Signs of this malpractise can be found in how your organisation;
- gains access to data and identifying the data's owners
- enables the owner to control of current and future use of their data
- uses the data in respect of those express wishes
The result of not appropriately managing the control owners have over their data can have a profound impact on your clients and partners e-trust in you and their future behaviours. These malpractices have been erroneously labelled the Privacy Problem, by regulators and politicians. Worse some EU politicians have gone down the path of legislating the "Right to be forgotten" In truth the problem is far simpler, it is a control problem, one that sociologists label as our natural desire and capacity for "agency".
How does your organisation stack up in the race to attain and maintain e-Trust in an increasingly Outside-In world?
Some Diagnostic Questions
Does your Company sell or acquire lists containing external data to or from outside organisations?
Warning most such lists will contain toxic data, are you clear on how you can filter out such toxic data?
Eg A customer whose data was on such a list despite their express intent for it not to be used or re-used.
Personal example, I passed my contact details to a Jamie Oliver website having unchecked/checked all the do not share boxes. I gave an email address that uniquely identified the Jamie Oliver website. In less than a month the email address was being spammed. I no longer trust Jamie Oliver or his companies and no longer visit his restaurants.
Do you give your data owners direct control over their own data, and how you may use it?
Warning this is not a trivial activity. Do not answer this question lightly. Sadly the Digital Fabric is not yet in place to give a clear affirmative to this question. But that's another topic!
Do you gather the express wishes of data owners?
When you acquire others data do you only use it having established and stored the express wishes of the owner, as to how it may be used, now and in the future?
Do you give the owner a simple means of changing these wishes? That is, can the owners view and change your entitlement to use their data? And I don't just mean their email address!
Do you give data owners the ability to classify their data?
By establishing from the data owner the regard in which they hold their data, you can decide more effectively how you wish to protect it and even if you want to store it.
Are you transparent with all your sharing controls/settings?
Warning: Hiding such controls deep in a system, or obfuscating them in anyway, can reduce e-Trust.
Apple's latest iOS has a setting found at the end of this chain:
Settings/Privacy/Location Services(scroll to the bottom)/System Services/Frequent Locations
Not only is it placed deep within the iOS control panel, but when the facility was first enabled the user was not directly asked whether it should operate, and it is by default set to "Collect and store times and locations visited".
Do you comply with the express wishes you have collected?
eg LG Smart TV had a setting that ostensibly disabled the collection of personal information. The collection took place whether or not the box was checked.
Are you using the Identity of your Customers, or do you require them to use your identity for them?
Having a very effective Identity, Entitlement and Access Management system is key. NB This is not the traditional Access Control List or Active Directory approach. An Outside-In IdEA system needs to be architected as such. Would you trust a person who choses to give you a new name and refuses to use your own?
When contacting a Customer do you demand from them information that assures their identity or do you first give them information that assures yours?
Do you have a means of identifying and authenticating yourself to your partners & customers and then vice-versa?
Personal Example: I was phoned by an Insurance company, they demanded that I give them personal details to authenticate myself, and gave me no way of authenticating them. The banks also currently operate this practise, especially after they have discovered a fraudulent transaction. Potential Solution : Your Google Authenticator should currently be showing this pin for us...
Who in your Organisation owns ensuring that your customers are, and remain in control of their own data?
The answer to this question can give you a clue to your organisation digital agency maturity.
5* Office of Co-Creation
4* Office of Information Asset Management, Chief Data Officer
3* CISO or Compliance Manager
2* Privacy Officer **
1* Someone in IT
0* The Marketing Department
**(Position of this role depends upon the mindset of the encumbent, too often they see their role as protecting their organisation from litigation, instigating practices such as the wholesale deletion of evidence of malpractice which they laughingly name the Retention Policy. Those Privacy officers who see their role as protecting the Privacy of the their Customers and even better giving their Customers control over their data could achieve 3* or 4*. Sadly too many fall into the lower position)
Your organisations e-Trust is founded upon your capacity to deliver agency to your customers.
On the journey to Outside-In, your ability to deliver digital agency will be a key organisational capability, it needs developing, but be warned it is not a muscle that most enterprises are used to using, for it involves giving control to Customers, not wresting it from them.
However, by far the more important question is; How you can build on your capacity to give digital agency to your customers, by adding value to you and your customers? The answers to that question lie in the Clockwise Security topic, a discussion of how security can be used to create value, not just avoid risk, and in this direction lies Co-Creation.