
Legal requirements, policy & the right thing to do

Ever since I created my first social media account I have been asking myself who is responsible for protecting my privacy. I always come back to the same answer, “I am”. Ultimately, I choose who I provide information to, who I use my credit card with instead of cash, and what I post to various web sites.

Taking my passion for this subject and beginning to work in the privacy office for a major corporation, the question I was asking changed. Now I ask, “when someone entrusts a business with their personal information as a customer or employee, what is my responsibility to protect the information?” This question has led to several conversations with diverse points of view presented. I hope (and expect) that there will be many more conversations.

Coming out of these discussions, a framework that has served me well has three levels of protection requirements: Legal, Policy, and “The Right Thing To Do”.

Legal requirements are readily available. Be it the Massachusetts Privacy Law, HIPAA, the EU Directive, or an industry requirement like PCI DSS, these requirements are prescribed for you by others. They are the low water mark, the must-haves, for every business. It often surprises me how frequently mid-size and small businesses ignore or avoid these requirements.

Policy is something an organization defines as a requirement for itself. A privacy policy allows you to set expectations for your customers and employees as to how you will protect their personal information. It says something about the values of your organization. Many organizations use their policies to show that they exceed the Legal requirements.

However, an organization’s policy can simply say they will meet the Legal requirements; those companies are missing an opportunity. A privacy policy can be used as a marketing tool to differentiate your practices from those of your competitors. As a consumer, would you rather do business with an organization that states “we will not share your personal information” or one that is silent on the subject?

One caution about a privacy policy: no matter what your policy says, you must be sure that these policies are actually being applied. If they are not, your business practices are deceptive. A good internal awareness and compliance program can go a long way to ensuring you are doing what you are saying.

Often a situation arises that is not covered by the law and that your policies have not anticipated. You can essentially do what you want (within reason) or you can take a step back to figure out what is the Right Thing To Do. Thinking about what you would like to happen if it was your personal information in question may drive you to a decision and, potentially, a new policy that you had not anticipated. Believe me, the result could provide an outstanding experience for the customer or employee involved.

A year or so ago I was working with a team developing a mobile application that would access the user’s current location to help them find a nearby store or to check into a store. Accessing geolocation data was a new undertaking for the business I was working with, so we applied the framework discussed above.

At the time there were no legal requirements for protecting geolocation information, so the low water mark was met. There was no policy defined, so there was no expectation of privacy set with the customers. We held several discussions to define the Right Thing To Do, eventually resulting in a new policy for the firm. As a side note, Senator Al Franken proposed legislation that matched the new policy the day after the policy was approved.