consumer privacy, just as data sharing agreements are an ineffective mechanism for really ensuring the protection of consumer data.

We need to think about this in a different way. For now, let's not worry about what the definition of personal information is, or about what controls need to be put in place, or the thousands of tactics that need to be implemented to have an effective privacy and security program. Let's shift for a moment and think about how entities can truly ensure that data is respected. Let's create a principle around respecting data.

If a core principle of an entity is "we will treat all data with respect" then all behavior related to that data will flow from that principle. For example, consider the following questions:

· Will you encrypt the data when sending it to a third party even though it requires two extra steps? Yes.
· Will you be sure that you have the appropriate permission to use the data in the way you want to, even if no one will ever find out that you don't know if you have that permission? Yes.

Principles are the underpinnings of culture and determine how people decide how to behave. Now more than ever, board members, leaders, and employees of companies, institutions, and government entities have an ethical imperative to treat personal data with respect.

Amid the cacophony of media coverage lies the conundrum of how to extract data about people (ideally which inures to their benefit, directly or indirectly), while at the same time both protecting it (security) and not crossing boundaries about context and expectations (privacy). Covered most recently by The New York Times in the Privacy Project, this issue has escalated to unprecedented proportions. One columnist suggested that the definition of privacy needs to be expanded in the subject of his column, Privacy Is Too Big to Understand. Perhaps, but we also need to look at what we are doing today.
If everyone looks at the conundrum through the lens of the person whose data is being collected, used, processed, and potentially sold, shared, or misused, the conclusion is largely inevitable.

From the practical point of view, what if the entire ecosystem operated from the same principle? That principle, simply put, is "We will always protect and respect personal data." Perhaps that is naïve and unrealistic. But why?

Why should entities sew a principle of "data respect" into the fabric of their organizations? First, because everything else has limited effectiveness. Treating data respectfully--as part of a culture and ethical purview--is a moral imperative for every organization, and really, for society as a whole.

And because when we are talking about personal data, we are talking about information about all of us. It's our data. It's where we live, work, eat, shop, pray, and how we behave while we are awake and also while we are sleeping. It's our health information, our beliefs, our sexual preferences, what we buy, who we vote for, what we read, watch, send and receive. The 'new oil' is comprised of trillions of bits of information about each of us. That is why.

This change in thinking does not cost money, does not require more people or technology or processes (at least initially), and will not happen overnight. It will, however, require a commitment and probably effort to change some current data collection and use practices and also change minds and hearts. It will also require anyone who believes this to persuade the leadership to have the courage to adopt the principle, begin to think in this way, and be an advocate for this change.

Culture, whether it eats strategy for breakfast or not, is important and should never be underestimated. But how does this impact data privacy or security?
Culture is a living thing that grows from within; a series of some large decisions that result in many small decisions that beget thousands of decisions made every day within an organization. Creating a culture of respect for data will have a positive net effect within organizations that subscribe to it.

So if you are building or advising entities that collect and use personal data, don't forget about core principles, and build a culture of data respect. Like a quarter on the game console shows you respect the culture of the arcade, good privacy and security culture goes a long way to showing respect for data and truly being a trustworthy data steward.

Beth Hill, Chief Compliance Officer and Privacy Leader, FordDirect