It has been six months since the General Data Protection Regulation (GDPR) went into effect, and interest in data privacy has never been higher. The trend will continue, and organizations must realize that the lens through which they view data privacy has a major impact on their business. To explore the subject further, I spoke with Michelle Dennedy, Cisco’s Chief Privacy Officer (CPO), who works to raise awareness for policy, practice, and tools that protect data privacy and enable business success and innovation.
AA: What has been the general reaction to GDPR?
MD: As I speak with customers and my fellow CPOs, there are two general reactions. One group views GDPR as a compliance exercise. They’ve met the deadline, are exhausted, and are wondering what new directive is coming next.
The other group considers GDPR an opportunity. They now have a map of their primary data sources and a better understanding of the level of control they have over their data. This allows them to identify data privacy gaps, the solutions needed to fill these gaps, and what’s next for their data profile.
When we realize that GDPR is not a deadline at all but the beginning of a new era, we can start to think about how we can serve this data to make it work for the business and the data subject – that is, the employee, citizen, customer or object of observation described by the data.
AA: What are some of the most vexing data privacy challenges of our time for businesses?
MD: On a tactical level, we’re hoarding data without adequate protection. We’ve been sold a bill of goods that data is cheap, storage is cheap, and privacy is dead. Holding onto all the data that’s coming in to organizations beyond its purpose and shelf-life obscures the value and integrity of that data.
Strategically, we’re caught between two opposing forces. There’s the inexorable global push of data – the desire to use the best data from every source to reach every market across business, science, education, and humanity. There is also the push for localization. We are driven to serve the cultures, tastes, mores and moral and ethical codes, locally. But do our laws really contemplate the global infrastructure that is our digital society? Organizations not based in the EU are affected by GDPR and its clones emerging worldwide. The time has come to marry infrastructure, architecture, and privacy engineering with policy.
AA: Where do we go from here?
MD: In the digital world we need to drive toward data curation. This is radically different from the preconceived notion of privacy as encryption and the secreting away or nonuse of data. Curation is about the right information at the right quality level, accessible by the right people so we are respecting and protecting privacy and using data ethically without compounding human biases. This is only possible with data engineering, privacy engineering and ethics engineering that allow us to look at what data is where, touched by whom, in benefit of whom and regulated by whom.
AA: What makes a successful data privacy program?
MD: You have to determine an outcome for your privacy program. That might be compliance only – learning from the past and trying to avoid mistakes and keep people out of jail. But in today’s economy, the way to leverage resources to be competitive and sustainable is to figure out how to curate data to help achieve your business objectives. Untended and uncurated assets turn into liabilities. When we are actively curating our data, we not only achieve compliance, but also efficiency, effectiveness and creativity.
AA: What are the roles of the employee and consumer in managing privacy?
MD: We should look at the data subject as someone who is setting requirements and standards. They have the responsibility to speak up if they don’t like something, for example, if their data is being sold. They can also provide quality control. They should be asking questions that continuously push companies to think about the data they are capturing and storing, and the least amount of data required to provide a service. We can’t rely on algorithms for this type of analysis. Humans must set the tone.
AA: Can you share a few tips to help us strengthen data privacy?
MD: For my colleagues in privacy – stay curious. Don’t just set requirements and create a checklist. Stay in the game through the lifecycle of data. Whether you have a technical, legal or policy background, everyone is a “newbie” in this new space that is constantly changing. There are lots of new training opportunities, including our Privacy Sigma Riders podcast where I talk to experts who talk about everything from what’s around the corner to what we might expect 10 years from now.
Business leaders must look at data in a new way – as valuable currency. Don’t look at it as exhaust, or something that inevitably is captured, or that more is better. Think strategically about what data you need to achieve your objective. Asking for as much data as possible is like asking the CFO to give you twice as much budget as you think you’ll need, and you’ll figure out how to spend it later. Data is currency so treat it that way.
Consumers must realize that the notion that you have no controls, or that if you want something then you need to provide all your data, is a fallacy. If consumers are not happy with what they are asked to provide, or don’t understand how to control privacy settings or how data will be used, they should speak up. Consumers have a voice and companies want to hear from them.