Discussions in the #CIOChat are always insightful with each member of the group bringing a fresh perspective to a variety of interesting data-driven topics. Increasingly in these forums and as I talk with CIOs and other business leaders, the conversation comes back to protecting privacy.
Recently, in light of Data Privacy Day, Sharon Pitt, CIO of Binghamton University, opened an interesting #CIOChat by stressing how important it is to think about safeguarding personal data. Peter Salvitti, CTO of Boston College, agreed, but then asked whether one day a year is really enough to safeguard data and maintain privacy awareness. Echoing the sentiments of Protegrity’s CEO Suni Munshani, Stephen diFilipo, CIO of the Institute for Transformational Learning, responded to Pitt and Salvitti by saying that, “Every day should be data privacy day.”
Isaac Sacolick, former Global CIO for Greenwich Associates, said in turn that, “Organizations that define proper use of data drive greater business benefits and earn customer trust.” At this point Theresa Rowe, CIO of the University of Oakland, broadened the discussion to new sources of data, saying, “We need to help people understand how beacons and other sensor technologies may end up compromising privacy.” Salvitti suggested that we also should not forget the metadata created: “We need to remember that everything we are doing is being tracked.”
Individuals’ awareness of this kind of digital surveillance, in light of their Right to Privacy, is at the heart of the EU’s General Data Protection Regulation (GDPR). When asked about the Regulation, Pascal Viginier, CIO of the European telecom company Orange, said that for them it “is a top initiative and a real opportunity for building customer trust.” He went on to say that data privacy and opt-in are the most respectful ways to support customer privacy and freedom, and raised the question, “How to make it the mainstream in all regions?”
“On the flipside,” said David Chou, Chief Information and Digital Officer at Children’s Mercy Hospital, “people are willing to give up some privacy for a great experience.” This led to a discussion of what marketers at firms like Nordstrom or service providers like Uber are doing with data, and the steps they will take to meet customers’ expectations that personal information be protected. For example, Uber masks phone numbers and complete names from both drivers and users.
Ed Featherston, VP Principal Architect at Cloud Technology Partners, said at this point that privacy is, “a huge challenge in today’s world, a delicate balance of privacy vs. convenience, walking tightrope over shark tank.” He added that “privacy is the rules, security is the mechanism to (try) and enforce the rules.” I could not agree more with his contextualization of security and privacy, especially with respect to the GDPR.
Larry Larmeu, Managing Director of L2 Digital, said that the GDPR is hugely important because most technology is not built for consumption by IT. Larmeu argues that, since technology always has a business purpose, privacy should always be considered during implementation. Brian Katz, Office of the CTO at VMware, suggested that compliance can be easy when security is part of the “DNA or culture of organizations,” but equally, it is difficult when this is not the case. Tim Crawford, former CIO and CIO Strategic Advisor, suggested that too often compliance strategy is a knee-jerk reaction to the symptom, not the problem. Larmeu added that responses are often all about the bottom line: managing cost versus risk.
Josh Olson, CIO of Michigan Tech, and Ed Featherston both suggested that education about risk is essential for organizations to effectively meet their responsibilities under regulation. Brian Katz warned that “only those that study GDPR will be ready,” complaining that it “shouldn’t have to be just EU citizens” whose privacy is respected.
Clearly data privacy needs more attention than one day a year; it needs to be part of an organization’s DNA and culture. I agree that more education is needed for brands to meet their custodial obligations to privacy. It is important that IT organizations focus their attention on protecting the data itself, rather than just protecting the infrastructure, especially under the terms of the GDPR. If this is important to you, here is a nice summary of how to overcome GDPR challenges.
Finally, as I have said before, the bad guys will get in; the question is what will happen when this occurs.