say. Leaders leverage independent third parties to verify and proactively communicate their investment and proof of their leading privacy practices to their stakeholders. They earn independent verification reports to further the trustworthiness and credibility of their brand. And they value the rigor of the ongoing examination process to build discipline around the privacy program.

Clearly, the privacy issue isn't gone. Neither is the threat of privacy legislation. But businesses aiming to be winners aren't going to wait for laws to define how they'll treat consumers and their personal information. They already know that to win they must define their business strategies and privacy policies with the goal of delighting the consumer instead of minimally complying with laws and regulations.

Kristin Valente is a partner in the Innovative Solutions Group of Ernst & Young LLP's Assurance and Advisory Business Services Practice. She is responsible for the global acceleration of Innovative Assurance Solutions that solve complex client needs such as Internet privacy and security, media measurement, regulatory and contractual compliance, and other business trust needs.

• Privacy
• Your California Privacy Rights
• Copyright © 2008 United Business Media LLC