Four hundred and fifty years after the birth of Shakespeare, in a comfortably modern room overlooking the Museum of London, the conversation at the IAPP Europe Data Protection Intensive on Tuesday started with the not-so-obvious connection between Hamlet and Paypal. It turns out the Bard of Avon’s longest play has fewer words than Paypal’s privacy notice.
“That’s the basis of much of the privacy world,” said Richard Thomas, adding, “This creates a world of liars.”
Thomas, former UK information commissioner from 2002-2009 and current global strategy advisor for Hunton & Williams’ Centre for Information Policy Leadership, listed several companies that have cheekily placed conditions in their privacy notices to demonstrate that consumers simply do not read them. One example included the Mephistophelian condition of agreeing to give up one’s immortal soul.
More than 7,000 customers unknowingly did so.
This “bureaucracy of data protection” is something Thomas and a panel of experts at the Data Protection Intensive argued needs to be eliminated. The solution? Well, according to Thomas, there is no single solution, but a risk-based approach is the needed step in the right direction.
So what is the risk-based approach exactly?
“Consensus is still emerging,” Thomas conceded. “None of us yet have the fine-tuned answers. I’m not sharing settled thinking.”
There are some demonstrable trends, however, brought on by several privacy regulators. The French data protection authority, the CNIL, has published a Methodology for Privacy Risk Management, while the UK Information Commissioner’s Office has issued a code of practice for conducting privacy impact assessments (PIAs) and commissioned a research study on PIAs and risk management.
More recently, the Article 29 Working Party issued a new opinion on legitimate interests of the data controller. In the past, various European jurisdictions have shied away from the legitimate interest conversation, while regulators refused to encourage it, said Hunton & Williams Partner Bridget C. Treacy. “Read this opinion,” she added, “it really is talking about risk and about balancing your organization’s rights to process data against an individual’s right to privacy.”
The risk-based approach “helps us understand how to work through and calibrate how principles will apply in context,” Treacy said, but warned, “this is not a substitute for legal compliance.” This approach can help organizations decide how to prioritize risks, determine and allocate budgets and make good decisions on the kinds of issues on which they need to focus.
What, exactly, is the risk-based approach trying to achieve?
Louise Thorpe, vice president, global privacy at American Express, gave business-world examples of the risk-based approach in practice. She said planning for risk management might often depend on how your organization manages operational risk.
For Thorpe, there are three lines of defense. The first line comprises those who come across risks first, which could include customer service representatives, for example. Expecting your privacy team to identify all the risks is unreasonable, so training employees across the organization and communicating potential risks to them will help with identification. The second line is the privacy office, compliance team and/or risk oversight function, and the third is the internal audit team.
Once a risk has been identified, asks Thorpe, what type of risk is it? Does it pose immediate or long-term risk? Is it internal or external? A one-off or recurring risk? From there, be prepared to articulate the identified risk. “This is often overlooked,” said Thorpe. “At the end of the day, are you able to document your risk assessment? Break it down. For example, if we don’t obtain consent, what will happen? Tell me.”
She also stressed the importance of identifying “risk outliers” or worst-case scenarios. Regulators and the media often look at the worst-case scenarios, so having an articulated report is essential.
Thomas recommends using a matrix with threats on one axis and harms on another. How likely and how serious is each component? He then breaks harms up into three categories: tangible harm, intangible distress and societal harm. Likewise, threats include inappropriate use and data in the wrong hands, whether stolen data or data that’s unjustifiably accessed or shared. Then, once the risks are laid out, what are the benefits created by collecting that data? Can they be demonstrated? What, if any, are the benefits to the individual? Can they be identified, articulated or justified? All are significant questions privacy teams should be asking as they assess products and services in a risk-based approach.
Yet, as harms move away from tangibility toward more ephemeral concepts such as potential secondary use or perceived creepiness, demonstration of harm becomes more subjective. Thomas said that “just because some areas are difficult, doesn’t mean you shouldn’t try,” adding, “you can’t have a completely scientific, objectifiable approach” in the risk-based model.
Critics, however, often contend that the risk-based approach sacrifices the will of the individual to the ethics of an organization. Accountability takes center stage, while notice and consent get the hook.
In a recent post for Privacy Perspectives, privacy expert Stuart Shapiro, CIPP/US, warned of the risk of the risk-based approach, writing, “as the narrative goes, since notice and consent don’t work very well as is, and will work less well in the brave new world of Big Data and the Internet of Things … we (the enterprise) will take over most of the responsibility for your privacy.” Shapiro opines that one privacy model—the one based on the Fair Information Privacy Practices—is being exchanged for another.
“We need to augment our existing risk models,” Shapiro argued, “to reflect the increased responsibility of enterprises rather than using poor execution as an excuse to undermine a model that might cramp the style of Big Data masters of the universe.”
But, for Thomson Reuters VP and Senior Privacy Officer Nicola McKilligan, CIPP/E, the risk-based approach is about focusing effort where it matters most.
Assess what products or services pose the greatest risk and scrutinize those the most. Have a quick turnaround for any data requests or consumer complaints. “For example,” she said, “organizations spend too much time crafting privacy policies—which ultimately do not prevent privacy harm—instead of preventing truly harmful outcomes.”
Though the risk-based approach may be unsettled, Thomas noted, it is a proactive attempt that includes—but goes beyond—mere compliance.
Ah, but if only Shakespeare crafted the modern privacy notice … in sonnet form, of course.