Gartner: Corporate privacy policy requirements demand urgent review

The research firm says corporate privacy policy requirements are outdated, due to new technology and legislation, and should be revisited now.

Changes in technology and legislation are exposing weaknesses in the way organisations manage sensitive personal data, and as a result, many of them are now carrying out urgent reviews of their privacy policies.


According to research group Gartner, 50% of all enterprises will revise their corporate privacy policy requirements before the end of 2012 in order to reflect changes in business practices, such as the use of cloud computing and location-based services available on smartphones. Gartner’s forecast is based on interviews with its clients.

Carsten Casper, privacy research director for Stamford, Conn.-based Gartner, said changes to laws on privacy and mandatory breach disclosure are also forcing companies in the UK and around the globe to review their security policies.

“We are seeing new privacy laws around the world in places like South Africa, Mexico and Asia-Pacific,” Casper said. “There is general pressure on organisations to look at the existing approaches to privacy, not just in the UK, Germany and the rest of Europe, but also the rest of the world.”

He said it used to be enough for companies to tell customers their information was protected, but now the general public is much more aware of data breaches and the importance of privacy, and in turn requires greater reassurance and information about how its data is managed.

“Companies need to explain how they deal with these challenges, about who they are engaging with, and their approach to social media and mobile devices,” Casper said. He also said, in the wake of so many recent data breaches and losses, especially in the UK, companies must emphasise the importance of regaining consumer trust, being clear about the information organisations collect and how they handle it.

He added that corporate privacy policies alone are not the answer. Companies must be clear about who is responsible for data privacy, and senior management needs to understand why privacy is important and communicate that to their staff.

“The policy,” Casper said, “needs to be more than just a piece of paper.”

Gartner identified five key issues of concern for privacy officers over the next two years:

  • Data breaches: They are easy to control if organisations compartmentalise personal information, restrict access, encrypt data going across public networks, encrypt data on portable devices, and encrypt data in storage, in order to protect it from rogue administrators or hackers. Gartner says companies should consider data loss prevention (DLP) tools, tokenisation, data masking and privacy management tools.
  • Location-based services: Some organisations collect vast amounts of location information, often without a clear plan of what to do with it, thus violating a fundamental privacy principle, namely to collect information only for the purpose for which it is needed.
  • Cloud computing: The problem is that privacy laws apply to one country, while the public cloud straddles national boundaries. Privacy officers should insist on knowing where data will be kept. Gartner said privacy laws have some flexibility, that guidance is evolving slowly and that, in many cases, there are legally acceptable solutions. It said organisations should focus on the location of the provider's legal entity, rather than on the physical locations of its operation centres.
  • Assessing the value of privacy: Organisations will struggle to find a balance between "not enough" and "too much" protection, and striking this balance needs to be an ongoing process. Gartner suggests corporate privacy officers should set up a process to identify stakeholders for personal information, gather requirements from them, and use those requirements to influence the design of business processes and applications.
  • Interpreting the law: Since laws usually lag behind technological developments, organisations need to interpret generic privacy legislation for a whole raft of emerging technologies, such as smart meters, facial recognition on smartphones linking to photo databases, vehicle and device locators, presence detection and body scanners.
