The Challenge of Public Expectation

When dealing with privacy and security, everyone jumps straight onto the compliance bandwagon. There are set laws, frameworks, regulations, standards and other checklists that allow you, as a business, to proudly state that you are compliant. But does ‘to-the-letter’ compliance match the public’s expectations? We at Bamboo think not, and so do others out there that you’re bound to encounter!

Consumers and their public expectations are a core foundation of trust in a business, and at the end of the day, privacy and security compliance is an exercise in that trust. If you’re not trusted, your compliance doesn’t matter (to the consumer). Consumer advocacy groups are well aware of the challenges companies face in terms of privacy, and sadly, the shortcuts many companies take in order to claim compliance in the name of an internal audit instead of the consumer’s protection.

Many businesses look at consumer advocacy groups with some disdain, since their unexpected challenges and publications can totally derail your day-to-day operations, or even land you in hot water with a regulator. That said, as business owners we should view these groups as a good thing; they are there to keep everyone on their toes! We have had the opportunity of responding to such groups and providing evidence in terms of consumer trust, and it was, dare I say, an exciting experience in terms of privacy consulting!

One of the most fascinating parts of these engagements is the questions they ask and the evidence they look for as part of their frameworks. These frameworks (such as The Digital Standard) have developed independently of regulators and enforcement bodies, and instead take a consumer-first approach to privacy and security.

This results in a set of criteria that goes above and beyond a checklist of compliance in terms of an official standard or regulation, and instead focuses on what a discerning consumer would be looking for in terms of publicly available information when considering purchasing or taking up services.

An example of the type of control expected that is not present in privacy legislation is making your privacy notice available via a stable and static URL, one that doesn’t change when the notice is updated or your website changes. This is not required by law, but it has a distinct benefit to the consumer and for backwards compatibility with any devices, services, or documentation you provide.

As interesting as this is, it poses a few challenges to businesses. The first is that your compliance exercises and programs may be perfectly aligned with regulations like PIPEDA, Law 25, or GDPR, with green checks across the board, and yet you can still score poorly in an assessment by a consumer group. The second challenge is that publishing some of the criteria in these consumer frameworks may itself be a corporate risk, such as internal processes that are part of your competitive advantage or processes whose disclosure may result in external business and security threats.

An example of this is the disclosure of actual examples of your responses to lawful access requests. While it may be beneficial for transparency, this type of information may be restricted to your legal department and may not be something that should be shared (for instance, where ongoing investigations or court orders prevent disclosure).

Another example of a difficult control to meet is that of the ability for a user to register under a pseudonym that in no way identifies their offline identity. This can be incredibly difficult, impractical, or even impossible when it comes to billing and other required business reporting and regulation.

In the end, if you are a business-to-consumer (B2C) company, there’s a good chance you’re going to have to respond to a consumer group at some point. This is not a bad thing; as a client of ours mentioned, it means you’re growing and being noticed! That said, you need to be prepared and also be able to make the right information available publicly to show your worth. Bamboo can align your privacy notices and internal practices to consumer frameworks, and also help you develop a public-facing privacy and security “trust center” to transparently and responsibly disclose your practices. For our current clients, many of the requirements are already included in our programs, so you can rest easy.

Striking a balance between publishing information, meeting the consumer’s expectation, and complying with legislation can be a challenging concept, but rest assured there are consultancies like Bamboo Data Consulting that can help you and your privacy office address these challenges proactively (and reactively if necessary!).

Ross Saunders

Ross Saunders is a global privacy, tech, and infrastructure specialist working with numerous industries to implement privacy programs and their accompanying technical infrastructure controls.

With a background in IT administration, software development, and Governance, Risk & Compliance (GRC), he is able to assist in a wide range of disciplines surrounding compliance, security, and privacy. He regularly assists tech-heavy companies with advisory, awareness campaigns, and practical implementation of controls.

Ross holds a master’s degree in the Management of Technology and Innovation, and holds designations and certifications in privacy legislation (CIPP/E), ethical hacking, and paralegal practice. Ross is a Professional member of the International Association of Privacy Professionals (IAPP) and is a national board member of the Canadian Association of Professional Speakers (CAPS).

In 2019, Ross published a book called “This Is Not What I Signed Up For: A survival guide for first-time managers” to help technical subject matter experts move into management roles. It is available for purchase in eBook and softcover at Amazon.ca.
