Privacy notices are not an unlimited licence

Doing something right is not the same as doing the right thing – especially when it comes to privacy and data protection. Many in the world of data management and marketing are rather selective about what they will admit to and what they would rather not face up to.

Two separate initiatives by the Information Commissioner’s Office highlight this gap – the latest Code of Practice on Privacy Notices and the handbook on Privacy Impact Assessment (PIA). Both show how keen the ICO is to make it as easy as possible for companies to understand how to be compliant and especially to communicate what measures they are taking.

Privacy notices are the frontline as far as data collection is concerned. They are the point at which a company says what it intends to do with data that has been collected. What the ICO wants is for notices to be clearer and more informative for data subjects, rather than being written from the point of view of giving the data controller legal protection.

There is no reason for these two things to be mutually exclusive. Indeed, the vast majority of practitioners are confident that they already get it right. When Acxiom hosted an event for privacy experts in marketing to discuss the new Code of Practice, it asked participants about their current procedures – 90 per cent believed they were already protecting personal information adequately through regular improvements to security measures and privacy policies. Forty-five per cent did not expect the new guidance to have an impact because of what they already had in place.

That is encouraging and should also reassure customers about what happens to their data when it is collected. Except that the ICO’s other publication about PIAs is not only far more challenging, it is also barely being talked about.

Designing for privacy is a concept that the ICO has been promoting strongly, and assessing what impact a data security breach would have on the data subject is part of that drive. To reduce the downside risks, there has been a strong emphasis on limiting what data is collected and how long it is retained.

Those are key principles in the Data Protection Act, yet they are probably the least acted on. Organisations have a ravenous appetite for data and are eager to collect all they can get. The idea of actually deleting data simply does not feature in most data management routines.

So you can tell an individual all you like how safe their data will be. That is not the same as accepting limits on how much of their data is needed. Until that changes, data subjects are right to mistrust the industry.