In the recent web conference, Beyond Catch Phrases — Practical Guidance for Ethical Privacy, Goodwin and Procter’s Gerry Stegmaier, CIPP/US, compares the ideal combination of privacy ethics and internal business to a herd of zebra crossing the crocodile-infested waters of the Nile. “We don’t want to be the first zebra, you don’t want to be the last zebra, and we don’t want to be a small zebra,” he said. “In essence, when we think about compliance and ethics, we’re not trying to be perfect, we’re just trying to not be the one that gets eaten by the crocodile.”
Privacy professionals, he continues, know that their own environments are filled with predators that can consume corporations if they’re not careful. Regulators, other businesses, and even class-action lawyers can become carnivorous if companies don’t walk the ethical line. “We’re thinking about, if you don’t do this, there’s legal license ramification, there are other specific legal ramifications in corporations that can call into question how lawyers and other professionals exercise their professional judgement,” he said.
Navigating these waters can get tricky, and as such, Stegmaier, nNovation’s Kris Klein, CIPM, CIPP/C, and Fieldfisher’s Phil Lee, CIPM, CIPP/E, allied to present “comparative perspectives” on ethical privacy while also giving those in the field practical, wieldy tricks to enhance their practice. It’s about “having that toolkit that you need when we get into those tough situations when someone says, ‘well, do we have to do this, or should we do this?’ and then based on what we decide to do, what that might mean for each of us as professionals,” Stegmaier said.
Ethical practices can't be just an afterthought.
“We like to think of this as moving beyond ‘don’t be creepy,’” as Lawrence Greenberg’s famous advice to companies considering privacy went. There’s more to it than that; things don’t often work out the way they should, and the advice, though memorable, doesn’t give much guidance beyond a good soundbite. Instead, like Jerry Garcia’s idea that “happy is a way, not a goal,” so is privacy. “It’s not an outcome, it’s a journey,” Stegmaier said. “That means mistakes will be made along the way.”
Yet privacy professionals should still strive for ethical practice, as they may be the “sole voices to get things right,” he added. Mother Teresa said it best, Stegmaier continued: “don’t wait for leaders. Do it yourself, person to person, one at a time.”
To do that well, it behooves industry players to embrace a global approach. Klein elaborated on Canadian “comprehensive” privacy laws and ideals, such as former Privacy Commissioner of Ontario Ann Cavoukian’s Privacy by Design concept. It’s “an approach to protecting privacy by embedding it into the design specifications of technologies, business practices, and physical infrastructures,” Klein said. The concept encourages seven principles, such as transparency, proactive approaches, and a user-centric process. Adopting these principles means “baking privacy as the default setting,” he said. It’s “not waiting for something bad to happen before you fix the problem.” However, it’s “not necessarily giving up one value for another, it’s not privacy at all costs,” he added. Safety shouldn’t be compromised for privacy’s sake.
Lee provided European perspectives, highlighting the innate difficulty in abiding by ethical practices across the 31 EU member states. While the European Charter of Fundamental Rights names privacy and data protection as fundamental rights — and “those rights really permeate through all of European legislation and European case law” — the different nations’ unique adaptation of the law, their respective cultures, and even their differing languages make compliance slightly more complicated across different borders.
That’s not the only tension privacy professionals face. Lawyers, who have a legal obligation to their clients, often feel “hamstrung” when their training and the company’s desires conflict, Stegmaier said. Lee added that a challenge he often faces “as a lawyer is that you know have this duty to act in the best interest of your client, but as a privacy professional, your role is also to ensure that the rights and freedoms of individuals themselves are protected.”
Balancing these requirements, however, can be as simple as developing a privacy-specific Code of Ethics, and making strides to train employees on the code while continually enforcing it. At the end of the day, “compliance is about managing risk,” Stegmaier said. “We need to identify risks, develop procedures to manage risk, monitor compliance, respond to non-compliance, and evaluate the procedures and results and continually improve.”
In doubt? “When you’re out there in the field and you have to make decisions, and you have a problem, you know, I think you should ask yourself, ‘well, what would Jerry do?’” Stegmaier said. “Because privacy is a way, you know, not a goal. And if it isn’t a way, then there’s no way that we’re going to get to the way unintended.”