Modern Enterprise – Stewards of Personal Data

Privacy has been rising in the mindset of users lately. More than something abstract, it is having demonstrable and direct economic effects.

For example, according to a recent survey published by Forrester, 43% of US consumers are likely to cancel an online transaction if they read something in the privacy policy that they don't like.

This shows consumers as well as businesses are becoming increasingly concerned about how their private data is being used by others, and enterprises are going to have to learn how to deal with this concern.

Of course, there is the rise of regulatory efforts such as the EU's GDPR to consider as well. Indeed, Article 8 of the EU Charter of Fundamental Rights says, "Everyone has the right to the protection of personal data concerning him or her."

The Internet Society (the organizational home of the Internet Engineering Task Force) with more than 95,000 individual members has now weighed in on the topic. It published last week its Privacy Code of Conduct outlining the nine steps that it thinks all companies should implement to assure data privacy.

The first step is to Become Data Stewards. "Act as custodians of users' personal data -- protect the data, not just out of business necessity, but on behalf of the people who have trusted you with it." This elucidates both the sociological and business imperatives of privacy.

The other eight steps include:

Be accountable
Transparency is needed about privacy including establishing safeguards for handling personal data and showing they are being enforced. Should something goes wrong, companies should be transparent about what happened as well as doing their best to contain the harm.

Stop using user consent to excuse bad practices
Users need relevant information about how their personal data is being collected, used and shared.

Provide user-friendly privacy information
Companies should not rely on user consent to justify their data handling practices. "Shrinkwrap" consent isn't good enough anymore.

Give people control of their privacy
People should be in control of what data they share, and when.

Respect the context in which personal data is shared
People should be able to see when and how their data is being used. Privacy must be the default, not some optional extra that is added on.

Protect "anonymized" data as if it were personal data
The data is could be re-identified or used to single out particular individuals.

Encourage privacy researchers to highlight privacy weaknesses, risks or violations
Experts can help to establish an open, transparent process for responsible disclosure.

Set privacy standards above and beyond what the law requires
Getting ahead of just fulfilling current requirements makes sure that the enterprise will be able to help shape the dialogue that will occur in the future.

While these steps are not guaranteed to be the entire answer to fulfilling regulatory requirements, any business that embraces them will find meeting such regulations to be far more doable than they might have been if the IS advice is ignored.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.