
The shocking truth behind privacy policies in the enterprise

With the fast pace of online consumerism, companies must guarantee what they say in privacy policies is actually what they are doing when protecting the privacy of customer data.

After the recent flurry of data breaches, it is no wonder surveys like the one by GfK, a supplier of consumer and market information, recorded a major uptick in concern about online privacy. Almost half (49%) of the survey participants were "very concerned" about the privacy of their online data. The survey also found:

  • 56% indicated that top organizations, such as social networks and credit-card companies, need to take action.
  • 54% believed the U.S. government is not doing enough to safeguard their data.
  • 80% felt the government should implement regulations to prevent organizations from "repurposing personal data for third parties."

So we want to know that organizations are keeping our online data private, but are we willing to meet them halfway and read the company's privacy policy advertised on its website?

Reading privacy policies

A show of hands: how many have read TechRepublic's privacy policy? Or, Target shoppers, have you read its privacy policy? I frequent my local Target in Minnesota. I even attempted to read the privacy policy, struggling to get through the more than 3,100 words.

During a recent phone conversation with Dana Simberkoff, attorney and senior vice-president of risk management and compliance for AvePoint, I asked if she thought consumers were reading privacy policies. Simberkoff said, "We don't read them. We avoid reading the lengthy, jargon-filled content so we can begin using the service we downloaded, bought, or installed."

Simberkoff's remark aligned with the GfK survey, which suggested it's business as usual for consumers: "Less than half (48%) of consumers are changing their online habits because of privacy fears." As Simberkoff and I continued talking, something became clear. There were at least four distinct "cause and effects" at play:

  • Consumers don't read a website's privacy policy.
  • If consumers attempt reading the website's privacy policy, most fail to understand the details.
  • Website owners want to eliminate all possible liability, meaning privacy policies are loaded with legalese.
  • Website privacy policies may not represent what the company is actually doing.

Start with the companies

According to Simberkoff, consumers aren't going to read, let alone trust, privacy policies until website owners get it together. And by get it together, Simberkoff means companies need to make sure that consumers' privacy is protected as dictated by the privacy policy. It seems that is not always the case.

I had to let that sink in. Even with a significant percentage of consumers being apathetic about losing their online privacy, it might come to pass that consumers say "enough is enough." How many Target customers affected by the recent data breach want to go through another episode like that? To prevent that from happening, Simberkoff offers some advice on how companies can improve customer trust.

Use software tools

Because of the high rate of data influx, most companies should look at software tools to help identify risks and provide real-time solutions when it comes to assessing customer data privacy. From experience, Simberkoff has learned that does not mean just any software. The software should have the following attributes:

Say it: After establishing information privacy policies to ensure the security of sensitive or regulated content, be sure your selected process is in accordance with U.S., international, and vertical-specific compliance regulations.

Do it: Determine the risk severity of the captured data using advanced risk calculators. Look for a software tool with options such as highlighting areas that violate the specified compliance standards or guidelines as well as providing multiple perspectives on potential risk.

Prove it: Prove policy compliance with ongoing monitoring, detailed reporting, and incident tracking. Effective tools produce detailed reports of preventative and corrective actions taken to ensure content is uploaded, stored, classified, and secured in accordance with information governance policies.

Simberkoff emphasized that human review of the automated process is still necessary to ensure accuracy and that the company is abiding by its data-privacy policy.

Last thought

A question to online companies: if they are concerned about visitors reading the website's privacy policy, why is the link to the policy always way down at the bottom of the page in the smallest font possible?

A note on how the GfK survey was conducted: The GfK poll, conducted in the wake of several considerable data breaches of major brands, gauged the attitudes of US consumers. GfK conducted the survey from March 7 to March 9, 2014, among 1,000 respondents, all 18 or over.
