Ensuring Business Innovation While Protecting Data Privacy: A Balancing Act
by Amy Brown
Originally published on TriplePundit
With connected devices expected to top 11 billion in 2018, innovative technologies such as the Internet of Things (IoT), big data and artificial intelligence (AI) are increasingly driving business innovation.
An overwhelming 97.2 percent of executives in the annual executive survey published by NewVantage Partners report that their companies are investing in building or launching big data and AI initiatives, including American Express, Capital One, Ford Motors, Goldman Sachs, MetLife, Morgan Stanley, and Verizon.
The boost to the economy is predicted to be huge: McKinsey estimates that linking the physical and digital worlds could generate up to $11.1 trillion a year in economic value by 2025.
But how are companies managing the balance between digital innovation and protecting the privacy of data? Digital technologies enhance convenience, efficiency and economic growth. At the same time, they require complex networking environments and use detailed data about individuals that can make protecting their privacy harder.
Developing a U.S. privacy framework
Unlike Europe, where the European Union’s General Data Protection Regulation (GDPR) became enforceable earlier this year, the U.S. federal government has yet to pass a GDPR-like mechanism.
In the absence of such legislation, the Information Accountability Foundation (IAF) in August released the first draft of a U.S. data privacy framework containing 12 principles that outline individual privacy rights and corporate accountability.
The initiative informs the ongoing collaborative project announced by the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) in October to develop a voluntary privacy framework to help organizations manage risk.
In announcing the framework, the nonprofit declared, “Consent is important but not enough.”
The framework recognizes the great potential of data to innovate in sectors ranging from medicine, safety and education, to transportation and product development, while underscoring the responsibility of companies to leverage data responsibly.
“This recognition requires organizations to be transparent about values, to use their values when driving innovation, and to make sure that people are the end and not the means,” the IAF states.
Calling for ethics and transparency
According to Martin Abrams, executive director of the IAF, the principles recognize that “thinking and learning with data is basic to mankind’s progress and that these learnings must be understood and applied in an ethical manner.”
“We’re focused on how you can use information to beneficial effect and do so in a fashion that is protective in world that is increasingly using technologies like artificial intelligence, things that rub hard against data privacy and privacy law,” Abrams told TriplePundit. “We look at how we can think outside box to use data in an innovative fashion.”
Long history of innovating with data
“Thinking and learning with data has been the single most important differentiator that has made American business the world’s data innovators,” Abrams says.
There is a distinction between the two, he explains. “If there is a history of cancer in your family that is detectable from your gene pattern, the research that enables that insight is thinking with data. The decision that doctors make using that gene pattern is acting with data.”
Abrams points out that in every other major privacy regime, every activity touched by data is a form of data processing that requires permission from either individuals or the law. “In the U.S., thinking with data is protected by data security rules but, in most instances, not by privacy rules,” he says.
Data-driven innovation has been the spark that has driven the American consumer economy since the 1970’s, he argues. “This innovation is well worth preserving as we explore new privacy frameworks for the U.S.”
Corporate responsibility for data privacy
The IAF framework’s 12 principles are divided into two parts: Four for individual rights and eight for accountability. It is intended to meet several aims: Preserve America’s innovation engine; be interoperable with other new and emerging privacy regimes; protect individuals’ interests in privacy; and protect all the benefits of the 21st century information age.
The eight accountability principles form the stewardship role of those who must be accountable for the use of data, including companies. That includes ensuring data collection, use and disclosure complies with law; that data is secure; and that is used within an appropriate context and for legitimate uses.
Some companies, Abrams says, are already using these principles around data accountability. That will ease their ability to meet the GDPR requirement of data privacy impact assessments. A survey by HyTrust, Inc., a workload security solutions firm, however, found that only 21 percent of organizations it surveyed were concerned about GDPR or had a plan in place.
The guidance offered by the IAF is a start to try to resolve these issues, Abrams says.
“Back in the 1990s when the Internet became a consumer medium, we made a decision that observing individuals’ behavior online to understand how they behave online was part of the public commons, and that had huge implications for the expansion of observable data,” Abrams says. “It’s a concept we still struggle with. All the decisions we make are still based on the concept that the Internet is like the public commons and extends to putting tracking programs on our devices.
“The question is, as the privacy debate heats up, are we going to conclude that all this observational data is in the public commons or in the private space?” Abrams reflects. “That is a really hard issue to resolve. Yes, the data opens up innovation but it reduces our ability to have privacy and to think and act in a way that is protected. You can say our organization was formed to deal with this conundrum.”
Lawmakers want to protect innovation and consumers
Some members of the U.S. Congress are ready to tackle the thorny issue of data privacy. As U.S. Senator John Thune, chairman of the Senate Commerce Committee, wrote in The Hill:
“The time has come for Congress to work on putting consumer data privacy protections into law. For years, the wizards of the tech world have amazed all of us and helped fuel our economy with innovative products and services. No one wants that to end.
“At the same time, mounting controversies have undermined public trust in the ability and willingness of leading technology companies to regulate themselves and enforce real privacy safeguards for the collection and use of our digital data. The question is no longer whether we need a national law to protect consumers’ privacy. The question is what shape that law should take.”
Thune argues that a successful consumer data privacy law will “help consumers and reward organizations with little to hide, promote innovation, and force shady practitioners to clean up their act or fold up shop.”