The keynote this morning at the International Association of Privacy Professionals (IAPP) Global Privacy Summit here in Washington, DC was given by Cass Sunstein, Felix Frankfurter Professor of Law at Harvard Law School. While he talked about many different issues, the one that stood out to me most was the topic of choice and default rules. Mr. Sunstein discussed the default rule, which is a central tenet for privacy professionals. One of the illustrative examples that he gave was a look at the difference in the number of people who are organ donors in Germany versus Austria. The numbers he cited were remarkable – Germany 12% and Austria 99.9%. This comparison is amazing, and it should not be surprising that, with regard to being an organ donor, in Germany the default rule requires you to opt in, while in Austria the default rule requires you to opt out.
As privacy professionals, we understand that choice and consent are very important and, of course, fundamental. But it is also clear from Mr. Sunstein’s organ donor example that it is necessary to ensure you are educating users about the choices and consent options related to your products or services. A closer look shows how the two differ:
· Opt-in shows clearly that the individual understands, we hope, that there is a question regarding their participation in data sharing and/or activities and they affirm that they are OK with it.
· Opt-out changes the default rule: if the individual does nothing, the data sharing and/or activities in question are carried out without any action on their part.
One can clearly see the powerful impact of simple defaults on individuals, and when an organization chooses opt-in or opt-out it clearly changes outcomes on data sharing and other activities. This could be a simple question of whether or not the individual wants to share their Personal Information with third parties to help an organization provide better services.
Not all organizations are the same – some have tighter control over collecting data than others. Regardless, all organizations need some controls over the collection, use/retention, and, if and when needed, disclosure of data. To accomplish this, organizations can implement automated monitoring on all data collecting systems to ensure that the opt-out or opt-in requirements are met, including whether or not check boxes are pre-checked and whether or not this violates the organization’s policy.
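One way to automate the pre-checked check box test described above, as an added example that is not from the original post or any AvePoint product: a small Python scanner that parses a form and reports consent-related check boxes that arrive already checked. The keyword list standing in for the organization's policy and the sample form are constructed assumptions.

```python
from html.parser import HTMLParser

# Assumed policy: check boxes whose name/id contains one of these terms
# are consent questions and must be opt-in, i.e. never pre-checked.
CONSENT_TERMS = ("consent", "share", "marketing", "third_party", "newsletter")


class ConsentCheckboxScanner(HTMLParser):
    """Collects consent-related check boxes that are pre-checked in the markup."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("type", "").lower() != "checkbox":
            return
        ident = (a.get("name", "") + " " + a.get("id", "")).lower()
        is_consent = any(term in ident for term in CONSENT_TERMS)
        # 'checked' is a boolean attribute: its presence alone pre-checks the box.
        if is_consent and "checked" in a:
            line, _ = self.getpos()
            self.findings.append({"line": line, "name": a.get("name") or a.get("id")})


def find_prechecked_consent(html):
    """Return one finding per pre-checked consent box, in document order."""
    scanner = ConsentCheckboxScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample form (not taken from any real site).
SAMPLE_FORM = """<form action="/signup" method="post">
  <input type="text" name="email">
  <input type="checkbox" name="share_third_party" checked> Share my data with partners
  <input type="CHECKBOX" name="marketing_optin" checked="checked"> Send me offers
  <input type="checkbox" name="newsletter"> Newsletter
  <input type="checkbox" name="remember_me" checked> Remember me
</form>"""

if __name__ == "__main__":
    for f in find_prechecked_consent(SAMPLE_FORM):
        print(f"line {f['line']}: consent box '{f['name']}' is pre-checked")
```

The scan only sees static markup; boxes that are checked by script after the page loads need a rendered-page check instead.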
After the keynote, I had the privilege of attending a joint presentation from AvePoint and Bank of America on Navigating Data Breaches. This was a very interesting, interactive presentation and the attendees added greatly to the session by including their own real-world examples. Again it struck me that we were listening to how organizations deal with fundamental concerns as related to Privacy in the field today. One of the core tenets of data protection and information security is to put in place controls that prevent failures and monitor for compliance as a way to manage risk. As I listened to people interact with the presenters, it hit me that no team could manage this compliance monitoring without integrating solutions that were proactive yet flexible enough to be reactive when necessary.
At the conclusion of the presentation, I went down to the exhibition hall and did something that I enjoy most – walking the show floor. When you walk the floor at a conference you do several things: you listen to people, look at vendors, and get SWAG. The SWAG was great at the show today and the conversations were extremely interesting. I spent a few minutes having a discussion with a representative from the Office of the Privacy Commissioner of Canada, and received a great guide book on the Personal Information Protection and Electronic Documents Act (PIPEDA), a privacy guideline that we support at AvePoint. I even had an opportunity to talk to others in the field, and my conversations made it clear to me that the majority of the people in this field care greatly about what we are doing – because at the end of the day an individual’s privacy has a direct relation to their level of freedom. Privacy Protection does have real social and economic impact on the world, and to work in this field is both an honor and responsibility that my coworkers and I take very seriously. As a software company, we work hard to define real problems and needs of our customers in order to then apply software processes and controls to both directly and positively impact their privacy programs. This use of technology to apply a large pool of human knowledge clearly makes a difference, and it is something that we certainly do not take lightly at AvePoint.
I ended my walk at the AvePoint booth – booth 6 – where both prospects and customers were discussing our products and services. This is perhaps the most important part of walking the floor: I had the opportunity of seeing these prospects and customers interact with our team as they took a deep dive into our multitude of offerings for Data Loss Prevention and Privacy Monitoring and Management. I ardently believe that listening to these conversations is the most important asset of a product designer. I was happy that I could hear about how people had privacy challenges, and that AvePoint Compliance Solutions could help them handle the challenges.
I will take back all of this information to the different design teams, and we will incorporate feedback and knowledge gained at this conference to help us continue to meet both the current and future needs of our customers. It is truly important to support conferences like the IAPP Global Privacy Summit and even more important to listen and learn from all of these experts. I look forward to the rest of the conference, and the first day (or should I say half day) has shown my attendance at this show to be essential for me to take the pulse of this dedicated group of privacy professionals!