Should businesses put a price on privacy?

How much is your customers' privacy worth?
Experts react to the Information Commissioner's proposal that businesses place a financial value on their customers' privacy
In January 2010, 25-year-old Facebook founder Mark Zuckerberg remarked that in today’s society, privacy does not hold the same value it once did. “People have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people,” he said. “That social norm is just something that has evolved over time.”
Zuckerberg’s comments were controversial, and seen by some as a justification for Facebook’s decision to loosen the privacy controls on its users’ profiles.
It might have been more accurate for him to say that society’s conception of privacy – what it means and what it is worth – is in flux, pulled in opposing directions by numerous technological and cultural forces.
At the beginning of March, the UK’s privacy and data protection watchdog, the Information Commissioner’s Office, launched a bid to encourage businesses to develop a concrete conception of the value of privacy. In a 90-page report entitled ‘The Privacy Dividend’, the ICO made the case for placing a numerical financial value on the protection of personal data.
Not only will this help businesses to understand the true value of the assets they have in their possession, the report argues, it will also help them to develop a business case for any investment required to improve their privacy protection mechanisms.
“There are four perspectives from which personal information draws its privacy value,” the report reads. “These are its value as an asset used within the organisation’s operations; its value to the individual to whom it relates; its value to other parties who might want to use the information, whether for legitimate or improper purposes; and its societal value as interpreted by regulators and other groups.”
Based on this analysis, the report estimates that the average value of a personal record held by a business amounts to “between £450 and £1,050”.
Certainly, by converting the value of privacy into a price, the ICO is talking in terms that business understands. What is less certain is that businesses will accept its system of valuation.
Nevertheless, the report was welcomed by privacy advisers as a step in the right direction, towards a corporate approach that recognises privacy as a tangible asset, rather than just a compliance burden. Perhaps Facebook’s Zuckerberg has misread the social norms.
Peter Gooch, senior manager at accountancy firm Deloitte’s security, privacy and resilience practice, says that corporations are increasingly mindful of their customers’ privacy
Building a strong business case for a proactive approach to privacy has never been easier. The toughened regulatory environment, significant reputational impact of a breach and competitive advantage of good privacy practices are among the basic drivers. Reaching a position where you can quickly and efficiently identify and mitigate potential issues before they materialise is the ultimate goal.
Such a proactive approach is finally being recognised by many organisations as a necessary undertaking, and the issue has reached board level. A reactive response to a breach is no longer the primary rationale.
Toby Stevens, managing director of the Enterprise Privacy Group, welcomes a move away from purely compliance-driven privacy protection
‘The Privacy Dividend’ is a welcome early step towards achieving the vision of ‘Privacy by Design’ – an environment in which organisations respect privacy and go beyond the requirements of the Data Protection Act when they handle personal information.
We need to break away from the compliance-driven approach to data protection, and by properly understanding the value of personal data – and the costs of failing to govern it effectively – organisations will have an incentive to invest in privacy management rather than doing the bare minimum to comply with legislation and regulations.

I am one of the two authors of the ICO's 'Privacy Dividend' report. I agree up to a point with Mark Zuckerberg that in today’s society, privacy does not hold the same value it once did. Privacy used to be about limiting who had access to one's personal information. In these days where personal information is increasingly the fuel that drives the digital society, it is less about who has access to one's information and more about what they do with that information. People might be less concerned about who holds information about them but they remain very concerned about what is done with their information. This explains why people can be willing to share their personal information amongst a wide group of their friends but rightly get upset when non-friends such as reviewers of university applications use that information for unexpected purposes. It is not that people care less about privacy, it is that the meaning of privacy has changed. Its value has changed, but its value has not lessened. Social networking sites need to ensure that they have privacy practices that ensure their users' information is shared only with friends and is not available to bottom-feeders scouring for whatever scraps they can find.
JL