It is pretty obvious that the privacy profession is changing fast.
Once the realm of an elite of nerdy specialists, the profession is opening up to include a whole range of professionals with a variety of talents, training and skill sets. And whilst the complexity of the challenges faced by those with responsibility for managing information, protecting data and safeguarding individual privacy remains as high as in the early days, the implications of addressing those challenges correctly are becoming exponentially greater. If we succeed, we will not only have contributed to the prosperity of future generations, but we will have also done our bit to preserve everyone's freedom.
Going forward, our success as guardians and developers of the information society will depend on our ability to understand and effectively deal with the never-ending evolution of technology, the strategic and commercial value of personal data and the global nature of all data-reliant activities. With that in mind, here are some of the issues that we are going to have to master in order to fulfil our duties as privacy pros:
- Transparency 2.0 - Traditional and unimaginative transparency mechanisms have their days numbered. Long and legalistic privacy notices, in particular, are unlikely to serve their purpose going forward. Whilst from a pure legal perspective, there is some merit in making sure that all possible information is available, there is a trend supported by at least some regulators to simplify the content of the notices as much as possible. Our responsibility in this regard will be to understand and communicate sophisticated uses of personal information in a way that is also understood by others no matter the interface or situation in which the information is collected.
- Anonymisation - Yet to be exploited fully, the idea of performing some magic to personal information so that such information is no longer personal data may not be the perfect solution, but it is an extremely valuable way of safeguarding our privacy whilst still making the most of the data. Don't panic! Privacy professionals need not become algorithmic maestros, but we must at least have some faith in the ability of anonymisation techniques to help us make the use of personal information less intrusive.
- Privacy (thinking) by design - Let's face it, having a legal obligation that limits the amount of personal information to be collected, used or retained to the absolute minimum is never going to work because it is at odds with today's and tomorrow's information economy. However, being prepared to consider the possible harmful effects that any data activities may cause at the outset and doing something to avoid them should be at the top of the list of all privacy professionals.
- Security by default - Data security does not mean data choking, but applying the appropriate security measures to protect data should be non-negotiable. Furthermore, whatever the correct security measures are, they should always be deployed from within the technological applications and as those applications are developed—not as an afterthought. More than ever, privacy pros and security pros must join forces to deliver protection at the earliest possible stages of every process.
- Relying on safe global vendors - Can a customer of any data processing service realistically have full and exclusive control over the data being processed? If the answer is no, and it will be invariably no, how can this be reconciled with the duties placed by the law on that customer? Responsible vendors have no choice but taking it upon themselves to adopt the right practices. So privacy professionals should be looking out for those vendors that are prepared to guarantee that wherever in the world the processing takes place—even in the cloud—the data will be protected under universally applied and internationally recognised standards.
- Giving something back - As individuals' control over their own data declines and is replaced by the principle of benefiting from the value of that data, it will be the privacy professionals' responsibility to assess and identify what may qualify as appropriate benefits compared to the value derived from the exploitation of such data. From access to our own data to transparent profiling, the future role of the privacy professional is likely to involve turning the output into valuable benefits for those individuals who generate the information in the first place.
- Privacy impact assessments - From a privacy professional's perspective, one of the greatest advantages of PIAs is that they are the most effective tool to safeguard people's privacy without closing the doors to innovation and progress. We must master the art of doing PIAs—from the very simple to the hugely elaborate—in ways that are seen as delivering benefits for both individuals and organisations.
- Team privacy - Ultimately, getting privacy right within an organisation is a team effort. Many of those with responsibility for protecting data and safeguarding people's privacy will not even have the word “privacy” in their titles, but working as a team of professionals who are united in their quest for pragmatism and effectiveness, and who can keep an eye on how things are done within their respective sphere of influence, will be the only way of realising our goal.
Much work remains to be done, but with a bit of creativity, some effort and, above all, confidence in our ability to succeed, our jobs will be as fulfilling as the future can promise.