Privacy policies by organizations will need overhaul soon: Report

New technologies and changing privacy regulations will require businesses to define new privacy policies, according to Gartner.

As many as half of all organizations will need to revise their privacy policies by year end 2012, says a recent Gartner report. Reasons cited include continued security breaches, the emergence of new technologies and corresponding regulatory changes, and the difficulties of quantifying privacy.

At the same time, privacy protection budgets look likely to remain low. Privacy officers will need to open communications within the organization and with outside regulatory authorities when framing suitable privacy policies. Gartner has identified the top five privacy issues that organizations will need to keep an eye on going forward:

Security breaches

Security breaches remain the top privacy concern for organizations. Gartner recommends that organizations compartmentalize personal information, restrict access to it, encrypt data when transmitting it across public networks, encrypt data on portable devices, and encrypt data in storage to protect it from over-privileged users, rogue administrators and external attackers. Also recommended are data loss prevention tools, tokenization, data masking and privacy management tools.
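The paragraph above names tokenization, data masking and restricted access as the controls Gartner recommends for personal information. The following added example (not code from the article or from Gartner) shows what those three controls look like together in a small Python program: a hypothetical `TokenVault` replaces sensitive fields with HMAC-derived tokens and keeps the original values in a separate store that only a named role may read back, while masking functions produce display-safe versions of an e-mail address and a card number. The sample record, the key and the role names are constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed for this example: roles allowed to recover original values.
# In a real deployment this decision comes from the access-control system.
DETOKENIZE_ROLES = frozenset({"privacy_officer"})


@dataclass
class TokenVault:
    """Hypothetical tokenization store: tokens are deterministic HMACs so the
    same value always maps to the same token (records stay joinable), while
    the token itself reveals nothing without the keyed vault."""
    key: bytes
    _store: dict = field(default_factory=dict)

    def tokenize(self, value: str) -> str:
        digest = hmac.new(self.key, value.encode("utf-8"), hashlib.sha256).hexdigest()
        token = "tok_" + digest[:24]
        self._store[token] = value  # vault is the only place the plaintext lives
        return token

    def detokenize(self, token: str, role: str) -> str:
        # Restricted access: only listed roles may recover the original value.
        if role not in DETOKENIZE_ROLES:
            raise PermissionError(f"role {role!r} may not detokenize")
        return self._store[token]


def mask_email(email: str) -> str:
    """Keep the first character and the domain: alice@example.com -> a****@example.com."""
    local, _, domain = email.partition("@")
    if not domain:
        return "*" * len(email)
    return local[0] + "*" * (len(local) - 1) + "@" + domain


def mask_card(number: str) -> str:
    """Keep only the last four digits of a card number."""
    digits = "".join(ch for ch in number if ch.isdigit())
    return "*" * (len(digits) - 4) + digits[-4:]


def protect_record(record: dict, vault: TokenVault) -> dict:
    """Return a copy safe for ordinary processing: identifiers tokenized,
    display fields masked, non-sensitive fields left as they are."""
    return {
        "customer_id": record["customer_id"],
        "email_token": vault.tokenize(record["email"]),
        "email_display": mask_email(record["email"]),
        "card_token": vault.tokenize(record["card"]),
        "card_display": mask_card(record["card"]),
        "plan": record["plan"],
    }


if __name__ == "__main__":
    # Constructed sample data and key; not real customer information.
    vault = TokenVault(key=b"example-only-vault-key")
    sample = {"customer_id": 42, "email": "alice@example.com",
              "card": "4111 1111 1111 1111", "plan": "basic"}
    safe = protect_record(sample, vault)
    print(safe)
    print(vault.detokenize(safe["email_token"], role="privacy_officer"))
```

The deterministic HMAC token is what lets an analytics job count distinct customers without ever holding an e-mail address; the `detokenize` check is the "restrict access" control applied to the one component that can undo the protection, and that component is where audit logging would go.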

Gartner estimates that about 10% of privacy officers' time will be spent on resolving privacy issues arising from security breaches.

Location-based services

The proliferation of GPS and other positioning tools, cell towers, wireless access points, and IP addresses now allows location information to be collected on an unprecedented scale. The vast quantities of information thus collected by various service providers pose a grave privacy risk.

Privacy officers will need to spend around 5-20% of their time on privacy policies for location-based services.

Cloud computing

Cloud computing opens up a privacy policy can of worms. While privacy laws vary between countries, public clouds aim to be the same across countries. Matters are complicated by laws which prevent certain kinds of information from being taken out of the country, owing to export controls or national security concerns.

However, most privacy laws have some flexibility, and there are legally acceptable solutions in most cases. Also, privacy compliance does not mandate in-country storage except in the case of specific countries known for their privacy violations. Privacy issues around cloud computing are likely to take up 20-30% of a privacy officer's time.

Difficulties in defining or quantifying privacy values

Personal information becomes a privacy issue only in the context in which it is used. Laws and regulations cannot provide a clear answer to what is right and what is wrong because they tend to lag behind changing technologies and cultural norms.

The research firm recommends that privacy officers instead design their business process after consulting the stakeholders involved. Once the process has been created, no more than 10% of time need be spent in monitoring these privacy issues.

Regulatory changes

Emerging technologies such as smart meters, indoor positioning, facial recognition, vehicle and device locators, presence detection and body scanners are increasingly being correlated with each other using databases. This will soon allow much private information to be gleaned from one or two starting points. Gartner foresees new privacy regulations and laws being created to answer these new needs.

However, Gartner suggests that these new privacy regulations will show their impact only in the mid- to long-term. For the short term, organizations can continue using the existing, generic privacy laws when framing their policies. Monitoring regulatory changes and adjusting the organization's privacy policies are estimated to take up around 5-10% of a privacy officer's time.

According to Carsten Casper, research director at Gartner, “The remaining 15-50% of the privacy officer's time should be spent executing the privacy program, managing relations, steering the privacy organization, reviewing applications, revising policies, documenting controls, drafting privacy terms for contracts, consulting with legal, responding to queries, following up on incidents and supervising the privacy training program.”