In a recent article published in Harvard Business Review, I discussed the growing capabilities of analytics technologies, and the need to be conscious of the privacy implications that accompany them. Though I believe the piece to be of general interest, it also offered focused advice for a management audience. Now, I would like to take a step back and expand the data privacy conversation, as well as provide some insight for the executive level.
Decoding Data Privacy
When I published the initial article, several of my colleagues responded that they believe data created at work necessarily cannot constitute personal information, and therefore belongs solely to the employer. Though I may have at one point agreed with this statement, my thinking has shifted in recent years. The influx of new data sources has given rise to more personal data being created—at work, at home, everywhere—while it simultaneously becomes harder to separate personal data from corporate data. In light of these changes, it could be time we rethink what privacy in the workplace really means.
In a corporate context, some might define privacy as meaning no organizational knowledge of sensitive, personal information. Due to regulatory and legal requirements to collect and preserve data, and the increasing rate at which such data is created, this is quickly becoming unrealistic. Do organizations then do their best to ignore this data, until it’s needed by Legal or Compliance? In today’s age, turning a blind eye to sensitive information and pretending it doesn’t exist is akin to the philosophy of “see no evil, hear no evil, speak no evil”: The problem is that just because sensitive information goes untouched, doesn’t necessarily remove any or all privacy concerns.
Because it’s near impossible for us to keep personal data out of the organizational reach, more reasonably, modern privacy might simply come to mean that personal data cannot be improperly utilized, processed, or accessed. Although counterintuitive, in order for this type of system to work, an organization must have complete command over its data. In other words, rather than knowing as little as possible, this new information governance approach seeks to know more in order to exert control over data.
The following insight highlights this paradox: The CIA’s system of managing classified information could arguably be very intrusive because of the oftentimes private nature of the content it manages, and the expansiveness of its reach. However, thanks to classification schemes and access privileges, data can only be accessed for its intended purposes, thus ensuring privacy is maintained.
Privacy by Design
Although it can be extremely effective, the governance approach to privacy is easier said than done. Privacy can’t just be an afterthought. It must be instituted by design, at the architectural level of an organization’s information strategy.
Before going down this path, organizations should consider convening an information governance committee to determine what kind of compliance and ethical values they want the latest information technologies to usher in. The committee can help define corporate policies on gathering, handling, managing and analyzing what is perhaps the most significant asset of the modern enterprise: information.
Concurrently, begin internal assessments of employee values on privacy, ethics, and fair use of data. You may need to account for significant cultural and regulatory variations across different regions and countries. Such findings can then inform and guide the information governance committee in creating policies down the line.
The Road Ahead
When I published the original article in Harvard Business Review, I hoped to jumpstart the information privacy conversation. When compared to Europe, it’s hard to ignore the fact that the U.S. perspective towards privacy is less developed. However, with data growth only increasing, and new ways to track, monitor, and analyze individuals springing up all the time, it’s a conversation that’s getting harder to avoid, within living rooms and boardrooms alike.
These reasons alone might not be enough to get the U.S to rethink privacy. But if money talks, fines of up to 4% of global sales should be at least enough to get the ball rolling once the GDPR hits next May. Let’s just hope that for companies who wait until then to start planning, it’s not too little, too late.