Conflicting Interests Pose Huge Challenge To Privacy Policies

Tensions between stakeholders make consensus-building a challenge, study says

Tim Wilson, Editor in Chief, Dark Reading, Contributor

November 7, 2008


Building a privacy policy in a large organization would be easy -- if there weren't so doggone many people involved.

That's the gist of a new study on privacy policy development published last month by researchers at Hewlett-Packard. The study documents the group dynamics involved in creating a corporate privacy policy, and how tensions between the various stakeholders make it difficult to reach a consensus on what is best for the company.

"The various stakeholders do not form a coherent system, and their needs, wishes, and capabilities/constraints are highly diverse," the paper says. "This diversity leads to many tensions" because different members of an organization have different ideas on how a privacy policy can serve the organization.

For example, the chief privacy officer (CPO) in most organizations is tasked with looking out for the welfare of customers and ordinary citizens. When it comes to collecting personal data, the CPO's inclination is to collect as little data as possible. "On the other hand," the paper says, "marketing organizations like to collect and store as much [customer and prospect data] as possible -- and furthermore, repurpose the information when new marketing and sales campaigns are considered."

Such diametrically opposed positions make it very difficult to build a privacy policy through consensus among stakeholders, the paper observes. The CPO and the marketing organization can each legitimately argue that their position is best for the company, yet the two positions cannot both be adopted. How does the company decide which one its privacy policy should reflect?

Similar tension occurs between an enterprise's CIO, whose responsibility is technology, and the CPO, who may not have a technical background, the paper notes. "The CPO is often confronted with a CIO's legitimate inability to implement privacy policies due to a lack of proper privacy-enabling technology, the expense and complexity of implementing privacy policies, and the resulting fragility of current application frameworks," the report states.

In essence, this means that even if the CPO succeeds in building consensus on the company's best interests, the resulting policy may not be enforceable, because the privacy-enabling technology is immature or there is no budget to deploy it, the report says. A policy the company cannot technically enforce is a statement of intent, not a control.

In some cases, the tensions between stakeholders may be outside the CPO's control, according to the HP researchers. For example, customers and private citizens may be at odds with marketing organizations that share their data with others or that don't make privacy policies clear.

"[The] problem occurs when marketing managers purchase lists from third parties or from their advertising agents," the report states. "Customers in the marketer's database may have opted out, yet still be sent unwanted material via the third party on behalf of the originating party. Customers view this as spam and are provoked by their inability to make an opt-out 'stick.'"

And the tensions go on. The legal department generally believes the company should collect and store as little personal information as possible; marketing generally wants to collect as much data as possible; CPOs seek to keep data available, but private; CSOs often feel that any breach could cost them their jobs; enterprises and citizens seek to keep personal data private; and law enforcement agencies need personal data to investigate and prosecute crimes.

How can companies resolve so many conflicting views and create a single privacy policy? The report doesn't offer an easy answer, but it does encourage privacy policy developers to understand the motivations of each stakeholder, and to focus on the needs of those stakeholders who will most likely be affected by the resulting policy.

"Products that appeal to a CPO, CSO, and the corporate legal department -- and which support the goals of citizens and law enforcement agencies -- have the best chance for success," the report states.


About the Author(s)

Tim Wilson, Editor in Chief, Dark Reading

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one of the top cyber security journalists in the US in voting among his peers, conducted by the SANS Institute. In 2011 he was named one of the 50 Most Powerful Voices in Security by SYS-CON Media.
