Companies, digital transformation and information privacy: the next steps

Transcription

1 A report from The Economist Intelligence Unit Companies, digital transformation and information privacy: the next steps Sponsored by

2 Introduction The Internet and sovereign privacy laws have been on a collision course for some time now, with growing tensions arising in all jurisdictions. The lack of trust burst into view in October 2015, with the European Court of Justice s rejection of the Safe Harbour agreement, a set of guidelines that had previously been understood as providing sufficient security for European citizens private data to be held in or used by companies in the United States. The ruling about Safe Harbour s inadequacy and questions about the proposed replacement agreement, Privacy Shield, which had been hammered out by EU and US negotiators, have created a legal limbo and have left companies that do business in the EU uncertain about how to proceed. Online privacy is not just a subject of transatlantic debate. Concern about these issues is gathering steam around the world, including in Africa, the Middle East and Asia. What happens between Europe and the US, however, will shape the global data-sovereignty debate for years to come both because of the prominence of the companies headquartered in both places and because the EU is the highest common denominator when it comes to privacy issues. The outcome of the current dispute may even prompt companies to rethink the idea largely unquestioned in recent years that holding on to data is an unqualified good. To build greater understanding of the state of play in the development and navigation of privacy laws, the Economist Intelligence Unit (EIU) conducted in-depth interviews with legal, technical and regulatory subject-matter experts on all sides of the debate. This report explores the challenges that global businesses face when addressing the complex and fluctuating policy environment and offers a set of best practices that companies can follow to meet evolving privacy and security demands. We would like to thank the following interviewees for their time and valuable contributions to our research: Giovanni Buttarelli, European data protection supervisor Martin Fanning, partner and data privacy expert, Dentons David McCue, senior executive advisor, Xerox Zoe Strickland, global chief privacy officer, JPMorgan Chase Jeb Weisman, chief information officer, Children s Health Fund Eugene Weitz, general counsel, Americas, at SAI Global Robin Wilton, director, Trust and Identity team, The Internet Society 1

3 You are constantly weaving through a hotch-potch of different rules and regulations, and they get very, very technical. David McCue, executive advisor to Xerox s global chief information security officer. Setting the scene A consumer who reaches the step of agreeing to a new online privacy policy often has an instant of doubt. But most consumers just hold their breath and tap the button that says Yes, accept, to terms and conditions reasoning that their financial and personal information will be carefully guarded, particularly if they are dealing with a well-respected brand. They may also assume that what they don t know (as a result of not having carefully read a privacy policy before agreeing to it) probably can t hurt them. Companies can t make the same decision not to engage with the details of privacy. The issues are well-known: the ever growing business benefits of understanding customers better and the huge financial and reputational risks of losing control of the data that allow companies to do so. But there are many more obscure, and no less important, risks as well. Customer records are stored in data centres, often operated by third parties, all around the world, with the centres themselves subject to a range of operational, security and legal risks. In addition, different customers are typically protected by different privacy laws depending on their nationality. The EU, where consumer privacy is seen as a fundamental right, is moving towards a set of particularly stiff fines for companies that don t protect customers private information, as part of a broad new set of regulations. Within a couple of years, companies not in compliance with European privacy laws will face fines of up to 4% of their global turnover. That s a staggering amount, putting data privacy penalties on par with antitrust fines in Europe. And even in privacy cases where the penalties are more modest, or there s no monetary penalty at all whether because the questionable privacy practice took place in a less-regulated region or wasn t found to be an actual violation of the law companies could certainly face significant backlash in other ways. It s a PR issue, said Eugene Weitz, general counsel, Americas, at SAI Global, an Australian company specialising in solutions and services that help manage risk and compliance. It s the kind of thing that affects companies up, down and sideways, Mr Weitz added. In the last few years, the ubiquity of cloud computing has complicated the challenge for all parties. A government might want to regulate or sanction a company that has suffered a breach or failed to protect its citizens private data. But if the company is located outside a country s boundaries or if it isn t clear in what country or region the compromised data are being stored or processed, or on whose servers, regulators can have difficulty taking any sort of corrective action or even determining which laws might apply. Companies themselves are often not much clearer about which jurisdiction s laws they need to abide by. You are constantly weaving through a hotch-potch of different rules and regulations, and they get very, very technical, said David McCue, an executive advisor to Xerox s global chief information security officer. He likened it to the old idea of an information highway, the difference being that on this highway, the laws vary, sometimes confusingly, depending on whose jurisdiction one happens to be in. GDPR on the horizon: Europe s evolving regulations Europe is developing a sweeping new set of rules, embodied in what it is calling the General Data Protection Regulation (GDPR), to define how consumer data need to be treated in the EU. In theory, the GDPR which will cover personal data, including names, photos, addresses, medical information and posts on 2

4 We are all suffering because of the limbo. We cannot leave thousands of small and medium enterprises in this position for another two or three years. Giovanni Buttarelli, European data protection supervisor social media sites will make it possible for multinational companies to apply a single privacy policy throughout Europe. But it s not expected to take effect until A long time to wait for certainty, thus many in Europe and the US are hoping for a ratification of Privacy Shield, the transatlantic deal that has been put forward as a near-term replacement for Safe Harbour. We are all suffering because of the limbo, Giovanni Buttarelli, the European data protection supervisor, said in an interview in his Brussels office. Mr Buttarelli and others acknowledged that the uncertainty is a particularly big challenge for smaller companies that don t have a lot of resources to devote to compliance. We cannot leave thousands of small and medium enterprises in this position for another two or three years, he said. According to privacy law experts, companies doing business in the European Economic Area have a few options to remain in compliance. First, they can tell a European consumer how they plan to use and store that consumer s data in a simplified privacy policy and ask for the user s consent. Second, they can use model contracts, which are European Commissionmandated contractual terms for dealing with European consumers data. A third option is to go through a much more elaborate process of developing Binding Corporate Rules (BCRs) of their own. BCRs apply to all the processes and policies companies use in all of their operations and must be approved by European regulators. But they have the advantage of being customfit to companies own processes not the case with model contracts. You have to invest a huge amount of time into BCRs, said Martin Fanning, a partner and data privacy expert at Dentons, a Londonbased law firm. BCRs can take several months to complete but, because they are based on a business s own governance and policies and involve dialogue with European data regulators, they are regarded by many as the platinum standard for international data transfers within a multinational group. Mr Fanning added that BCRs live and breathe with a business as it grows and changes, a quality that he said makes them more robust than other legal options for international transfers. By contrast, he said, consent can be revoked by an individual, and the EU Commission-approved model contracts can be rigid and in need of regular updating. The complicated role of technology The cloud is perhaps the best known, but it is not the only technology that is complicating matters alongside offering business benefits. Since technology has vastly increased the availability of free-flowing personal data, with all the accompanying benefits and problems, it might seem reasonable to ask that technology also provide the necessary solutions. The reality is more challenging. To be sure, an encryptionreinforced file server or database (and the use of other technologies, like tokens and containers) can prevent consumers private information from being accessed in the first place or from being compromised if a breach occurs. That can forestall embarrassment and economic losses associated with cases of large-scale credit card theft. However, in the legal environment of the future, security systems that protect data won t necessarily ensure compliance even if they prevent break-ins. Increasingly, privacy laws can be interpreted as requiring companies to exercise greater control over data and, in some instances, to follow rules that spell out where data must be located. Companies are having to make multiple decisions and position themselves to be in compliance with laws in many jurisdictions. Doing this successfully will take judgment and global awareness not attributes that can 3

5 It s that Where s the instant fix? mentality that tends to lead us down the wrong road. Robin Wilton, technical outreach director for identity and privacy at the Internet Society necessarily be captured by a straightforward technology or software system. Robin Wilton, technical outreach director for identity and privacy at the Internet Society, an organisation focused on fostering the Internet s growth and preserving its technical standards, observed that people don t always recognise the futility of trying to address privacy issues through technology alone. He said the Internet Society sometimes gets calls from people who want it to sponsor the development of a privacy plug-in an idea he considers fanciful not realising that effective privacy protection is an ecosystem and human-relationship issue before it is a software issue. It s that Where s the instant fix? mentality that tends to lead us down the wrong road, Mr Wilton said. The deeper people s backgrounds in technology, the more they tend to understand that a purely digital solution isn t feasible. As Jeb Weisman, the chief information officer at Children s Health Fund, a New York nonprofit handling sensitive medical data, put it: The technology can t decide what s private. Instead, he said, the systems that can help companies with privacy are systems that support governance. What I see is a set of human expectations that need to be met. And in the case of my organisation or any organisation, they need to be codified. Once they re codified, then we can use software tools and secondarily security tools. The security tools stop breaches. But the privacy tools help us understand what s private and manage it. To be sure, privacy and security are intertwined companies can t safeguard one without investing in the other. Xerox s Mr McCue underscores this with a warning about how common security breaches are nowadays. If you went and spoke to any of the national law enforcement agencies, whether in the US or in Europe, they will tell you that, as a whole, companies underestimate how much of their data has been lifted, stolen or compromised, Mr McCue said. I have been in meetings where a particular company has said, No, we re good, and the law enforcement representative has said, Well, we have a database back at headquarters that shows two terabytes of your inside information that we ve recovered from someplace on the dark Web. You ve been hacked and didn t know it. Looking towards a North Star for regulation In the future, companies will clearly have to understand the full range of restrictions that different localities have placed on how personal information is used, shared and stored. It s possible that the EU s efforts, including with the GDPR, will influence what countries in regions such as Asia and Africa include in their own privacy regulations. If that happens, GDPR may end up providing a sort of specific target that companies worldwide can aim for. Even today, though, while regulations remain uncertain, a comprehensive and thoughtful online privacy policy can be a selling point in the digitally driven economy. Mr Buttarelli, the European regulator, said he was reminded of this when he made a trip to Silicon Valley last year. Some of the start-ups he visited, instead of treating privacy as an afterthought, were making it a core part of their appeal to customers. He put this in the category of privacy by design, an approach to systems engineering that is fast catching on. I don t see any dichotomy between privacy and innovation, Mr Buttarelli added. As companies seek their own innovative ways to build and maintain value from data despite the confusion of today s privacy and 4

6 Long, complicated policy explanations aren t integral to protecting consumers personal information. They don t make anyone feel more comfortable. security regulations, the research suggests that the following approaches will likely help them navigate: l Know thyself from a privacy perspective. Businesses first move should be to do an audit, or mapping exercise, of their data. What data they have, how they are being used, where the data are being used and which third parties might be handling them are all areas a company must know cold. It takes data mapping of an entire company to understand what the needs and requirements are, said Mr Weitz, the general counsel, Americas, at SAI Global. l Build a cross-functional privacy team. By definition, a company is going to have some competing interests on privacy. The general counsel is primarily going to be concerned about protecting the company from litigation, the chief information officer about preventing security breaches, the chief marketing officer about increasing sales. The privacy function of a company can only identify the right trade-offs if it includes some individuals who can parse regulations; other individuals who understand data and technology; and still others who possess a strong knowledge of the business. l Find the right partners. Almost every company these days has at least some customer data stored on third-party cloud databases. You are dependent on these companies and the services they provide to include a level of protection for your data, said Mr McCue, an executive adviser at Xerox. As a consequence, companies should look for vendors with very strong capabilities in the protection of data stored with them, he said. Finding such companies is likely to become easier in the future as part of the GDPR will require IT vendors that previously bore no direct responsibility for privacy to comply with data protection laws. l Apply the function before form principle to your privacy initiatives. To date, the obligatory nature of how companies deal with privacy has been evident in the checklists of their policies. Consumers click impatiently through the policies because it s clear from the way they are presented that they contain nothing of interest. This isn t the way to do it. Long, complicated policy explanations aren t integral to protecting consumers personal information. They don t make anyone feel more comfortable. Something simpler and more functional may well work better. l Get rid of unneeded data. In this era of the cloud, digital information and customer records have become so cheap to hold on to that many companies do so as a matter of course. This is partly a reflection of the fashion for big data and the sense, as CIO Dr Weisman puts it, that the insight is just around the corner. In fact, a lot of old customer records are toxic data assets, Dr Weisman said, quoting Bruce Schneier, the cryptographer and widely followed blogger. Many privacy experts advocate data minimalisation having the discipline to keep only the data you need. No matter what happens with Privacy Shield and the GDPR, the global privacy story won t be finished. There will be other twists, perhaps influenced by developments in regions outside the EU and US. For now, companies need flexibility in their approach and options that meet different requirements in different jurisdictions. They have to find ways to be in compliance despite the regulatory uncertainty. The costs of not doing so are simply too great. 5

7 Whilst every effort has been taken to verify the accuracy of this information, neither The Economist Intelligence Unit Ltd. nor the sponsor of this report can accept any responsibility or liability for reliance by any person on this report or any of the information, opinions or conclusions set out in the report. Cover: Shutterstock 6

8 London 20 Cabot Square London E14 4QW United Kingdom Tel: (44.20) Fax: (44.20) New York 750 Third Avenue 5th Floor New York, NY United States Tel: (1.212) Fax: (1.212) Hong Kong 1301 Cityplaza Four 12 Taikoo Wan Road Taikoo Shing Hong Kong Tel: (852) Fax: (852) Geneva Boulevard des Tranchées Geneva Switzerland Tel: (41) Fax: (41)