Ever since I created my first social media account I have been asking myself who is responsible for protecting my privacy. I always come back to the same answer, “I am”. Ultimately, I choose who I provide information to, who I use my credit card with instead of cash, and what I post to various web sites.
When I took my passion for this subject into the privacy office of a major corporation, the question I was asking changed. Now I ask, “when someone entrusts a business with their personal information as a customer or employee, what is my responsibility to protect the information?” This question has led to several conversations in which diverse points of view were presented. I hope (and expect) that there will be many more conversations.
Coming out of these discussions, a framework that has served me well has three levels of protection requirements: Legal, Policy, and “The Right Thing To Do”.
Legal requirements are readily available. Be it the Massachusetts Privacy Law, HIPAA, the EU Directive, or an industry requirement like PCI DSS, these requirements are prescribed for you by others. They are the low water mark, the must-haves, for every business. It often surprises me how frequently mid-size and small businesses ignore or avoid these requirements.
Often a situation arises that is covered by neither the law nor your policies, because nobody anticipated it. You can essentially do what you want (within reason), or you can take a step back to figure out what the Right Thing To Do is. Thinking about what you would like to happen if it were your personal information in question may drive you to a decision and, potentially, to a new policy that you had not anticipated. Believe me, the result could provide an outstanding experience for the customer or employee involved.
A year or so ago I was working with a team developing a mobile application that would access the user’s current location to help them find a nearby store or to check into a store. Accessing geolocation data was a new undertaking for the business I was working with, so we applied the framework discussed above.
At the time there were no legal requirements for protecting geolocation information, so the low water mark was met. There was no policy defined, so there was no expectation of privacy set with the customers. We held several discussions to define the Right Thing To Do eventually resulting in a new policy for the firm. As a side note, Senator Al Franken proposed legislation that matched the new policy the day after the policy was approved.