I am a a big believer in privacy, and regularly blog about privacy-related issues, so I am a bit surprised James has called me out again on the issue.
So let me push back.
I care about privacy as a citizen.
I care about privacy as a father.
I care about privacy as a business owner.
I care about privacy as a customer.
But the question is – should UK enterprises care enough about privacy that they don’t use production data for test purposes? The answer has to be no, from a cost/benefit perspective.
There is no reason to worry about said legislation in the UK, because it is not enforced. There is no data protection enforcement in the UK, and so no point in complying.
The UK Information Commisioner has powers to:
* conduct assessments to check organisations are complying with the Act;
* serve information notices requiring organisations to provide the Information Commissioner’s Office with specified information within a certain time period;
* serve enforcement notices and ‘stop now’ orders where there has been a breach of the Act, requiring organisations to take (or refrain from taking) specified steps in order to ensure they comply with the law;
* prosecute those who commit criminal offences under the Act;
* conduct audits to assess whether organisations processing of personal data follows good practice; and
* report to Parliament on data protection issues of concern
We have an Information Commisioner who is good at making headlines once a year, but evidently does little other than talk the rest of the time. FUD won’t cut it though Mr Thomas, if you really want to make a difference.
Perhaps I am being unfair- the Commissioner is now asking for new legislation which would mean jail time for those that illegally sell private information. But what is the point of asking for new powers when you don’t use existing powers?
The government largely ignores information privacy, and considers it an impediment to social progress, so why should private companies respect it?
The obvious answer is the danger of reputational damage. I think this issue can also be safely ignored. Consumers evidently don’t really care that the businesses they do business with treat their information in such a cavalier fashion. Look to the US, where any number of firms have divulged hundreds of thousands of customer records including social security numbers. Not one of them has suffered significant long term damage to share prices or revenues. Turn this on its head- name me a business (other than Amazon) that has gained significant business advantage from a reputation for caring about its customer data.
Arguably HP is suffering reputational damage for tapping peoples’ phones but I would be surprised if sales are affected.
Of course there may be other regulations to consider – where customer privacy is a real live issue. James, for example, is concerned with HIPAA. But the UK Data Protection Act can be safely ignored for now. It pains me to say it, but I can’t in good faith find a reason to advise a UK enterprise to invest significantly in this area, unless they do a lot of business in California or Italy.
Another question: how on earth is anyone going to know that companies are using production data for testing? Its not as if we have a significant whistle blower culture here, and there is no regular audit to worry about as there is with SOX.
Businesses don’t exist to be nice. I am no Milton Friedman but I have to acknowledge that there just isn’t enough of a business justification.
It is surely not the job of an industry analyst to protect consumers, is it? Aren’t others supposed to do that? So while I will always advise companies to establish good data governance principles, which enable them to be more effective and compliant with any regulation that happens to come along, while protecting the rights of customers and employees, doing so is at least partly just a personal bias, a notion of doing the right thing. It would not be anything to do with UK data protection legislation though
There is no jailtime associated with the UK Data Protection Act.
Indeed, US executives in this area should be aware that far from being ahead of American privacy law, Europe lags some way behind. We have little or no enforcement (although Germany, Italy and the Czech Republic have somewhat tighter regimes than most), and no California style laws around notification of information leakage. Until circumstances change, I can’t see a solid reason why shareholders would be happy to see their companies invest heavily in privacy.
Egg, the UK online bank, used to advertise about BS7799 compliance. It quietly withdrew the ad because it didn’t resonate. Evidently consumers don’t care much about privacy. Until they do industry analysts and the businesses we serve may be wasting time focusing on this area.
I don’t want people to think I am crazy.
As Struan Robertson, a technology lawyer at Pinsent Masons said recently:
“The problem here in the UK is that a breach of these Regulations is little deterrent: all that is likely is that the Information Commissioner will tell the adware supplier not to misbehave in future – and if it does, its worst-case-scenario is a pathetic £5,000 fine.”
It may be worse than that. The last fine, according to a Commission press release was in July 2006. For £300… oh yeah, terrifying… I think most enterprise businesses will safely ignore the threat of a £5k fine. Now jail time for data leakage – that might concentrate the mind. Its why, unlike Vinnie, I think SOX has played a role in better governance. ROI as risk of incarceration.
So while I fully understand why James is focusing on the granular data privacy problem, that is his employers’ call to make. I will continue to talk to the issue, because I think its important, but not because I am an industry analyst, even though I do spend time on Governance, Risk and Compliance.