
22 Oct 2019

NBlog Oct 22 - a business case for privacy

This week I'm slugging away at the coal face to complete the management materials for November's privacy awareness module - an update on our previous coverage to reflect current issues, recent incidents and so forth.

As always, we'll be providing a set of goodies specifically aimed at management from which customers can pick and choose to suit their purposes:
1. Diagrams for privacy - the topic in pictures
2. Management seminar on privacy - see below
3. Board agenda on privacy compliance - I blogged about this on Friday
4. Elevator pitch on privacy - sums up the key points in about 150 carefully-chosen words
5. Model policy on privacy compliance - a template to customize
6. Model policy on privacy inquiries, complaints & incidents - another policy template
7. Executive briefing on privacy - a high-level one-pager
8. Management briefing on privacy - a more in-depth briefing/discussion piece
9. Model job description for Privacy Officer - outlines the typical role and responsibilities
10. Privacy metric - suggesting how to measure what matters most in this area

I've made solid progress on the management seminar slide deck today, laying out the key messages and telling the story through engaging graphics with enough supporting content to make managers sit up and take notice.

The other day I blogged about substantial penalties for GDPR noncompliance. Today, in writing the speaker notes to accompany a slide about privacy risks from the organization's perspective, I wrote this about the impacts:

"The organizational consequences of privacy incidents can include penalties (potentially huge fines under GDPR plus class action) and other consequential business impacts (bad publicity and reputational damage, customer defection, loss of trust and respect, more rigorous scrutiny by the authorities) on top of the direct costs (incident investigation and resolution, hurriedly improved information security, credit reporting and compensation for those affected etc.)."

... and, with hindsight, it occurred to me how negatively that comes across, emphasizing the costly nature of being held to account for privacy fails.

So, how about something more positive to balance that out, emphasizing the gains arising from privacy wins? "Nice idea, Gary, but what are you on about?"

I'd like to elaborate on the business benefits other than the obvious intent to avoid or reduce those costs. Are there any? Well, yes there are, but to be honest they are not exactly overwhelming - things such as establishing a trustworthy, ethical reputation among customers and others (including employees, by the way. Cogitate on that for a moment. Does it matter to the business if employees don't trust their employer to protect personal information, not least their own? I believe it does, but it would be hard to prove or substantiate).

It might not be possible to build a business case for privacy purely on the positives, which perhaps explains why this is such a heavily compliance-driven area in practice. Still, I'll see what I can come up with. I enjoy that sort of challenge.
