Building Trust Into COVID-19 Recovery: Privacy, Data Protection and Trust
The second installment of our “Building Trust Into COVID-19 Recovery” series took place on June 11, 2020. Michael Scherman (McCarthy Tétrault, Associate) sat down with Beth Dewitt (Deloitte, Canadian Leader, Data Protection and Privacy) to discuss current trends and best practices with respect to privacy and data protection. As a part of the discussion, Beth shared some valuable insights on how COVID‑19 has accelerated the adoption of stronger information security and privacy practices, as a means for organizations to build trust by making smart choices with respect to their information security and privacy practices. Below are our key takeaways from the presentation:
- How can companies build trust with customers in the digital environment? Moving from the physical to the digital environment requires that you rebuild trust with everyone in your organization’s ecosystem (suppliers, vendors, customers, etc.). This gives rise to a multitude of questions and issues for privacy professionals to address. To be able to make consistent decisions, an organization should develop privacy principles, or “rules of the road”, which inform its approach to privacy governance, including how the organization should use and protect personal information in view of the organization’s business strategy, customer base, and risk tolerance. When developing such rules, organizations should leverage existing standards, such as the Ontario Information and Privacy Commissioner’s “Privacy by Design: The 7 Foundational Principles” or the NIST Privacy Framework. These “rules of the road” will then provide the organization with guardrails to ensure that decisions involving the digital space are made in a manner that is respectful of individual privacy and consistent with the business’ objectives.
- COVID-19 implications on trust: The pandemic has accelerated the notion of living in an era of digital complexity. Long-term plans for digital transformation have been compressed from years to weeks. Almost overnight, the world transitioned to remote work, remote transactions and communications, remote supply chain management, and the digital delivery of core services (e.g. health and education). These transitions have resulted in an increase in privacy and information security risks. For example, personal information held by an organization is now likely being used in employees’ homes, where it could be exposed to individuals who are not authorized to access it, or accessed over an unsecured internet connection. The “points” susceptible to cyber-attack have also increased from one centralized location to an entire network of remote work locations. Cyber-attacks, phishing scams, ransomware and malware have all adapted to exploit these new opportunities for attack, and have added significant challenges for security and data protection teams. One key preventive measure that organizations can use to mitigate such risks is increased cybersecurity education. Remote workers need to be aware of these cybersecurity threats and how they may present themselves. Moreover, an organization’s policies with respect to the protection of personal information should be reinforced with remote workers, and adapted to the remote work environment to the extent possible.
- The importance of ethical data use: Organizations have access to more personal data than ever before, and there is a constant desire to turn that data into insight. However, what if personal data is used to develop insights that lead an organization to act in an unethical way? Organizations need to draw an ethical line around how they will use data and the insights derived from it. This comes back to the accountability principle: an organization should be accountable for the personal information it collects and uses, the insights it derives from that personal information, and the outcomes of those insights (including through the use thereof). As Canadian privacy laws are based on obtaining consent from the individual to whom personal information relates, an organization needs to be transparent about how personal information is used in order for that consent to be meaningful. An organization may be legally permitted to use information where it has obtained meaningful consent. However, a permitted use does not imply that there is no risk associated with such use. Some research shows that an organization’s privacy policies are not a priority factor when a customer is choosing whom to do business with. However, when customers learn that an organization has used data unethically (even with consent), trust erodes quite quickly and customers are more likely to “punish” the organization and take their business elsewhere. Accountability will be a driving factor for customer satisfaction as we continue to transition to a digital-based economy.
- Best practices to build trust: The following are some best practices that an organization can take to build greater public trust with respect to the use of personal information:
  - Organizations should determine what their most important data assets are, and implement ways to protect them.
  - Organizations should consult their “rules of the road” each time a new opportunity to use personal information is presented to them, and make sure that the use aligns with their rules.
  - Organizations should educate their employees about the implications of improper or unethical data use. By teaching employees the “why”, they will better understand how to implement proper privacy practices in their work environment.
  - Organizations should take the time to regularly revisit how transparent their personal data use is to customers, vendors, suppliers, etc. Their key stakeholders should ask themselves how they would feel if an organization used their own personal information for the same purpose, and what they would want to know about such use.