Companies, digital transformation and information privacy: the next steps
A report from The Economist Intelligence Unit
Sponsored by
© The Economist Intelligence Unit Limited 2016

Introduction

The Internet and sovereign privacy laws have been on a collision course for some time now, with growing tensions arising in all jurisdictions. The lack of trust burst into view in October 2015, with the European Court of Justice’s rejection of the Safe Harbour agreement, a set of guidelines that had previously been understood as providing sufficient security for European citizens’ private data to be held in or used by companies in the United States. The ruling about Safe Harbour’s inadequacy and questions about the proposed replacement agreement, Privacy Shield, which had been hammered out by EU and US negotiators, have created a legal limbo and have left companies that do business in the EU uncertain about how to proceed.

Online privacy is not just a subject of transatlantic debate. Concern about these issues is gathering steam around the world, including in Africa, the Middle East and Asia. What happens between Europe and the US, however, will shape the global data-sovereignty debate for years to come—both because of the prominence of the companies headquartered in both places and because the EU is the highest common denominator when it comes to privacy issues. The outcome of the current dispute may even prompt companies to rethink the idea—largely unquestioned in recent years—that holding on to data is an unqualified good.

To build greater understanding of the state of play in the development and navigation of privacy laws, the Economist Intelligence Unit (EIU) conducted in-depth interviews with legal, technical and regulatory subject-matter experts on all sides of the debate. This report explores the challenges that global businesses face when addressing the complex and fluctuating policy environment and offers a set of best practices that companies can follow to meet evolving privacy and security demands.

We would like to thank the following interviewees for their time and valuable contributions to our research:

Giovanni Buttarelli, European data protection supervisor
Martin Fanning, partner and data privacy expert, Dentons
David McCue, senior executive advisor, Xerox
Zoe Strickland, global chief privacy officer, JPMorgan Chase
Jeb Weisman, chief information officer, Children’s Health Fund
Eugene Weitz, general counsel, Americas, at SAI Global
Robin Wilton, director, Trust and Identity team, The Internet Society
Setting the scene

A consumer who reaches the step of agreeing to a new online privacy policy often has an instant of doubt. But most consumers just hold their breath and tap the “Yes, accept” button on the terms and conditions—reasoning that their financial and personal information will be carefully guarded, particularly if they are dealing with a well-respected brand. They may also assume that what they don’t know (as a result of not having carefully read a privacy policy before agreeing to it) probably can’t hurt them.

Companies can’t make the same decision not to engage with the details of privacy. The issues are well known: the ever-growing business benefits of understanding customers better and the huge financial and reputational risks of losing control of the data that allow companies to do so. But there are many more obscure, and no less important, risks as well. Customer records are stored in data centres, often operated by third parties, all around the world, with the centres themselves subject to a range of operational, security and legal risks. In addition, different customers are typically protected by different privacy laws depending on their nationality.

The EU, where consumer privacy is seen as a fundamental right, is moving towards a set of particularly stiff fines for companies that don’t protect customers’ private information, as part of a broad new set of regulations. Within a couple of years, companies not in compliance with European privacy laws will face fines of up to 4% of their global turnover. That’s a staggering amount, putting data privacy penalties on par with antitrust fines in Europe. And even in privacy cases where the penalties are more modest, or there’s no monetary penalty at all—whether because the questionable privacy practice took place in a less-regulated region or wasn’t found to be an actual violation of the law—companies could certainly face significant backlash in other ways. “It’s a PR issue,” said Eugene Weitz, general counsel, Americas, at SAI Global, an Australian company specialising in solutions and services that help manage risk and compliance. “It’s the kind of thing that affects companies up, down and sideways,” Mr Weitz added.

In the last few years, the ubiquity of cloud computing has complicated the challenge for all parties. A government might want to regulate or sanction a company that has suffered a breach or failed to protect its citizens’ private data. But if the company is located outside a country’s boundaries, or if it isn’t clear in what country or region the compromised data are being stored or processed, or on whose servers, regulators can have difficulty taking any sort of corrective action or even determining which laws might apply. Companies themselves are often not much clearer about which jurisdiction’s laws they need to abide by.

“You are constantly weaving through a hotch-potch of different rules and regulations, and they get very, very technical,” said David McCue, an executive advisor to Xerox’s global chief information security officer. He likened it to “the old idea of an information highway”, the difference being that on this highway the laws vary, sometimes confusingly, depending on whose jurisdiction one happens to be in.
GDPR on the horizon: Europe’s evolving regulations

Europe is developing a sweeping new set of rules, embodied in what it is calling the “General Data Protection Regulation” (GDPR), to define how consumer data need to be treated in the EU. In theory, the GDPR—which will cover personal data, including names, photos, e-mail addresses, medical information and posts on social media sites—will make it possible for multinational companies to apply a single privacy policy throughout Europe. But it’s not expected to take effect until 2018. That is a long time to wait for certainty, so many in Europe and the US are hoping for a ratification of Privacy Shield, the transatlantic deal that has been put forward as a near-term replacement for Safe Harbour. “We are all suffering because of the limbo,” Giovanni Buttarelli, the European data protection supervisor, said in an interview in his Brussels office. Mr Buttarelli and others acknowledged that the uncertainty is a particularly big challenge for smaller companies that don’t have a lot of resources to devote to compliance. “We cannot leave thousands of small and medium enterprises in this position for another two or three years,” he said.

According to privacy law experts, companies doing business in the European Economic Area have a few options to remain in compliance. First, they can tell a European consumer how they plan to use and store that consumer’s data in a simplified privacy policy and ask for the user’s consent. Second, they can use “model contracts”, which are European Commission-mandated contractual terms for dealing with European consumers’ data. A third option is to go through a much more elaborate process of developing “Binding Corporate Rules” (BCRs) of their own. BCRs apply to all the processes and policies companies use in all of their operations and must be approved by European regulators. But they have the advantage of being custom-fit to companies’ own processes—not the case with model contracts.

“You have to invest a huge amount of time into BCRs,” said Martin Fanning, a partner and data privacy expert at Dentons, a London-based law firm. “BCRs can take several months to complete but, because they are based on a business’s own governance and policies and involve dialogue with European data regulators, they are regarded by many as the platinum standard for international data transfers within a multinational group.” Mr Fanning added that BCRs “live and breathe with a business as it grows and changes”, a quality that he said makes them more robust than other legal options for international transfers. By contrast, he said, consent can be revoked by an individual, and the EU Commission-approved model contracts can be rigid and in need of regular updating.
The complicated role of technology

The cloud is perhaps the best known, but it is not the only technology that is complicating matters alongside offering business benefits. Since technology has vastly increased the availability of free-flowing personal data, with all the accompanying benefits and problems, it might seem reasonable to ask that technology also provide the necessary solutions. The reality is more challenging. To be sure, an encryption-reinforced file server or database (and the use of other technologies, like tokens and containers) can prevent consumers’ private information from being accessed in the first place or from being compromised if a breach occurs. That can forestall embarrassment and economic losses associated with cases of large-scale credit card theft. However, in the legal environment of the future, security systems that protect data won’t necessarily ensure compliance even if they prevent break-ins.

Increasingly, privacy laws can be interpreted as requiring companies to exercise greater control over data and, in some instances, to follow rules that spell out where data must be located. Companies are having to make multiple decisions and position themselves to be in compliance with laws in many jurisdictions. Doing this successfully will take judgment and global awareness—not attributes that can necessarily be captured by a straightforward technology or software system.

Robin Wilton, technical outreach director for identity and privacy at the Internet Society, an organisation focused on fostering the Internet’s growth and preserving its technical standards, observed that people don’t always recognise the futility of trying to address privacy issues through technology alone. He said the Internet Society sometimes gets calls from people who want it to sponsor the development of a “privacy plug-in”—an idea he considers fanciful—not realising that effective privacy protection is an ecosystem and human-relationship issue before it is a software issue. “It’s that ‘Where’s the instant fix?’ mentality that tends to lead us down the wrong road,” Mr Wilton said.

The deeper people’s backgrounds in technology, the more they tend to understand that a purely digital solution isn’t feasible. As Jeb Weisman, the chief information officer at Children’s Health Fund, a New York nonprofit handling sensitive medical data, put it: “The technology can’t decide what’s private.” Instead, he said, the systems that can help companies with privacy are systems that support governance. “What I see is a set of human expectations that need to be met. And in the case of my organisation or any organisation, they need to be codified. Once they’re codified, then we can use software tools and secondarily security tools. The security tools stop breaches. But the privacy tools help us understand what’s private and manage it.”

To be sure, privacy and security are intertwined—companies can’t safeguard one without investing in the other. Xerox’s Mr McCue underscores this with a warning about how common security breaches are nowadays. “If you went and spoke to any of the national law enforcement agencies, whether in the US or in Europe, they will tell you that, as a whole, companies underestimate how much of their data has been lifted, stolen or compromised,” Mr McCue said. “I have been in meetings where a particular company has said, ‘No, we’re good’, and the law enforcement representative has said, ‘Well, we have a database back at headquarters that shows two terabytes of your inside information that we’ve recovered from someplace on the dark Web. You’ve been hacked and didn’t know it.’”
Looking towards a North Star for regulation

In the future, companies will clearly have to understand the full range of restrictions that different localities have placed on how personal information is used, shared and stored. It’s possible that the EU’s efforts, including with the GDPR, will influence what countries in regions such as Asia and Africa include in their own privacy regulations. If that happens, GDPR may end up providing a sort of specific target that companies worldwide can aim for.

Even today, though, while regulations remain uncertain, a comprehensive and thoughtful online privacy policy can be a selling point in the digitally driven economy. Mr Buttarelli, the European regulator, said he was reminded of this when he made a trip to Silicon Valley last year. Some of the start-ups he visited, instead of treating privacy as an afterthought, were making it a core part of their appeal to customers. He put this in the category of “privacy by design”, an approach to systems engineering that is fast catching on. “I don’t see any dichotomy between privacy and innovation,” Mr Buttarelli added.

As companies seek their own innovative ways to build and maintain value from data despite the confusion of today’s privacy and security regulations, the research suggests that the following approaches will likely help them navigate:

• Know thyself from a privacy perspective. Businesses’ first move should be to do an audit, or mapping exercise, of their data. What data they have, how they are being used, where the data are being used and which third parties might be handling them are all areas a company must know cold. “It takes data mapping of an entire company to understand what the needs and requirements are,” said Mr Weitz, the general counsel, Americas, at SAI Global.

• Build a cross-functional privacy team. By definition, a company is going to have some competing interests on privacy. The general counsel is primarily going to be concerned about protecting the company from litigation, the chief information officer about preventing security breaches, the chief marketing officer about increasing sales. The privacy function of a company can only identify the right trade-offs if it includes some individuals who can parse regulations; other individuals who understand data and technology; and still others who possess a strong knowledge of the business.

• Get rid of unneeded data. In this era of the cloud, digital information and customer records have become so cheap to hold on to that many companies do so as a matter of course. This is partly a reflection of the fashion for “big data” and the sense, as CIO Dr Weisman puts it, “that the insight is just around the corner”. In fact, a lot of old customer records are “toxic data assets”, Dr Weisman said, quoting Bruce Schneier, the cryptographer and widely followed blogger. Many privacy experts advocate “data minimalisation”—having the discipline to keep only the data you need.

• Find the right partners. Almost every company these days has at least some customer data stored on third-party cloud databases. “You are dependent on these companies and the services they provide to include a level of protection for your data,” said Mr McCue, an executive advisor at Xerox. As a consequence, companies should “look for vendors with very strong capabilities in the protection of data stored with them”, he said. Finding such companies is likely to become easier in the future, as part of the GDPR will require IT vendors that previously bore no direct responsibility for privacy to comply with data protection laws.

• Apply the “function before form” principle to your privacy initiatives. To date, the obligatory nature of how companies deal with privacy has been evident in the checklists of their policies. Consumers click impatiently through the policies because it’s clear from the way they are presented that they contain nothing of interest. This isn’t the way to do it. Long, complicated policy explanations aren’t integral to protecting consumers’ personal information. They don’t make anyone feel more comfortable. Something simpler and more functional may well work better.

No matter what happens with Privacy Shield and the GDPR, the global privacy story won’t be finished. There will be other twists, perhaps influenced by developments in regions outside the EU and US. For now, companies need flexibility in their approach and options that meet different requirements in different jurisdictions. They have to find ways to be in compliance despite the regulatory uncertainty. The costs of not doing so are simply too great.
Whilst every effort has been taken to verify the accuracy of this information, neither The Economist Intelligence Unit Ltd. nor the sponsor of this report can accept any responsibility or liability for reliance by any person on this report or any of the information, opinions or conclusions set out in the report.

Cover: Shutterstock
London
20 Cabot Square
London
E14 4QW
United Kingdom
Tel: (44.20) 7576 8000
Fax: (44.20) 7576 8476
E-mail: london@eiu.com
New York
750 Third Avenue
5th Floor
New York, NY 10017
United States
Tel: (1.212) 554 0600
Fax: (1.212) 586 0248
E-mail: newyork@eiu.com
Hong Kong
1301 Cityplaza Four
12 Taikoo Wan Road
Taikoo Shing
Hong Kong
Tel: (852) 2585 3888
Fax: (852) 2802 7638
E-mail: hongkong@eiu.com
Geneva
Boulevard des
Tranchées 16
1206 Geneva
Switzerland
Tel: (41) 22 566 2470
Fax: (41) 22 346 93 47
E-mail: geneva@eiu.com