
Privacy in Global Markets – Most Stringent Common Denominator

Submitted by Steve Meltzer on September 16, 2009 – 10:29 am

Most Stringent Common Denominator

Doing business in the global marketplace will increasingly force businesses to provide privacy protections geared toward the most stringent requirements covering those operations.  Recently, the Canadian courts cleared the way for the Canadian Privacy Commissioner to investigate potential violations by US companies involving Canadian nationals’ personal data. (See Privacy law emerges as the latest Canadian export).  The investigations, involving Abika.com and Facebook, illustrate not only that US companies must yield to Canadian authorities, but more importantly, that global companies need to provide privacy protections compliant with the most stringent requirements in all of the markets they may pursue.

Risks are Multi-Dimensional

The risks, or denominators, are multi-dimensional, and the resulting risk matrices need to account for every dimension simultaneously.  Multiple disciplines need to be considered along with multiple jurisdictions, and the approach needs to account for data flowing into and out of the organization in multiple structural directions.

Risks are Multi-Jurisdictional

The most basic inquiry to consider in determining the risk denominator is geographical.  The problem, however, can be a bit more complex.  The assessment is complicated by the necessity to examine the procedural jurisdiction as well as the personal jurisdiction.  That is, where are you processing the data and, as a result, without regard to the personal jurisdictional inquiry, are you subjecting that data to local privacy expectations?  The personal jurisdictional questions relate to the subject of the data itself.  As in the Canadian example, Canada has exerted regulatory oversight as a result of Facebook’s and Abika’s control over personal information of Canadian citizens.  Similarly, the new Massachusetts privacy regulations assert jurisdiction over any person who owns, uses or controls personal information of a Massachusetts resident, no matter where the organization is located.

Risks are Multi-Disciplinary

Regulatory schemes are only part of the picture.  In fact, the bigger risks associated with data flow are business-related risks.  Negative publicity from a data breach, or even a perceived data vulnerability, can destroy a brand.  Moreover, data vulnerabilities can deter and prevent business-to-business development opportunities.  The triumvirate includes regulations, business risks, and private rights of legal action.

This triumvirate, of course, needs to be placed on top of the multi-jurisdictional process and subject matter risk assessment.

Risks are Multi-Directional

Risks to data come from many directions.  I have advocated consistently that the biggest threat to data comes from ourselves and, from an organizational standpoint, that means from our employees.  This can range from intentional acts, such as an attack by a disgruntled worker or recently let-go employee, to unintentional consequences of sloppy attention to privacy protocols.

We need, therefore, to assess risks related to internal processes, policy development and implementation, corporate and regional societal custom, and common industry usage and expectations.  The risks associated with all of these are the most insidious, as they are the most influenced by human error, emotion and inattention.

Risk Response Infrastructure is Industry and Genesis Dependent

The corporate assessment regime and response to the data privacy challenges seem to follow different patterns depending on the industry and on the genesis of the organizational scheme devised to respond. The finance industry responds generally through DPOs staffed and run by former operations compliance experts.  Technology-based organizations approach the compliance regime through the development of strong technological safeguards.  Others place the responsibility in the legal compliance realm.

Each of these may suffer from a preference or skew toward an assessment and response that emphasizes, or over-emphasizes, one risk dimension over another.

I think it is crucially important to maintain an inter-dimensional approach that lets the risk assessment determine the risk denominator.  It is a more complex approach but, unfortunately, it is the only approach that can properly protect an organization in an ever-evolving risk atmosphere.
