Wednesday, September 10, 2014

Privacy Engineering: How Researchers Can Protect Consumers and Companies

By Marc Dresner, IIR

Those of you who follow this blog know I’ve been a little hung up on privacy lately. 

My last two posts, respectively, have dealt with data brokers and the relatively unchecked accumulation of people’s personal information on- and offline by companies nowadays.

Today I want to look at the privacy engineering movement that’s been gaining traction in the IT community and why researchers ought to take note.

But first, just to refresh, in my previous posts I’ve echoed a growing sentiment among experts that we may be on the brink of a privacy backlash in response to a perceived lack of informed consent and transparency with regard to Big Data collection and use.

In a nutshell, there’s mounting consumer anxiety over what some characterize as a sort of Big Brother-style corporate surveillance.

It’s a worrisome trend at a time when trust in brands and companies—particularly among younger cohorts—is already abysmally low.

A Consumer Trust Crisis

Coca-Cola’s Global Director of Human and Cultural Insights, Tom LaForge, summed up the trust situation well in a speech I attended earlier this year:

“Whether or not a competitor will steal share is not what you should worry about. Worry instead about whether or not people will allow you to stay in business, because ‘big’ is on probation,” said LaForge.

“Worry about whether or not people will allow you to stay in business, because ‘big’ is on probation.” 
– Tom LaForge, 
The Coca-Cola Co. 

“People do not trust big entities,” he added. “They don’t trust governments. And global corporations are often bigger than governments. Corporations are about as big as it gets.”

How bad is this trust crisis? LaForge said “corporations are losing the social license to operate” as a result.

In such a climate, it’s not implausible that a well-publicized privacy breach (note that’s privacy breach, not data security breach) might cause serious, even irreparable damage to a brand, company or other institution’s credibility and relationship with the public.

Privacy: It's About Ethics Not Compliance

Accordingly, experts are advising companies to think about privacy not in terms of compliance, but in terms of ethics.

Indeed, the reason privacy is getting so much attention these days is arguably because current legislation and regulation don’t go far enough and may not be able keep pace with technological change.

In lieu of statute, companies must sort out privacy ethics on their own. That’s a complicated affair in which the research community can be an invaluable resource.

But first, I humbly suggest that researchers get acquainted with “privacy engineering.”

What is Privacy Engineering?

An increasingly popular approach with the tech set, privacy engineering endeavors to systematize privacy and embed it in the products and processes companies use, buy, create and sell. 

I conducted a podcast interview on the subject with one of its pioneers, Michelle Dennedy, VP and Chief Privacy Officer at McAfee, back in April.

Dennedy, whose credentials straddle the legal and technological aspects of data security and privacy, is also co-author of “The Privacy Engineer’s Manifesto: Getting from Policy to Code to QA to Value.”

“Privacy engineering is a way to build respect for information about people back into our infrastructure.” 
- Michelle Dennedy, McAfee 

“Privacy engineering is a way to build respect for information about people back into our infrastructure and to think about data from the consumer perspective,” Dennedy told me.

It’s particularly important for researchers to familiarize themselves with this approach, I think, in part because companies are increasingly looking outside the research function to data scientists to manage Big Data.

You don’t need to be an IT specialist to understand “The Privacy Engineer’s Manifesto” and it may be just the blueprint consumer researchers need to insinuate themselves in the fundamental discussions that shape not only privacy policy and practice, but the manner and extent to which companies harness Big Data moving forward.

See Also: Privacy by Design

I would also advise researchers to familiarize themselves with another, similar concept: Privacy by Design” (PbD).

PbD is both an approach and a landmark resolution approved by international data protection and privacy commissioners in Jerusalem in 2010.

The PbD framework sets out seven foundation principles aimed at ensuring that privacy is embedded into new technologies and business practices from the outset and boils down to three key tenets:

-          Trust and control

-          Freedom of choice

-          Informational self-determination

According to Dr. Ann Cavoukian, former Privacy and Information Commissioner of Ontario, Canada, and architect of PbD, privacy policies are becoming meaningless to people and companies should not hide behind them.

“If your company does something with people’s information that might raise ethical questions, stating it in a privacy policy—even if it isn’t buried in jargon—does not equate to informed consent. People check the box without reading all the time,” Cavoukian told a room full of consumer researchers back in May.

“Privacy isn’t something people think they should have to ask for; it’s a presumption.” 
– Privacy and Information Commissioner
Ann Cavoukian

“Privacy isn’t something people think they should have to ask for; it’s a presumption,” Cavoukian added.

Bottom line: A privacy policy may protect a company in a lawsuit, but it won’t help in the court of public opinion, where the stakes may be much higher.

To illustrate just how serious the threat of a public backlash has become, Cavoukian cited a variety of survey data, most notably a January 2014 AP-GfK poll in which more than 60% of respondents said they value their privacy over anti-terror protections.

PbD and privacy engineering offer a compelling safeguard to companies because they’re inherently proactive. You’re embedding privacy protection in everything you do and design—right down to the code—from the get-go.

While it may seem expensive to take the necessary steps to ensure that all current and future products, systems, etc., meet standards that may not be mandated by law, the cost may be infinitely higher to implement, revise and rebuild after a privacy breach.

How does this apply to researchers?

We tend to think of this stuff as falling under the purview of a Chief Privacy Officer, but it’s both an imperative and an opportunity for researchers.

Consumer researchers are probably the last people who require a lecture on the ethical collection and use of data or the sanctity of trust—without it, we have no respondents—but as you well know, research today is neither confined to direct response methodologies nor gathered exclusively from opt-in panels and communities.

Moreover, a research department typically isn’t the only entity in a company engaged in the collection of consumer data, its sole repository or the arbiter of its use.

In short, there’s plenty of room for an unintentional breach of privacy ethics in most organizations today. And given the stakes, this represents an unacceptable risk.

So, the time has come for internal research functions to get involved in privacy discussions outside departmental walls and to have a hand not just in crafting policy and protocol, but to make the case to management for building a company-wide culture that understands and respects consumer privacy.

So start by paying a visit to your colleagues in IT to talk about privacy engineering. Privacy oversight will need to cover marketing, R&D, sales, etc. 

This is a chance for research to assert influence over all of a company’s present and future consumer information assets. It’s a natural fit.

Marc Dresner is IIR USA’s sr. editor and special communication project lead. He is the former executive editor of Research Business Report, a confidential newsletter for the marketing research and consumer insights industry. He may be reached at Follow him @mdrezz.

No comments: