Hi both -
This (emboldened, below) is also the reasoning behind the ethical data handling (EDH) work I'm doing in ISOC at the moment.
My aim is to increase stakeholders' focus on EDH by providing rationales and practical guidance throughout the product/data lifecycle.
Obviously, data subjects ought to like the idea, because it is likely to respect their interests more than the status quo does.
It's trickier to build a compelling case for corporates to adopt EDH (for the reason John suggests below) - but I think there are possibilities:
- stating ethical principles externally gives customers and potential customers an indication of good faith - which should have a reputational pay-off for the business;
- setting ethical principles internally should help foster a culture of ethical behaviour, which is nice and cuddly, but it should also have the consequence of making compliance easier to achieve and demonstrate. That's a hypothesis, but I propose it because I think people behave better when they buy into the reasons for their behaviour... and "because it's in line with our respect for the customer" is a more powerful motivator than "because I have to tick these compliance boxes". (In terms of the layers I described earlier, it builds a stronger link between stated principles and actual behaviour).
If the corporate is both respecting the customer and finding compliance easier to achieve, I believe it is more likely to be effectively mitigating privacy risk, too.
As I say, making this compelling for corporates is one of the tricky bits: if anyone has other ideas/suggestions about building the business case (or building the case for non-commercial data controllers, of course!), please please let me know... I'll be speaking on this at CIS New Orleans, University of Vienna, OIX Rome, EWTI Vienna, etc., and you will get full attribution for any contributions!! (That's naked bribery, I know, but who said I was proud?) ;^)
Best wishes,
Robin
On Thu, May 5, 2016, at 10:55 PM, John Wunderlich wrote:
Criticizing corporations for focusing on compliance and managing liability is kinda like critiquing a lion for being a carnivore. I take your point, but the solution involves citizen/customer/patient activism to change the context - like patient privacy rights is doing.
But in the meantime, some corporations and some individuals in corporations want to do the right thing, and should be supported. I don't want to abandon the field just yet.
On Thursday, 5 May 2016, Adrian Gropper <agropper@healthurl.com> wrote:
I find articles like this and most of what IAPP stands for deeply upsetting. Everything is from the perspective of the institution, mostly compliance. There is not a single mention of the subject's perspective, much less sympathy.
My guess is that 90% of Privacy Notices are 90% identical to the Staples example. Why isn't anyone calling for privacy notices to be standardized - with exceptions for the 10% that might be actually interesting or differentiating? Because of IAPP and the entire mini-industry that lives off surveillance capitalism.
Shameful.
Adrian
On Thursday, May 5, 2016, John Wunderlich <john@wunderlich.ca> wrote:
+1 Robin
And your list's order correctly, I think, captures the inverse relationship between operational privacy and privacy theatre.
On Thursday, 5 May 2016, Robin Wilton <racingsnake@fastmail.fm> wrote:
+1
Ian Glazer and I wrote about this in our Gartner days (so the results are hidden behind the Gartner paywall, regrettably...).
However, a similar discussion surfaced at the ethical data-handling workshop I ran last Friday, and we distinguished between the following layers:
- Privacy policy statement (= privacy notice, as defined here): the outward-facing doc saying what you want customers to hear.
- Privacy policy: the internal statement of what the organisation thinks it should do
- Business process: the internal statement of what the organisation thinks it does
- Actual behaviour
R