When I work with clients to build their privacy programs, one of my first questions is, “What’s your privacy philosophy?”
Most often, the response is, “Isn’t that what we hired you for?”
OK, so I walked right into that one.
I ask because even if you haven’t previously called it “privacy,” you’ve likely already developed a privacy philosophy. It shows up in the design and practices already built into your services and applications.
So, what does a privacy philosophy look like?
As a starting point, I like Jaap-Henk Hoepman’s description of three privacy paradigms:
- “Soft privacy,” which achieves privacy through increased controls available to data subjects (in the B2B context, these may be controls available to your customers for managing end-user privacy)
- “Hard privacy,” which achieves privacy through restrictions the company applies to itself, above all collecting and retaining less data, so that data subjects do not have to rely on its good conduct
- “Contextual privacy,” which is the “in-between,” varying the approach based on the context
In conjunction with assessing the paradigms, I encourage companies to think about their privacy program’s goal. Again, this can be a strange question to answer. Most companies will jump straight to “compliance with X or Y law.”
And there’s nothing wrong with that. A stated goal, even a narrow one, is what guides later decision-making.
One final question that deserves an honest answer is, “who does our privacy program benefit?” And while many would reflexively say that it benefits consumers, this is not always a realistic response.
Again, honesty is the goal here. The true beneficiaries may be investors or business partners. Each will have different expectations for a privacy program.
Risk3sixty’s privacy program
As one example, risk3sixty has defined its privacy philosophy as such:
To act as a data fiduciary in that risk3sixty will exercise the duties of care, loyalty, and confidentiality with respect to the data it collects and to utilize data only when it is in the best interest of the consumer.
When we wrote this philosophy, we wanted to make it abundantly clear that our goal is to serve not just our customers but any consumers whose data we may hold.
Putting it into practice
Now, let’s examine three common privacy decision points and how each paradigm might approach them.
The additional clarifying questions asked in the first section help build a thorough approach to addressing risks. When examining data collection, for example, a program that prioritizes end-user privacy will assess its legitimate interests differently from one that focuses on partner enablement. The preferred paradigm then guides which control strategies are applied to support that collection.
Defining a privacy philosophy will help you make consistent decisions around privacy. It is also a great method to establish a collective understanding across the organization of how to approach privacy from the earliest stages of potential change in the business.
Want to hear more? Contact us.