Privacy risk management in the information economy

Consumer concerns about the security of personal information makes privacy risk management a critical aspect of business practice today.

The growth of electronic business has brought forth increasing concerns about protecting the vast amounts of personal information collected and used in the transactions that drive business today. Consumers are concerned about how their information will be used, how it is protected, what process is in place that will allow them to correct erroneous information, who this information will be shared with, and who will have access to this information.

Privacy rights are considered to be, by definition, personal. Personal data are recorded information relating to an identifiable individual, which are organized such that they can be processed or retrieved. Such information includes, but is not limited to, a person's name, telephone number, address, age, occupation, marital status, salary and financial status, religious belief, nationality, credit card numbers, identity card numbers, medical records and employment records.

People simply will not post their personal information on the internet unless they receive some assurance that an entity has proper controls and related privacy disclosures. Without proper controls and proper related disclosure, consumers may choose to do business at another web site where there are appropriate controls.

But assuring privacy anywhere is no longer a simple matter. Years of technological advancement have steadily diminished our zones of personal space. It is now possible to know virtually everything about someone. The question is no longer, "Can we get the information?" Rather, we are asking, "Should we be allowed to gather the information that technology will allow?" And further, "How should we be allowed to use the information we do gather?"

We are on the horns of a dilemma: the vastness of modern databases combined with the aid of instant access threatens to eliminate privacy completely – but that very information is key to realizing the immense potential of e-business.

From human resource systems management to marketing and tracking customer data, managing privacy risk has become a critical aspect of business practice. Failure to respond effectively to privacy issues and risks can result in adverse consequences that range from outright market rejection, to regulatory enforcement action, to loss of data flow, or to costly litigation.

Privacy issues drive or drag the information economy. Without privacy protections there will be no consumer confidence in e-business. So, how can an entity effectively manage its privacy risks?

A systematic approach to privacy risk management should be adopted by your entity to assist the e-business efforts in realizing the full benefits of online commerce. There are three major steps that must be undertaken.

First, develop a privacy policy. In developing a privacy policy you need to consider a number of factors: what customer information needs to collect and the appropriate uses of that information; your current and future business needs; and resources required to comply with its privacy policy statement. The policy must also be flexible in order to provide for strategic changes (such as additional services or mergers). Policies should govern personal data gathered from an individual online, via mail-in forms or faxes, or over the telephone. At a minimum, your entity would need to inform consumers of the following:


  • What information is collected about a user;


  • How information about a user is collected and used;


  • If and how information collected about a user is shared;


  • How a user can control the information collected about the user; and


  • Security measures to protect the security and integrity of personal information collected.

You should avoid cookie-cutter policies or marketing fluff pieces as they are unlikely to meet your needs.

Here in Hong Kong, you should also compare your privacy policy and practices to the Hong Kong Personal Data (Privacy) Ordinance to ensure compliance. It may also be worthwhile to research what your competitors have. Are there gaps in competitor practices that you can avoid, or exploit, to gain an advantage? What privacy failures have occurred in the industry and what are consumer protection groups and privacy advocates saying on the issues? Companies may wish to avoid setting the privacy bar too high. For instance, a policy so strict that it permits no information sharing may prove to be anti-competitive.

Simply having a privacy policy is not enough. The second step is to ensure that your company adheres and is seen to adhere to the privacy policy. A major challenge is making sure your systems and controls can support compliance with your privacy goals. Systems for collecting, transmitting, storing, and sharing information all must be appropriately set up and configured to ensure that you keep your privacy promises. Investing upfront in systems requirements, processes and operational procedures reduces the likelihood of costly changes later.

The third step is to communicate the privacy policy throughout your organization through training and awareness initiative. Employees, contractors, and outsourcers must understand the issues it addresses and be able to comply with the privacy policy on an ongoing basis. Privacy policies and practices must be in place before companies can actually reap the rewards of electronic commerce.

A good privacy policy tells your customers that you value and respect them. An empowered customer who has choices and trusts your company’s practices is more likely to purchase more goods and services and remain open to the benefits of sharing valuable personal information on preferences and usage habits. Ultimately, establishing a good privacy policy affirms the large investment made by your entity to establish and continue to protect your brand and reputation.

Privacy is an emotive ethical issue as much as it is a regulatory and legal concern; hence, an entity also needs to consider the implication of its privacy practices and policies from this perspective. Proactively addressing this issue can be used for competitive advantage in the information economy by building consumer trust. Consumers have shown a desire to enter cyber markets if they have assurances that their privacy will be respected. Companies who can give those assurances and back up their privacy promises with transparent and independent trusted third party verification will engage the greater portion of the market.

As complex as problems of privacy have become, the core issue remains the same: trust. Central to all is the basic perception that consumer confidence will increase proportionally to the degree that e-business entities develop and embrace policies and procedures designed to effectively manage privacy risk and be seen to do so.

Andrew Watkins, partner, Global Risk Management Solutions, PricewaterhouseCoopers. Email: [email protected]

Jennifer Ho, senior manager, Global Risk Management Solutions, PricewaterhouseCoopers. Email: [email protected]

Share our publication on social media
Share our publication on social media