The Privacy House
In a world where consumers desire “hyper-personalized” products and services, corporations must get to know the consumers on a personal level. Hence, these corporations have begun collecting data about the consumers in various ways so they can “get to know the consumers”.
​
Along with the blossoming of the digitization of personal information, new regulations on data privacy are constantly emerging and evolving. This is happening to protect the consumer from being exploited by corporations. However, this entangled web of privacy policies has become a nightmare for corporations to manage – but a complexity that has become necessary.
These regulations restrict and sanction what data can be collected, where it can be used, where that data can be stored, who can access it, who can view the data, as well as a plethora of other actions. The GDPR (General Data Protection Regulation) which affects the EU, is a perfect example of the complexity of data privacy rules as it includes 99 separate articles outlining these regulations.
The Privacy House by Mondial Advisors​
Because of the quantity and intricacy of these policies, IT teams have been behind in dealing with them and not dedicating the necessary focus they require. This lack of attention to these rising regulations is highly problematic for corporations since sanctions for not adhering to these data privacy rules are growing. Violations of the GDPR can result in fines of up to 20 million or 4% of a company’s annual turnover. These non-compliance blunders are therefore costly. For Amazon, this mistake cost them 886 million dollars.​
Evidently, the risk of not complying with these data privacy regulations can jeopardize companies of any scale. So, what is the solution to dealing with these rules effectively?
​
​Mondial Advisors, a small IT consulting company in the USA recommends that companies evaluate their privacy practices using “The Privacy House”. ​
The Privacy House is a highly organized structure created to ensure the following two things: identify areas of focus and then delegate tasks to meet or exceed the needs of the regulations. Firstly, the structure compartmentalizes the places that the IT and Data teams must focus on to ensure they are compliant with data regulations. Second, the privacy house points to tools available in the market for corporations to use. The more corporations can rely on 3rd party processes to administer and adapt their data policies to new regulations, the less they need to constantly reconfigure their organization with each emerging law and regulation.
As seen in the diagram above, The Privacy Home structure consists of the following five elements: the foundation, floor, four pillars, ceiling, and the roof. Each component helps to identify a step in the data collection, processing, and action operation.
At the core of the arrangement rest the pillars, each indicating a different facet of data privacy. The first two are dedicated to consumer-facing policies, dealing with consent management and data collection. Consumers navigating the web from different sides of the planet are faced with inherently different options when it comes to their choice in data collection. This is seen in the distribution of “cookies” for example. In France, users must give their explicit, affirmative consent to cookie tracking, but in Australia, consent is the default, and needs to be explicitly rejected to be withdrawn. There are additional layers of complexity to these consent policies, such as when a French person accesses a site from Australia. Corporations first need to agree on the level of complexity up to which they will follow the policies. Then they must define processes and systems to follow these policies globally.
The second consumer-facing policies pillar focuses on data collection. Identifying which types of data can and cannot be collected is an incredibly important step in adhering to privacy regulations. Once again, corporations need to spend sufficient time on agreeing on the data elements that they can (and will) and cannot (or will not) collect. Then they must make sure the agreement is shared internally with all the global teams in that corporation. Enforcement of these kinds of policies globally is often a challenge that corporations must overcome.
The last two pillars relate to the modification and destruction of collected data. One area where a company might modify, or correct customer data is when a single user owns multiple accounts. Is it possible to use external knowledge (from Google for example) to determine that all these accounts belong to one person and merge these together? Another area and question that needs addressing is whether an enterprise can destroy customer data upon their request. Does the corporation follow the “right to be forgotten” rule?
Supporting these pillars is the “Storage Location Policy” floor, addressing issues surrounding the nature of data storage, encryption, and geography. If data is collected in separate countries, where should it be stored? Should data be stored geographically? These issues could become significant for companies operating globally.
Foundational to the entire structure of data privacy are the processes a company uses to manage and follow through with its policies. Proper governing is required to ensure protocol is followed globally. Who is governing these processes and making sure that each of the policies outlined in the Privacy House are adhered to? A robust company structure can only function if an organized governing body can hold it accountable, especially in the case of a data breach.
Lastly, determining which employees and departments can access the data and who can act on data is primordial to data privacy governing. Some departments, like HR, are only granted access to certain data, like salary information but not employee review information. In the same vein, only some roles can act on data, and determining what action can be enacted is another element to reflect on. If a company has access to a customer’s address, can said company send a flyer to them even if the customer requested “do not send flyers”?
Several issues arise in corporations by not having written down agreements on each of the components mentioned above in the Privacy Home. Hence, our recommendation is to consider each element separately and document the details of each policy. Educating the entire organization on these agreements and then creating incentives and rules for adhering to these rules, will ensure that the organizations are aligned to the data privacy concerns.
There are a few 3rd party tools that can assist in each level of the reinforcement of data privacy. Here are a few that have been used in the past. When it comes to data access, protection, and classification, a 3rd party tool like Bornio can cut the time, cost, and energy of adhering to data privacy regulations. For data storage, services like Microsoft® Azure or Amazon Web Services (AWS) also provide an outside source for reducing the cost and complexity of managing data. Another 3rd party tool called SafeGuard Data Storage aids companies in the governance and processes portion of handling data.
Asserting that data privacy management is complex is an understatement. There are countless areas where issues and roadblocks can arise. Luckily, in two steps, the Privacy House can provide companies with a solution to simplify the process. First, companies must ensure that all the elements presented in the Privacy House are covered by defining their internal policies and processes. Then, companies must identify the appropriate tools for managing data. In the end, buying the solution is far more cost and time effective than building an internal tool for data management. Third-party tools ensure dynamic changes when rules change and delegate day-to-day management processes more effectively. With all these safeguards put in place, getting tangled in the sticky web of data policy can be avoided, preventing potential fines and sanctions.