The growth of electronic business has brought forth increasing concerns about protecting the vast amounts of personal information collected and used in the transactions that drive business today. Consumers are concerned about how their information will be used, how it is protected, what process is in place that will allow them to correct erroneous information, who this information will be shared with, and who will have access to this information.
Privacy rights are considered to be, by definition, personal. Personal data are recorded information relating to an identifiable individual, which are organized such that they can be processed or retrieved. Such information includes, but is not limited to, a person's name, telephone number, address, age, occupation, marital status, salary and financial status, religious belief, nationality, credit card numbers, identity card numbers, medical records and employment records.
People simply will not post their personal information on the internet unless they receive some assurance that an entity has proper controls and related privacy disclosures. Without proper controls and proper related disclosure, consumers may choose to do business at another web site where there are appropriate controls.
But assuring privacy anywhere is no longer a simple matter. Years of technological advancement have steadily diminished our zones of personal space. It is now possible to know virtually everything about someone. The question is no longer, "Can we get the information?" Rather, we are asking, "Should we be allowed to gather the information that technology will allow?" And further, "How should we be allowed to use the information we do gather?"
We are on the horns of a dilemma: the vastness of modern databases, combined with instant access, threatens to eliminate privacy completely, but that very information is key to realizing the immense potential of e-business.
From human resource systems management to marketing and tracking customer data, managing privacy risk has become a critical aspect of business practice. Failure to respond effectively to privacy issues and risks can result in adverse consequences that range from outright market rejection, to regulatory enforcement action, to loss of data flow, or to costly litigation.
Privacy issues drive or drag the information economy. Without privacy protections there will be no consumer confidence in e-business. So, how can an entity effectively manage its privacy risks?
A systematic approach to privacy risk management should be adopted by your entity to assist the e-business efforts in realizing the full benefits of online commerce. There are three major steps that must be undertaken.
- What information is collected about a user;
- How information about a user is collected and used;
- If and how information collected about a user is shared;
- How a user can control the information collected about the user; and
- Security measures to protect the security and integrity of personal information collected.
You should avoid cookie-cutter policies or marketing fluff pieces as they are unlikely to meet your needs.
Privacy is an emotive ethical issue as much as it is a regulatory and legal concern; hence, an entity also needs to consider the implications of its privacy practices and policies from this perspective. Proactively addressing this issue can be used for competitive advantage in the information economy by building consumer trust. Consumers have shown a desire to enter cyber markets if they have assurances that their privacy will be respected. Companies that can give those assurances and back up their privacy promises with transparent and independent trusted third-party verification will engage the greater portion of the market.
As complex as problems of privacy have become, the core issue remains the same: trust. Central to all is the basic perception that consumer confidence will increase in proportion to the degree to which e-business entities develop and embrace policies and procedures designed to effectively manage privacy risk, and are seen to do so.
Andrew Watkins, partner, Global Risk Management Solutions, PricewaterhouseCoopers.
Jennifer Ho, senior manager, Global Risk Management Solutions, PricewaterhouseCoopers.