In January 2010, 25-year-old Facebook founder Mark Zuckerberg remarked that in today’s society, privacy does not hold the same value it once did. “People have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people,” he said. “That social norm is just something that has evolved over time.” Zuckerberg’s comments were controversial, and seen by some as a justification for Facebook’s decision to loosen the privacy controls on its users’ profiles. It might have been more accurate for him to say that society’s conception of privacy – what it means and what it is worth – is in flux, pulled in opposing directions by numerous technological and cultural forces.
At the beginning of March, the UK’s privacy and data protection watchdog, the Information Commissioner’s Office, launched a bid to encourage businesses to develop a concrete conception of the value of privacy. In a 90-page report entitled ‘The Privacy Dividend’, the ICO made the case for placing a numerical financial value on the protection of personal data.
Not only will this help businesses to understand the true value of the assets they have in their possession, the report argues, it will also help them to develop a business case for any investment required to improve their privacy protection mechanisms. “There are four perspectives from which personal information draws its privacy value,” the report reads. “These are its value as an asset used within the organisation’s operations; its value to the individual to whom it relates; its value to other parties who might want to use the information, whether for legitimate or improper purposes; and its societal value as interpreted by regulators and other groups.” Based on this analysis, the report estimates that the average value of a personal record held by a business amounts to “between £450 and £1,050”. Certainly, by converting the value of privacy into a price, the ICO is talking in terms that business understands. What is less certain is that businesses will accept its system of valuation. Nevertheless, the report was welcomed by privacy advisers as a step in the right direction, towards a corporate approach that recognises privacy as a tangible asset, rather than just a compliance burden. Perhaps Facebook’s Zuckerberg has misread the social norms.
Peter Gooch, senior manager at accountancy firm Deloitte’s security, privacy and resilience practice, says that corporations are increasingly mindful of their customers’ privacy:
Building a strong business case for a proactive approach to privacy has never been easier. The toughened regulatory environment, significant reputational impact of a breach and competitive advantage of good privacy practices are among the basic drivers. Reaching a position where you can quickly and efficiently identify and mitigate potential issues before they materialise is the ultimate goal. Such a proactive approach is finally being recognised by many organisations as a necessary undertaking, and the issue has reached board level. A reactive response to a breach is no longer the primary rationale.
Toby Stevens, managing director of the Enterprise Privacy Group, welcomes a move away from purely compliance-driven privacy protection:
‘The Privacy Dividend’ is a welcome early step towards achieving the vision of ‘Privacy by Design’ – an environment in which organisations respect privacy and go beyond the requirements of the Data Protection Act when they handle personal information. We need to break away from the compliance-driven approach to data protection, and by properly understanding the value of personal data – and the costs of failing to govern it effectively – organisations will have an incentive to invest in privacy management rather than doing the bare minimum to comply with legislation and regulations.