Request For Research Presentations For the PrivacyCon Conference
Operationalizing Privacy: From Privacy on the Books to Privacy on the Ground

In their Stanford Law Review article, Ken Bamberger and Deirdre Mulligan demonstrate that in the European Union and United States, great variance persists between privacy on the books and privacy on the ground. (Kenneth A. Bamberger & Deirdre K. Mulligan, Privacy on the Books and on the Ground, 63 STAN. L. REV. 247 (2011)). For privacy, principles and legal obligations written in law are not enough; organizations must put in place data governance mechanisms to inventory data collection, trace data flows, classify consumer information, determine permitted uses, manage vendor relations and verify security, accountability and ultimate deletion. To do so, organizations respond to an ecosystem of legal and non-legal incentives, including market forces around brand reputation, consumer expectations, perceived societal values and digital trust. To understand privacy on the ground, therefore, it is necessary to look at the practices of privacy professionals as they respond to an ever-changing technological business landscape.

In conjunction with EY, the International Association of Privacy Professionals (IAPP) has fielded a survey of its entire membership of more than 25,000 privacy professionals all over the world. With more than 790 respondents constituting a representative sample of privacy professionals across a broad spectrum of industries, government agencies and geographical locations, the Survey and resulting Report provide a first-of-its-kind insight into how companies and governments implement privacy on the ground. The findings include:

1. Unregulated industries, such as online, software and retail, report a greater investment in privacy programs than regulated industries, as well as a more strategic focus on risk mitigation, brand management and consumer expectations. These businesses place a greater emphasis on global expansion and positioning privacy as a competitive differentiator. As a result, privacy professionals are more likely to have influence over product engineering and senior management. By contrast, regulated industries, such as health care and banking, place greater focus on compliance and accountability processes. Government programs report low budgets and staff shortages, and an approach focused on compliance and preventing data loss.

2. The main concerns identified by organizations of all stripes are brand reputation and the risk of data loss. These risks significantly outweigh the risks of regulatory or individual enforcement.

3. American privacy programs are significantly larger and more mature than those in Europe. There is a close correlation between the maturity of privacy programs and company size. The privacy programs of larger companies are far better staffed and resourced than those of small and medium enterprises. More mature programs are more likely to be risk-based as opposed to focused on compliance.

These results offer key insights for policy-makers and privacy professionals on the challenges of privacy management on the ground. They point to the complexity of the relationship between regulation and how privacy is valued by market actors. They offer key benchmarking data and guidance to professionals in government and different industries in responding to the privacy challenge.