The current privacy discourse is shaped around the question: “Is your organization compliant with privacy regulations such as the EU General Data Protection Regulation (GDPR), the US State of California Consumer Privacy Act (CCPA) or the US Health Insurance Portability and Accountability Act (HIPAA)?”. However, addressing privacy as a compliance issue does not allow for the consideration of other pillars of privacy that are equally important (e.g., privacy as a human right, an ethical and social concern a political issue). Shifting from a compliance lens, to include these additional pillars of privacy moves the conversation beyond “doing privacy rights”, and more toward “doing privacy right.” This more holistic approach to privacy recognizes that feasible, useful or profitable does not equal sustainable and emphasizes responsibility over compliance. Designed to reflect “doing privacy right,” Privacy by Align (PbA) is a novel approach to addressing the multiple pillars of privacy. The pillars of PbA are summarized in figure 1.
Figure 1—The 6 Pillars of PbA
What Is the PbA Approach?
Much of the current privacy landscape, such as CCPA and GDPR, presents risk-based approaches that mandate additional measures to protect personal data where risk demands it. However, the ethical, political and social dimension of privacy is often absent in these risk-based approaches1 because data privacy legislation is largely focused on how organizations process personal data rather than what organizations do to extend or shape conditions for that processing. The PbA approach addresses this gap through 6 pillars of privacy:
- Legislative and regulatory privacy
- Privacy incident management
- Enterprise ethical privacy
- Enterprise social privacy
- Enterprise political privacy
- Privacy communications
The PbA approach urges organizations to address the legal/regulatory and incident management pillars as a baseline, and then to address the discretionary pillars where they apply to the organization. The 6 pillars of PbA and their associated privacy activities are summarized in figure 2.
Figure 2—The 6 Pillars of PbA and Their Associated Privacy Activities
|
Pillars of PbA |
Consists of |
|
Legislative and Regulatory Privacy (Mandatory) |
Local, national and international legislative landscape |
| Data processing agreements, third party | |
| Binding corporate rules | |
| Standard contractual clauses | |
| Privacy by design product/service life cycle involvement | |
| Data protection impact assessments (DPIAs), transfer impact assessments | |
| Supervisor authority interactions | |
| Data subject access request (DSAR) | |
| Stakeholder training | |
| Senior management meetings | |
| Privacy advisories and consulting | |
|
Privacy Incident Management (Mandatory) |
Data breach management and notification |
| Supervisory authority channel | |
| Customer communications management | |
| Media management and press releases | |
| Remediation management and legal proceedings | |
|
Corporate Ethical Privacy (Discretionary) |
Data ethics, digital ethics |
| Privacy as a human right | |
| Ensuring no surprises policy | |
|
Corporate Social Privacy (Discretionary) |
Interactions with privacy forums and advocacy groups |
| Attending and hosting privacy conferences | |
| Privacy sponsorships | |
| Extending stakeholders to include parents, employees, families, customers, suppliers and society | |
| Implementing discretionary standards | |
|
Corporate Political Privacy (Discretionary) |
Lobbying for and against privacy |
| Writing open letters regarding position on privacy matters | |
| Stating the chief executive officer’s (CEO) position on privacy | |
| Funding and joining lobbying groups and political forums | |
|
Corporate Privacy Communications (Both Mandatory and Discretionary) |
Collaborating with marketing and corporate communications |
| Privacy policies, notices and statements | |
| Privacy reporting in corporate social responsibility (CSR) reports, corporate reports | |
| Lobbying documentation | |
| Corporate emails and correspondence |
Legislative and Regulatory Privacy
This pillar consists of all the privacy activities an organization must undertake as directed by their own privacy legislative landscape (e.g., their consumer, privacy and cybersecurity legislation).
Incident Management Privacy
When a privacy incident occurs, the affected organization must first determine if the incident needs to be reported to supervisory authorities, regulatory bodies or stakeholders. The organization then needs to remediate the incident (e.g., by introducing new hardware, software, processes or training to ensure the issue does not recur). The organization may also have to manage the process of lawsuits, financial penalties or increased oversight or audits that result from incidents.
Privacy Ethics
Privacy ethics consist of data ethics, digital ethics and privacy as a human right. Privacy ethics concerns the way technology is shaping political, social, environmental and moral existence. Privacy ethics addresses the questions of how technology should be employed, what privacy risk new or updated technology may bring, and what the arrival of these new futures means to society. Mantelero’s work combining the Human Rights, Social and Ethical Impact Assessment (HRSEIA) with the privacy impact assessment (PIA), can be a useful starting point.2 With privacy ethics comes the added variable of the ethical implications of what may not yet exist, and risk that cannot be predicted. The UK Data Ethics Framework3 and the Omidyar Network’s Ethical OS4 provide useful tools for addressing this privacy risk.
Socially Responsible Privacy
The competitiveness of an organization, and the well-being of the communities around it, are mutually dependent. In this pillar, organizations reach out to multiple stakeholders, including employees, suppliers, consumers and surrounding communities, to understand their privacy concerns. Although privacy is often a stakeholder expectation, its importance can vary greatly. For instance, taxpayers in countries such as Finland, Norway and Sweden have little expectation of financial privacy as income tax records are publicly available online. The process of reaching out to stakeholders to determine what matters most to them is called a materiality assessment.5
Political Privacy
Political privacy is associated with political concepts such as national surveillance, freedom of speech, lobbying, voting and democracy. Organizations invest millions of US dollars lobbying governments to favorably shape privacy legislation. For example, they may lobby to reduce privacy compliance costs or to retain data for longer/further use. VpnMentor recently analyzed all the lobbying reports that were submitted to the US House of Representatives between 2005 and 2018 by the 5 largest big tech organizations. It found that privacy was the most frequently used word in the lobbying submissions and was in the top-5 lobby interests of all 5 organizations (figure 3).6
Figure 3—Big Tech Lobbying Between 2005 and 2018
Source: vpnMentor, “The Issues That Matter to the Big Tech Lobby.” Reprinted with permission.
Privacy Communications
Each pillar of privacy in the PbA approach is reported in a corporate communication form that is accessible to key stakeholders. The legal pillar of privacy is reported in privacy policies, transparency reports and privacy statements, the social pillar of privacy is reported in corporate social responsibility (CSR) reports and the political pillar is reported in various lobbying databases. Fundamental stakeholder trust and reputational issues arise when these communications reveal nonalignment (e.g., when an organization reports “contributing to privacy advocacy groups” in their CSR reports and then reports “lobbying for weaker privacy for consumers” in its lobbying submissions). When an organization aligns these pillars of privacy and demonstrates that alignment, it can result in increased consumer trust, consumer loyalty and revenue.
Organizations need to view privacy with a broader lens that extends beyond just privacy rights and recognizes the ethical, social and political pillars of privacy.
Aligning the Pillars
The PbA approach highlights the need for organizations to not only address these additional pillars of privacy but to also align them. The first alignment process consists of aligning activities across privacy pillars (i.e., “to walk the talk”). Organizations that undertake collaborations with privacy advocacy groups (reflecting the social privacy pillar) should ensure that their lobbying submissions (reflecting the political privacy pillar) are aligned. In its CSR reports, Cisco, for instance, states that it is leading the development of the EU Cloud Code of Conduct (reflecting the social privacy pillar) while also lobbying for more comprehensive privacy laws that respect privacy as a fundamental human right.7 Its social privacy and political privacy pillars are thus aligned. Misalignment of these pillars can result in reduced stakeholder trust, increased concern for privacy and negative reputational effects.
The second alignment process consists of ensuring that the privacy activities in the pillars reflect stakeholder expectations toward privacy (in materiality assessments). Again, using Cisco’s most recent materiality assessment as an example, it shows that “data security and privacy” are of significant importance to the stakeholders and the organization.8 In this way, its privacy pillars are aligned with stakeholder expectations and will likely result in appeasing its privacy concerns.
Conclusion
Organizations need to view privacy with a broader lens that extends beyond just privacy rights and recognizes the ethical, social and political pillars of privacy. Organizations also need to determine the privacy expectations of the wider stakeholder community. The PbA framework enables organizations to more holistically address privacy and advocate for the alignment of the pillars to engender increased consumer trust, reduced concern for privacy and enhanced reputation.
Endnotes
1 Mantelero, A.; “AI and Big Data: A Blueprint for a Human Rights, Social and Ethical Impact Assessment,” Computer Law & Security Review, vol. 34, iss. 4, 2018
2 Ibid.
3 UK Government Digital Service, Data Ethics Framework, United Kingdom, 13 June 2018
4 Omidyar Network, "How Not to Regret the Things You Build"
5 Global Reporting Initiative (GRI), “Materiality and Topic Boundary”
6 vpnMentor, “The Issues That Matter to the Big Tech Lobby”
7 Storer, K.; “Cisco Calls for Privacy to be Considered a Fundamental Human Right,” CISCO, 7 February 2019
8 CISCO, “Materiality Assessment”
Valerie Lyons, CDPSE, CISSP
Is the chief operations officer with BH Consulting, an international cybersecurity and privacy consultancy organization based in Dublin, Ireland. She is also a lecturer at Dublin City University’s Business School (Dublin, Ireland). Previously, she was the head of information and risk management at KBC Bank, Ireland, for 15 years. Lyons is a frequent speaker on all things privacy, and her key motivation is to change the industry’s approach to privacy so that privacy is the baseline rather than the goal and to bring an understanding of privacy that extends beyond legislative dimensions.