Note: this blog is a mirror of my HP Labs Blog, on the same topic, accessible at: http://h30507.www3.hp.com/t5/Research-on-Security-and/bg-p/163

Wednesday, October 3, 2007

Part II: Privacy Management in Enterprises? It is a matter of Enforcement and Automation …

I find James McGovern’s feedback always useful and relevant to trigger further thoughts. This is particularly true for his last post (see the “Links for 2007-10-01” part), related to a recent post of mine (on “Privacy Management in Enterprises? It is a matter of Enforcement and Automation …”):

“I really hate posts such as these as they start with technology discussions and abstract notions such as policies while ignoring simple facts of business. Have you ever considered that some industries simply couldn't function if privacy were so pervasive? Consider what happens when you win the Lottery and decide to buy yourself and me a Porsche Boxster. If you spend cash, you will have your privacy violated by the Patriot to ensure that you aren't laundering money. If you pay by credit, folks will be able to see everyone else you have done business with in the past. Likewise, you will need insurance on your Porsche Boxster where they will also check with the Department of Motor Vehicles to tell how many accidents you have gotten into. They will also check into past claims you have filed even if it was with another insurance carrier. How about a conversation that talks about the business model of privacy first?”

Interesting view and position! I think I never said that privacy needs to be “pervasive” and/or should disrupt current businesses (we are talking about businesses that are compliant with laws and legislation as well as with legitimate users’ expectations and rights, aren’t we?).

My main message was simply that, to improve current privacy practices, there is a need for more enforcement and automation – as (1) human-based processes and “good willingness” are usually prone to mistakes and (2) an approach entirely based on “compliance checking and remediation” has its own limitations …

Privacy for the “sake of privacy” is indeed pointless unless it is considered in the overall context, the business being one (important) aspect of it. However, it must not be forgotten that the perception of “privacy” (and what is important) is not the same everywhere: see the different mentalities, philosophies and approaches to privacy in the US and the EU!

I thought I was clear on this point when, in my previous post, I said: “I argue that the decision on the “actual blend” of policy enforcement and auditing/compliance checking should be the outcome of a “risk analysis” process, which must keep into account the specific enterprise context and the assets to be protected.”

Having said this, I disagree on the part of the comment saying “… start with technology discussions and abstract notions while ignoring simple facts of business”.

The requirement of having more “privacy enforcement and automation” is not an invention of mine. It is the (consistent) outcome of various investigative projects, customers’ feedback and related survey reports – taking into account a variety of aspects and dimensions (including the business perspective).

See, for example, the EU PRIME project and its outcome, which has taken into account (during its entire duration – almost 4 years) input, requirements and needs coming from business, social, economic, legislative and “personal” sources. Similarly, the outcome of a recent effort in the context of the Identity Governance Framework (in particular the MRD use case document) has highlighted the importance of enforcement and compliance. It has been the outcome of collaborative work involving multiple business groups (including HP), and it has illustrated use cases and business scenarios.

James makes a good point when he says: “How about a conversation that talks about the business model of privacy first?”

James – any input or suggestion, based on your experience and/or needs of businesses and customers you have been interacting with?

What would be, in your view (or in your customers’ view), a suitable business model of privacy? Are there, in your view, any emerging patterns or approaches to be taken into account? Would there be “the business model of privacy” or many of them, depending on the context (e.g. geographical location, legislation, etc.) and the businesses/organisations? How can all requirements and needs be reconciled in this model?
