Transforming IT Blog
Join us in the Transforming IT HP Blog where we will discuss reinventing IT to overcome obstacles and take advantage of Instant on Enterprise opportunities.

What would happen if a whistleblower told the press about your privacy issues?

We all know about the impact of Edward Snowden’s decision to leak information about the NSA PRISM program. This has had a huge political impact in the USA, the UK and many other countries around the world.

The reactions to these leaks have been quite polarized, with some people condemning the leaks and others being just as ardent in their condemnation of the PRISM program. I don’t usually write about political events in this blog, and I certainly don’t intend to comment on which of these responses I think is correct, but I do think there are some important lessons for IT people to learn from what happened.

When I think about what happened, I think about how my customers use big data to create value, and how this overlaps with their privacy policies.

[Figure: Privacy-BigData-Venn.png, a Venn diagram of the overlap between big data use and privacy]

Every IT organization using big data needs to think about privacy issues, and what might happen if the press published articles about what they are doing. Ideally you should feel so confident that you would encourage the press to publish articles about your big data solution, because this would be good publicity that increases your reputation. If you would be worried about the consequences of press articles then maybe you need to review your privacy policy and make sure that you are doing the right thing by your shareholders, your customers and your employees.

If you want to be confident about privacy and big data then you need to follow these steps:

  • Create a privacy policy. This should be agreed by executive management as part of your corporate governance. It should be clear, unambiguous and easy for everyone to understand. Depending on your industry, and the countries you operate in, you will have to comply with privacy laws and regulations. It is essential that your privacy policy supports these, but simple compliance may not be sufficient. Think about how all your stakeholders would feel about your policy and make sure that you get the balance right.
  • Communicate the policy. The privacy policy should be communicated throughout your organization. You need to ensure that everyone understands their obligations and buys in to them. This is not just a matter of sending an email to all staff; it requires Management of Change (MoC) to ensure that staff really do take on board their obligations for privacy. 
  • Include privacy requirements in new and changed services. Ensure that privacy considerations are included in the requirements for every project for new or changed IT services. This should be mandated by the tools and processes you use for defining requirements.
  • Implement privacy tools and technical solutions. You will almost certainly need a range of technical solutions and tools to ensure that your big data solution implements and complies with the requirements of your privacy policy. This can include a combination of field masking, data encryption, role-based access controls and many other approaches. Whatever combination you choose, the controls need to be enforced where the data is actually read, and tested from the point of view of a user who should not be able to see a given field; a policy that exists only on paper is exactly the gap a whistleblower would point to.
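
As an added illustration of that last step (this is example code written for this post, not the author’s or HP’s, and not part of any product mentioned here): a single policy table decides, per role and per field, whether a value is shown in clear, masked, replaced by a keyed pseudonym, or withheld. The roles, field names, sample records and the key are all constructed for the example; in a real deployment the key would come from a key management service and the policy table would be derived from the written privacy policy.

```python
"""Field-level privacy controls for a record set: masking, keyed
pseudonymisation and role-based access decided per field.

Added example for this post; not the author's or HP's code. All roles,
fields, records and the key below are constructed for illustration.
"""
import hashlib
import hmac

# Pseudonymisation key. ASSUMPTION for the example only: a real system
# would fetch this from a KMS/HSM and rotate it, never embed it in code.
PSEUDONYM_KEY = b"example-key-do-not-use-in-production"

# Treatment each role gets for each field. A field that a role's map
# does not mention is withheld, so a newly added PII column is never
# exposed until someone deliberately grants access to it.
POLICY = {
    "analyst": {            # reporting: needs joins, not identities
        "customer_id": "pseudonym",
        "email": "mask_email",
        "postcode": "mask_postcode",
        "spend": "clear",
    },
    "support": {            # must be able to contact the customer
        "customer_id": "clear",
        "name": "clear",
        "email": "clear",
        "postcode": "clear",
        "spend": "clear",
    },
    "marketing": {          # segmentation by area and spend only
        "customer_id": "pseudonym",
        "postcode": "mask_postcode",
        "spend": "clear",
    },
}


def pseudonymise(value: str) -> str:
    """Keyed, stable pseudonym: the same input always yields the same
    token (so joins still work) but it cannot be reversed, or recomputed
    from a guessed identifier, without the key."""
    digest = hmac.new(PSEUDONYM_KEY, value.encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()[:16]


def mask_email(value: str) -> str:
    """Keep the domain (useful for analysis), hide the mailbox name."""
    local, sep, domain = value.partition("@")
    if not sep or not local:
        return "***"
    return f"{local[0]}***@{domain}"


def mask_postcode(value: str) -> str:
    """Keep only the area part (first token) of a postcode."""
    parts = value.split()
    return parts[0] if parts else "***"


TREATMENTS = {
    "clear": lambda v: v,
    "pseudonym": pseudonymise,
    "mask_email": mask_email,
    "mask_postcode": mask_postcode,
}


def apply_policy(record: dict, role: str) -> dict:
    """Return the view of `record` that `role` is permitted to see."""
    if role not in POLICY:
        raise PermissionError(f"no privacy policy defined for role {role!r}")
    allowed = POLICY[role]
    view = {}
    for field, value in record.items():
        treatment = allowed.get(field)  # None means: withhold the field
        if treatment is not None:
            view[field] = TREATMENTS[treatment](value)
    return view


# Constructed sample records; these are not real people.
RECORDS = [
    {"customer_id": "C-1001", "name": "Jane Doe",
     "email": "jane.doe@example.com", "postcode": "SW1A 1AA",
     "spend": 120.50, "ssn": "000-00-0000"},
    {"customer_id": "C-1002", "name": "John Roe",
     "email": "john@example.org", "postcode": "EC1A 1BB",
     "spend": 75.00, "ssn": "000-00-0001"},
]


def views_for(role: str) -> list:
    """Every sample record as seen by one role."""
    return [apply_policy(r, role) for r in RECORDS]


if __name__ == "__main__":
    for role in POLICY:
        print(f"--- {role} ---")
        for view in views_for(role):
            print(view)
```

Running it prints each role’s view of the same two records. Two properties are worth noting: a field the policy does not mention (here `ssn`) is withheld from every role rather than leaked by default, and the pseudonym for a customer is the same for every role that gets one, so analysts and marketing can join their data sets without either of them seeing the real identifier.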

If you get this right then you can feel confident that articles in the press will be good for your organization, and that privacy whistleblowers won’t be a threat to your business.

Read how HP Big Data Infrastructure Consulting can help your organization get ready for Big Data (pdf download) and how HP Big Data Protection and Compliance Analysis (pdf download) could help your organization manage your big data risk exposure.

If you want more ideas to help you think strategically about IT services, then read some of my other blogs (most recent blog is at the top):


Labels: big data | Privacy
Comments
JoeAlbanoPhD(anon) | 08-07-2013 04:15 PM

Throughout my career I’ve had the opportunity to work with several financial/securities firms and the general rule of thumb there was “it’s never good to be a cover story on the Wall Street Journal”. My concern is that we can take the Snowden incident and focus all of our attention on issues like: “How do we create compliant policies?” (Like those ever-so-useful EULAs that do more to confuse than clarify) and “How do we improve security so that information we want to keep private stays private?”

 

These are certainly important questions, but as they used to say in math class: these are necessary, but not sufficient. This is an opportunity to also ask “What would happen if our customers really knew the details of your organization’s business practices?” I’m not talking about divulging trade secrets, but what if they really understood the policies to delay accounts payable, accelerate receivables, automatically renew, and misrepresent the value of (financial meltdown anyone?).

 

Bottom line: how would ALL of your business practices look in the light of day? 

Stuart_Rance | 08-07-2013 04:22 PM

Joe,

 

Thank you for that response. You are of course correct. Privacy policy is a governance issue and it is the responsibility of executives to define these things based on how they want the company to be run.

 

GHM(anon) | 08-08-2013 10:11 AM

Stuart - you are right in what you say and companies need to be aware of how they secure their critical business information.  Your approach of defining security/privacy policies, communicating them, embedding them into the project implementation lifecycle and then auditing effectiveness and efficiency as part of live services makes common sense.

 

The challenge, as you hint at, is how you change the culture of the organisation so EVERYONE recognises they are responsible for the security of the organisation’s information.

 

In many ways I see this in the same way as the seat belt argument from several years ago where people had to be persuaded to wear a seat belt for their own and others’ safety. Nowadays we do this automatically even if we started driving without seat belts, and many people have never known anything else apart from automatically belting up.

 

In the same way as the Government has changed our view on seatbelts over the years organisations need to treat information security as a Business Change activity so they embed responsibility into everyone's working day.

Stuart_Rance | 08-08-2013 10:21 AM

GHM,

 

Thank you for your comment. I think you have correctly identified the most difficult, and most critical, step that organizations need to take.

 

Many of the difficult things in IT, security and ITSM come down to attitudes, behaviour, culture and management of organizational change. I suspect it is because so many IT people come from a technical background, so think that fixing the technology issues will make everything alright.

About the Author
I help clients use service management to create business value for themselves and their customers. I am a senior ITIL examiner and I have wr...