In recent years the media has regularly focused on a variety of stories about internet privacy crimes and misdemeanours, from the hacking of risqué celebrity photos to the tailoring of products and services based on an individual’s online activity. Many are calling for action.
Yet many organisations remain undecided about whether a ‘privacy charter’ is a step too far. They want advice about whether the creation of an internet privacy charter can genuinely protect data from being misused.
To help organisations reach a conclusion, two advisors from KPMG’s Information Protection & Business Resilience team outline the key thoughts aired from both sides of the debate.
Jessica Tay argues that we do need a privacy charter for the internet
As you log into yet another website, have you considered how much trust you are putting in the website owner not only to protect your data, but also to use it in a way which you consider ethical?
A potent mix of social media sites, websites which require you to register personal details for the most basic of services, opaque privacy guidelines and naive internet users is, sooner or later, going to become a recipe for disaster. Why? Simply because privacy, which was once considered a right, appears to now be more of a privilege, limited to those who understand how to protect themselves online.
That is why one way to reclaim this right is to create a privacy charter for the internet. Doing so would empower consumers to be able to make a conscious choice to shop and interact only with companies committed to protecting customer data. It would force organisations to offer categorical acknowledgement that they share their customers’ ethical standards regarding the use of personal data.
Of course, some query whether this is genuinely possible. It may seem hard to imagine that there will be no more long and complex legal statements about how your data may be used, no more wondering if your data will be sold on to a chain of third parties because of a complex clause that you have unwittingly agreed to. But just because it has always been this way, doesn’t mean things have to continue without improving.
Imagine the appeal of a simple statement confirming that a company signed up to the charter will not sell any of your data, will do everything reasonable to protect it and will not buy data from sources where your self-published personal information has been analysed.
It could be argued that such a privacy charter risks brand suicide for businesses involved as data will inevitably be leaked or stolen. However, to establish some perspective, no data is ever 100 percent safe and it is certainly true to suggest that most consumers understand this to be the case.
The privacy charter does not purport to be a gold standard of data protection. It is, though, a step in the right direction as there remains a critical need for institutions to build and maintain the security of their information systems and this remains true whether or not a privacy charter exists.
And from a business perspective, there could be great rewards for the organisations that are forerunners in the privacy charter game and are able to use it as a point of differentiation. Surveys have focused in recent years on the ‘tribes’ people belong to, and how they determine our purchasing actions and choices that we make. There is a burgeoning class of consumers who want to make what they feel are the right choices – eating organic and buying British for example. This savvy consumer will be willing to pay a little more to shop with a business with an ethical privacy stance.
Susan Sharawi argues that we do not need a privacy charter for the internet
Signing up to a privacy charter might be akin to voluntarily installing a self-destruct button for some businesses. By taking the lead in publicly promoting data protection credentials, organisations are doing nothing more than laying down a challenge to would-be hackers. It is as if, by saying ‘we are safe to work with because we respect and protect your data’, an invitation is being given for unscrupulous individuals or groups to try and disprove
But what happens if data leaks happen by accident? Who should take responsibility for accidental customer data loss or misuse? Unfortunately mistakes happen and what we need is a way to deal with them, not something which is punitive, no matter what.
The simple fact is that attempts to secure electronic data in the same way people secure their personal documents are destined to fail. Where once a safe hidden behind a picture frame was considered enough of a deterrent, today’s cyber ‘safe breakers’ have too much of a head start in the sophistication of their methods and technologies.
It is also a misconception that consumer privacy on the internet ever existed. From the moment we started using websites and entering our name, address and date of birth into form fields, the genie was out of the bottle. Creating a privacy charter will not stop this information leaking because, for many people, it is already in the public domain. Much better to focus on how the data is used.
The grim reality is that we are only now slowly realising this, as organisations carve up opportunities to use our data for their benefit and ‘agencies’ who specialise in collecting and selling personal data spring up into existence.
In addition, let’s not forget the importance of balancing the risks associated with the privacy of consumer data with the benefits of the internet, which has undoubtedly enriched our lives in many ways. If we restrict what data is ‘out there’, we restrict the benefits upon which so many of us have come to rely.
Consumer data is forming a new currency on the internet. It will eventually change the way we make transactions. Eventually, it will become a commodity which is traded by ‘enlightened’ internet users who understand its value and how it may be used. A currency of this nature cannot be hidden.