Concerns about privacy protection are increasing steadily. With the growth of e-commerce, the spread of social media, and users turning to the internet for everything from filing their taxes to venting about their employers, a large amount of personal information now resides outside the user's own protected domain. According to Gartner, data breaches, cloud computing, location-based services and regulatory changes will force virtually all organizations to review, and at least half of them to revise, their current privacy policies.
But first, a short detour to explain the difference between confidentiality and privacy. Confidentiality is the assurance that particular information about a person will not be disclosed without that person's permission. Privacy is the person's ability to control who has access to them and to information about them. In other words, privacy is a property of the person, while confidentiality is a property of the data about that person.
Governments and regulatory authorities are taking steps to regulate the use of personal information, and organizations must adopt a top-down approach to privacy impact management. A privacy impact assessment needs to look at every process in the customer service delivery function (order handling, sales and service, billing, and the call center) and then go deeper into CRM, retention and loyalty, and related processes. In a nutshell, it should cover all processes within fulfillment, billing and revenue management as well as fraud management. ERP, email and employee portals should not be overlooked either. An impact assessment has four steps:
1. Define the privacy and the Personally Identifiable Information (PII) elements as well as the drivers
2. Create a PII inventory to match business processes and underlying applications and infrastructure
3. Carry out an impact assessment and determine the critical processes, their boundaries and touch points
4. Enforce privacy management through policies and frameworks that comply with the applicable regulations
Implementing an appropriate enterprise-wide privacy framework and adopting the right technology is critical. For example, it is usually necessary to first ferret out the PII held within existing systems and only then build the technical controls for protecting it. Other areas that are equally demanding are user awareness and training, privacy-enhancing technologies that provide a degree of anonymity (which in turn builds trust and reduces risk), and monitoring and reporting of violations. At a higher level, end-user entitlements, protection of data at rest and in transit, and third-party agreements driven through the procurement and vendor-relationship teams should not be overlooked.
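Step 2 of the assessment (the PII inventory) and the "ferret out the PII" point above are where most of the engineering effort goes, so here is an added example of a minimal PII discovery scanner. It is not code from the original article or from any product it mentions; the system names, field names and records are constructed sample data, and the detection rules (regular expressions plus a Luhn check for payment-card numbers, and field-name hints for values that have no recognisable shape, such as a person's name) are assumptions chosen for illustration. It produces the mapping from system to field to PII category that an inventory needs, and it shows the one check that keeps such scanners from drowning in false positives: a 16-digit number is only reported as a card number if it passes Luhn.

```python
from __future__ import annotations

import re

# Constructed sample records from hypothetical systems (not real data).
# Keys mimic "application.table" so the inventory maps back to a system.
SAMPLE_RECORDS: dict[str, list[dict[str, str]]] = {
    "crm.customer": [
        {"name": "Jane Doe", "email": "jane.doe@example.com",
         "phone": "+1-555-010-2233", "loyalty_tier": "gold"},
    ],
    "billing.invoice": [
        {"invoice_id": "INV-1001", "card_number": "4111 1111 1111 1111",
         "amount": "19.99"},
    ],
    "hr.employee": [
        {"employee_id": "E-42", "ssn": "123-45-6789",
         "work_email": "jdoe@example.com"},
    ],
    "erp.order": [
        # 16 digits that fail the Luhn check: must NOT be reported as a card.
        {"order_id": "O-7", "sku": "ABC-1", "tracking_ref": "1234 5678 9012 3456"},
    ],
}

# Value-shape detectors (assumed patterns; tune per jurisdiction and data set).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"(?:\+\d{1,3}[-. ])?\b\d{3}[-. ]\d{3}[-. ]\d{4}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")           # US SSN layout
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")         # candidate PAN, Luhn-checked below

# Field-name hints for PII whose value has no distinctive shape.
FIELD_HINTS = {
    "name": "name", "full_name": "name", "first_name": "name", "last_name": "name",
    "ssn": "national_id", "dob": "date_of_birth", "date_of_birth": "date_of_birth",
}


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_value(value: str) -> set[str]:
    """Return the PII categories a single value matches by shape."""
    cats: set[str] = set()
    if EMAIL_RE.search(value):
        cats.add("email")
    if PHONE_RE.search(value):
        cats.add("phone")
    if SSN_RE.search(value):
        cats.add("national_id")
    for m in CARD_RE.finditer(value):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            cats.add("payment_card")
    return cats


def classify_field(field_name: str, value: str) -> set[str]:
    """Combine shape-based detection with field-name hints."""
    cats = classify_value(value)
    hint = FIELD_HINTS.get(field_name.lower())
    if hint:
        cats.add(hint)
    return cats


def build_pii_inventory(records_by_system: dict[str, list[dict[str, str]]]) -> dict[str, dict[str, list[str]]]:
    """Map system -> field -> sorted PII categories seen in any record of that system."""
    inventory: dict[str, dict[str, list[str]]] = {}
    for system, records in records_by_system.items():
        fields: dict[str, set[str]] = {}
        for record in records:
            for fname, value in record.items():
                cats = classify_field(fname, str(value))
                if cats:
                    fields.setdefault(fname, set()).update(cats)
        inventory[system] = {f: sorted(c) for f, c in fields.items()}
    return inventory


def systems_with_pii(inventory: dict[str, dict[str, list[str]]]) -> list[str]:
    """Systems that hold at least one PII field: the candidates for step 3's impact assessment."""
    return sorted(s for s, fields in inventory.items() if fields)


if __name__ == "__main__":
    inv = build_pii_inventory(SAMPLE_RECORDS)
    for system in systems_with_pii(inv):
        print(system, inv[system])
```

In a real assessment the records would be sampled from each application's data store rather than embedded, and the output would be joined to the business-process map from step 2 so that every flagged field can be traced to an owner, a retention rule and a protection control.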
Maintaining privacy and protecting the personal information of customers and employees is important for every organization. Privacy management should go beyond mere regulatory compliance, since a failure not only damages an organization's reputation but can also lead to financial losses through lost revenue and litigation.