Companies, digital transformation and information privacy: the next steps

A report from The Economist Intelligence Unit

Sponsored by

© The Economist Intelligence Unit Limited 2016

Introduction

The Internet and sovereign privacy laws have been on a collision course for some time now, with growing tensions arising in all jurisdictions. The lack of trust burst into view in October 2015, with the European Court of Justice’s rejection of the Safe Harbour agreement, a set of guidelines that had previously been understood as providing sufficient security for European citizens’ private data to be held in or used by companies in the United States. The ruling about Safe Harbour’s inadequacy and questions about the proposed replacement agreement, Privacy Shield, which had been hammered out by EU and US negotiators, have created a legal limbo and have left companies that do business in the EU uncertain about how to proceed.

Online privacy is not just a subject of transatlantic debate. Concern about these issues is gathering steam around the world, including in Africa, the Middle East and Asia. What happens between Europe and the US, however, will shape the global data-sovereignty debate for years to come—both because of the prominence of the companies headquartered in both places and because the EU is the highest common denominator when it comes to privacy issues. The outcome of the current dispute may even prompt companies to rethink the idea—largely unquestioned in recent years—that holding on to data is an unqualified good.

To build greater understanding of the state of play in the development and navigation of privacy laws, the Economist Intelligence Unit (EIU) conducted in-depth interviews with legal, technical and regulatory subject-matter experts on all sides of the debate. This report explores the challenges that global businesses face when addressing the complex and fluctuating policy environment and offers a set of best practices that companies can follow to meet evolving privacy and security demands.

We would like to thank the following interviewees for their time and valuable contributions to our research:

Giovanni Buttarelli, European data protection supervisor
Martin Fanning, partner and data privacy expert, Dentons
David McCue, senior executive advisor, Xerox
Zoe Strickland, global chief privacy officer, JPMorgan Chase
Jeb Weisman, chief information officer, Children’s Health Fund
Eugene Weitz, general counsel, Americas, at SAI Global
Robin Wilton, director, Trust and Identity team, The Internet Society


Setting the scene

A consumer who reaches the step of agreeing to a new online privacy policy often has an instant of doubt. But most consumers just hold their breath and tap the button that says “Yes, accept” to terms and conditions—reasoning that their financial and personal information will be carefully guarded, particularly if they are dealing with a well-respected brand. They may also assume that what they don’t know (as a result of not having carefully read a privacy policy before agreeing to it) probably can’t hurt them.

Companies can’t make the same decision not to engage with the details of privacy. The issues are well-known: the ever-growing business benefits of understanding customers better and the huge financial and reputational risks of losing control of the data that allow companies to do so. But there are many more obscure, and no less important, risks as well. Customer records are stored in data centres, often operated by third parties, all around the world, with the centres themselves subject to a range of operational, security and legal risks. In addition, different customers are typically protected by different privacy laws depending on their nationality.

The EU, where consumer privacy is seen as a fundamental right, is moving towards a set of particularly stiff fines for companies that don’t protect customers’ private information, as part of a broad new set of regulations. Within a couple of years, companies not in compliance with European privacy laws will face fines of up to 4% of their global turnover. That’s a staggering amount, putting data privacy penalties on par with antitrust fines in Europe. And even in privacy cases where the penalties are more modest, or there’s no monetary penalty at all—whether because the questionable privacy practice took place in a less-regulated region or wasn’t found to be an actual violation of the law—companies could certainly face significant backlash in other ways. “It’s a PR issue,” said Eugene Weitz, general counsel, Americas, at SAI Global, an Australian company specialising in solutions and services that help manage risk and compliance. “It’s the kind of thing that affects companies up, down and sideways,” Mr Weitz added.

In the last few years, the ubiquity of cloud computing has complicated the challenge for all parties. A government might want to regulate or sanction a company that has suffered a breach or failed to protect its citizens’ private data. But if the company is located outside a country’s boundaries or if it isn’t clear in what country or region the compromised data are being stored or processed, or on whose servers, regulators can have difficulty taking any sort of corrective action or even determining which laws might apply. Companies themselves are often not much clearer about which jurisdiction’s laws they need to abide by.

“You are constantly weaving through a hotch-potch of different rules and regulations, and they get very, very technical,” said David McCue, an executive advisor to Xerox’s global chief information security officer. He likened it to “the old idea of an information highway”, the difference being that on this highway, the laws vary, sometimes confusingly, depending on whose jurisdiction one happens to be in.

GDPR on the horizon: Europe’s evolving regulations

Europe is developing a sweeping new set of rules, embodied in what it is calling the “General Data Protection Regulation” (GDPR), to define how consumer data need to be treated in the EU. In theory, the GDPR—which will cover personal data, including names, photos, e-mail addresses, medical information and posts on social media sites—will make it possible for multinational companies to apply a single privacy policy throughout Europe. But it’s not expected to take effect until 2018. That is a long time to wait for certainty, so many in Europe and the US are hoping for a ratification of Privacy Shield, the transatlantic deal that has been put forward as a near-term replacement for Safe Harbour. “We are all suffering because of the limbo,” Giovanni Buttarelli, the European data protection supervisor, said in an interview in his Brussels office. Mr Buttarelli and others acknowledged that the uncertainty is a particularly big challenge for smaller companies that don’t have a lot of resources to devote to compliance. “We cannot leave thousands of small and medium enterprises in this position for another two or three years,” he said.

According to privacy law experts, companies doing business in the European Economic Area have a few options to remain in compliance. First, they can tell a European consumer how they plan to use and store that consumer’s data in a simplified privacy policy and ask for the user’s consent. Second, they can use “model contracts”, which are European Commission-mandated contractual terms for dealing with European consumers’ data. A third option is to go through a much more elaborate process of developing “Binding Corporate Rules” (BCRs) of their own. BCRs apply to all the processes and policies companies use in all of their operations and must be approved by European regulators. But they have the advantage of being custom-fit to companies’ own processes—not the case with model contracts.

“You have to invest a huge amount of time into BCRs,” said Martin Fanning, a partner and data privacy expert at Dentons, a London-based law firm. “BCRs can take several months to complete but, because they are based on a business’s own governance and policies and involve dialogue with European data regulators, they are regarded by many as the platinum standard for international data transfers within a multinational group.” Mr Fanning added that BCRs “live and breathe with a business as it grows and changes”, a quality that he said makes them more robust than other legal options for international transfers. By contrast, he said, consent can be revoked by an individual, and the EU Commission-approved model contracts can be rigid and in need of regular updating.

The complicated role of technology

The cloud is perhaps the best known, but it is not the only technology that is complicating matters alongside offering business benefits. Since technology has vastly increased the availability of free-flowing personal data, with all the accompanying benefits and problems, it might seem reasonable to ask that technology also provide the necessary solutions. The reality is more challenging. To be sure, an encryption-reinforced file server or database (and the use of other technologies, like tokens and containers) can prevent consumers’ private information from being accessed in the first place or from being compromised if a breach occurs. That can forestall embarrassment and economic losses associated with cases of large-scale credit card theft. However, in the legal environment of the future, security systems that protect data won’t necessarily ensure compliance even if they prevent break-ins.

Increasingly, privacy laws can be interpreted as requiring companies to exercise greater control over data and, in some instances, to follow rules that spell out where data must be located. Companies are having to make multiple decisions and position themselves to be in compliance with laws in many jurisdictions. Doing this successfully will take judgment and global awareness—not attributes that can necessarily be captured by a straightforward technology or software system.

Robin Wilton, technical outreach director for identity and privacy at the Internet Society, an organisation focused on fostering the Internet’s growth and preserving its technical standards, observed that people don’t always recognise the futility of trying to address privacy issues through technology alone. He said the Internet Society sometimes gets calls from people who want it to sponsor the development of a “privacy plug-in”—an idea he considers fanciful—not realising that effective privacy protection is an ecosystem and human-relationship issue before it is a software issue. “It’s that ‘Where’s the instant fix?’ mentality that tends to lead us down the wrong road,” Mr Wilton said.

The deeper people’s backgrounds in technology, the more they tend to understand that a purely digital solution isn’t feasible. As Jeb Weisman, the chief information officer at Children’s Health Fund, a New York nonprofit handling sensitive medical data, put it: “The technology can’t decide what’s private.” Instead, he said, the systems that can help companies with privacy are systems that support governance. “What I see is a set of human expectations that need to be met. And in the case of my organisation or any organisation, they need to be codified. Once they’re codified, then we can use software tools and secondarily security tools. The security tools stop breaches. But the privacy tools help us understand what’s private and manage it.”

To be sure, privacy and security are intertwined—companies can’t safeguard one without investing in the other. Xerox’s Mr McCue underscores this with a warning about how common security breaches are nowadays. “If you went and spoke to any of the national law enforcement agencies, whether in the US or in Europe, they will tell you that, as a whole, companies underestimate how much of their data has been lifted, stolen or compromised,” Mr McCue said. “I have been in meetings where a particular company has said, ‘No, we’re good’, and the law enforcement representative has said, ‘Well, we have a database back at headquarters that shows two terabytes of your inside information that we’ve recovered from someplace on the dark Web. You’ve been hacked and didn’t know it.’”

Looking towards a North Star for regulation

In the future, companies will clearly have to understand the full range of restrictions that different localities have placed on how personal information is used, shared and stored. It’s possible that the EU’s efforts, including with the GDPR, will influence what countries in regions such as Asia and Africa include in their own privacy regulations. If that happens, GDPR may end up providing a sort of specific target that companies worldwide can aim for.

Even today, though, while regulations remain uncertain, a comprehensive and thoughtful online privacy policy can be a selling point in the digitally driven economy. Mr Buttarelli, the European regulator, said he was reminded of this when he made a trip to Silicon Valley last year. Some of the start-ups he visited, instead of treating privacy as an afterthought, were making it a core part of their appeal to customers. He put this in the category of “privacy by design”, an approach to systems engineering that is fast catching on. “I don’t see any dichotomy between privacy and innovation,” Mr Buttarelli added.

As companies seek their own innovative ways to build and maintain value from data despite the confusion of today’s privacy and security regulations, the research suggests that the following approaches will likely help them navigate:

• Know thyself from a privacy perspective. Businesses’ first move should be to do an audit, or mapping exercise, of their data. What data they have, how they are being used, where the data are being used and which third parties might be handling them are all areas a company must know cold. “It takes data mapping of an entire company to understand what the needs and requirements are,” said Mr Weitz, the general counsel, Americas, at SAI Global.

• Build a cross-functional privacy team. By definition, a company is going to have some competing interests on privacy. The general counsel is primarily going to be concerned about protecting the company from litigation, the chief information officer about preventing security breaches, the chief marketing officer about increasing sales. The privacy function of a company can only identify the right trade-offs if it includes some individuals who can parse regulations; other individuals who understand data and technology; and still others who possess a strong knowledge of the business.

• Get rid of unneeded data. In this era of the cloud, digital information and customer records have become so cheap to hold on to that many companies do so as a matter of course. This is partly a reflection of the fashion for “big data” and the sense, as CIO Dr Weisman puts it, “that the insight is just around the corner”. In fact, a lot of old customer records are “toxic data assets”, Dr Weisman said, quoting Bruce Schneier, the cryptographer and widely followed blogger. Many privacy experts advocate “data minimalisation”—having the discipline to keep only the data you need.

• Find the right partners. Almost every company these days has at least some customer data stored on third-party cloud databases. “You are dependent on these companies and the services they provide to include a level of protection for your data,” said Mr McCue, an executive advisor at Xerox. As a consequence, companies should “look for vendors with very strong capabilities in the protection of data stored with them”, he said. Finding such companies is likely to become easier in the future as part of the GDPR will require IT vendors that previously bore no direct responsibility for privacy to comply with data protection laws.

• Apply the “function before form” principle to your privacy initiatives. To date, the obligatory nature of how companies deal with privacy has been evident in the checklists of their policies. Consumers click impatiently through the policies because it’s clear from the way they are presented that they contain nothing of interest. This isn’t the way to do it. Long, complicated policy explanations aren’t integral to protecting consumers’ personal information. They don’t make anyone feel more comfortable. Something simpler and more functional may well work better.

No matter what happens with Privacy Shield and the GDPR, the global privacy story won’t be finished. There will be other twists, perhaps influenced by developments in regions outside the EU and US. For now, companies need flexibility in their approach and options that meet different requirements in different jurisdictions. They have to find ways to be in compliance despite the regulatory uncertainty. The costs of not doing so are simply too great.

Whilst every effort has been taken to verify the accuracy of this information, neither The Economist Intelligence Unit Ltd. nor the sponsor of this report can accept any responsibility or liability for reliance by any person on this report or any of the information, opinions or conclusions set out in the report.

Cover: Shutterstock

London
20 Cabot Square, London E14 4QW, United Kingdom
Tel: (44.20) 7576 8000
Fax: (44.20) 7576 8476
E-mail: [email protected]

New York
750 Third Avenue, 5th Floor, New York, NY 10017, United States
Tel: (1.212) 554 0600
Fax: (1.212) 586 0248
E-mail: [email protected]

Hong Kong
1301 Cityplaza Four, 12 Taikoo Wan Road, Taikoo Shing, Hong Kong
Tel: (852) 2585 3888
Fax: (852) 2802 7638
E-mail: [email protected]

Geneva
Boulevard des Tranchées 16, 1206 Geneva, Switzerland
Tel: (41) 22 566 2470
Fax: (41) 22 346 93 47
E-mail: [email protected]