Privacy is proving good for business

It’s an emotional issue, one that raises temperatures and leads to charged arguments, but Ann Cavoukian puts it into terms that even the most profit-minded business manager can understand: “Privacy is good for business.”

That’s why she urges businesses to adopt privacy practices.

“You shouldn’t be protecting privacy because you have to, you should be doing it because it’s good for your own business venture. In my view, privacy will be the next business imperative, and it will distinguish what I call the old-world thinkers and the new-world thinkers,” said Cavoukian, the privacy and information commissioner of Ontario.

The new economy is predicated on information, she said. And, as a result, privacy is increasingly an information management tool. Businesses need to build privacy into their core value, she said.

Though Cavoukian can discuss privacy in business language, she understands the passions surrounding the issue.

“In the public sector especially, we view privacy as a fundamental human right,” she said. “It continues to be that. But in terms of the economic impact it’s having in the private sector…you have to view privacy in economic terms and impact.”

Instead of think about privacy as an obstacle, business managers need to view it as an opportunity, she said.

The Tivoli SecureWay Privacy Manager is designed to help businesses take advantage of that opportunity. The product helps managers control access to information by employees, business partners and customers. It provides a set of pre-defined “best practices” privacy rules and categories of data that can be adapted to an organization’s policy needs.

“Whereas security is an organizational policy that the organization or business has control over…privacy is an individual policy – it’s not an organizational policy. The control resides, in essence, with the individual,” said Bob Kalka, a worldwide security product management executive with Tivoli.

The Policy Manger automates the process of keeping track of permissions in a central repository, along with the rules, said Doug MacPherson, a security sales specialist with Tivoli Systems Inc. in Markham, Ont.

Keeping track of permissions may not be easy, given the rules of federal legislation, which come into effect in 2004.

In Canada, Bill C-6, requires companies to get negative consent from consumers before they can use information they collect from them. If companies collect information for one purpose, they have to get negative consent again from consumers before they can use that information in another way. Negative consent means that consumers are given a choice to opt out rather than asked to opt in. This means, for example, that a company can send out letters or bills informing consumers their information is going to be used in a different way. Companies then are considered to have the permission by default, unless customers check a box and send back a form saying they don’t want their information used in that way.

It’s this type of legislation that’s driving companies to adopt privacy policies, said Jim Hurley, managing director of security at Aberdeen Group in Boston.

“Whether businesses want to do something about it or not, they’re being forced to by regulatory issues and, so yes, they’re having to do something about it,” he said.

But Canadian companies need to worry about more than just Bill C-6.

Companies doing business with consumers in other countries also have to worry about the laws in those countries, Hurley said.

The toughest job for managers is going to be coming to grip with the laws and communicating the impact those laws have to the various business divisions of their company. Technology such as Tivoli’s Privacy Manager is only a small part of the equation, he said.

“I think it requires that kind of understanding and analysis of the implication of the business before they even start thinking about, ‘Do we need any key technology at all in order to help us solve problems?'” Hurley said.

Tivoli understands the larger issues, said Rich L. Ptak, a senior vice-president at Hurwitz Group in Framingham, Mass.

“Rather than just peddling part of a solution, they (Tivoli) want to look at the process,” he said. “Tivoli’s solution is certainly competitive, and in some cases stronger because of integration.”

Companies are being forced to think about privacy because of the threat of legal liability, Ptak said.

“As the level of Internet-based commerce grows, the level of security and privacy become critical,” he said.

Companies need to evaluate the risk/benefit of the level of privacy they want to put into place, Ptak said.

“You have to decide which part of the business you want to sacrifice.”

European laws, for example are very strict, so companies doing a lot of business in countries such as France might want to put more resources into their privacy policy, than firms dealing mainly with the U.S., where privacy laws are more lax.

“The most conservative approach may not be economical,” Ptak said.

“The issue really is around finding the balance between the legitimate need of an organization to collect information about us and the necessity to protect our privacy. There is a balance there,” agreed Jan Duffy, vice-president of solutions research for IDC Canada in Toronto.