Asking the Right Privacy-By-Design Questions at #CIWUSA17
Privacy-by-Design technical and business process engineering is important for solving business GDPR compliance challenges. But the privacy issues and enforcement questions around GDPR are pretty complex. How should companies begin?
The Consumer Identity World conference will be starting in just a few days, and I’m in the final process of preparing to moderate a few panels.
The job of a panel moderator is primarily to ask questions, lead the discussion, and to engage the audience. Therefore, like Einstein, I’m starting to put together questions. The three panels are:
- From Dumb Cookies to Informed Consent: Privacy-by-design as a Strategic Requirement
- A world beyond passwords – Improving security, efficiency, and user experience
- The User Experience Panel
If you read the conference agenda and see where these panels sit in the various tracks, you’ll note that a lot of the subtext is around how companies will comply with GDPR, which takes effect in May 2018 along with threats of dire fines.
Privacy-by-Design Panel Questions
Let’s go through some of the questions I have up my sleeve for the Privacy-by-Design panel. In the short term, even Einstein would have to ask:
- How does GDPR affect our (i.e. our client’s) business?
- What is the minimum bar we have to hit for compliance in the short term for each of our business processes (e.g. for service delivery, or for marketing)?
- How can we continue marketing to new customers and new business while still giving customers more control over the use of their personal information?
- How can we avoid seeming creepy and incurring complaints?
- Do we want to be a leader or follower in implementing privacy-enhancing technologies or business processes?
- How important are customer (consumer) relationships to our business?
- How could our privacy practices improve customer relationships and enhance customer trust?
- How can we increase customer engagement to motivate customers to consent to our use of their information in the course of our service delivery and marketing operations?
- How can we develop an “always-on” incident response process to meet GDPR’s 72-hour breach notification? How can we determine where that notification requirement applies?
Call to Action
We continue working through questions like these with clients in GDPR assessments and other projects. I’m looking forward to the panel to hear what the panelists and the audience have to say. Your organization’s time is running short to get answers to these and other questions. Come to CIW in Seattle if you can, and feel free to contact us for more information.