Working with business stakeholders as a privacy professional
Michael Irene is a data and information governance practitioner based in London, United Kingdom. He is also a Fellow of Higher Education Academy, UK, and can be reached via moshoke@yahoo.com; twitter: @moshoke
Carlos Magnesium is the CEO of Zen Technologies, and he is a serial digital entrepreneur. Recently, he had the idea to develop an app that would be beneficial to schools and parents alike within his geographic location. The app will allow parents to understand their children’s wellbeing, including academic assessments and other school activities. The app is close to launch, but Carlos has another idea.
He wants to add another function that would allow the developers to switch on the camera when necessary to allow them to gather live data within schools then use such data to develop new functions to enhance the app. Carlos thinks the app’s camera should be turned on once a month to capture random live feeds while teachers and parents use the app. Carlos thinks this is a good idea and contacts his data privacy team.
The data protection manager, Chike, thinks that it is a nice idea but begins to ask questions about the impact of the processing activity as it involves children, intrudes parents’ privacy rudely and opines that the new processing activity will expose the company to data privacy risks and weaken the reputation of the app upon launch. Chike further argues that this is not a good practice as privacy-by-design and other procedures like notification, transparency and fair processing principle have not been considered.
Carlos knows that he’s going to get a backlash from Chike. He has always seen privacy as blocker to innovation and slows his ideas down. In one meeting, he had said that, “if not for the advent of privacy, he would have made more money and developed apps that would serve humans well; … privacy be damned.” During that meeting, he walked out. Again, here is Chike doing the same thing. Carlos listens to Chike, shakes his head and asks what can be done for the processing activity to take place. Carlos says, “after all, it’s only data collection for the benefit of the users of the app, it’s not like we’d use it for any other thing.”
Chike agrees with the CEO. He says, “I’m not saying that we shouldn’t go ahead with the product, I’m saying let’s ensure that we are taking the right steps to ensure that our products are privacy risk proof or better still, understand the risks prevalent in the product.” Carlos tilts his head in contemplation and asks, “what if we just add that feature, launch and notify users that the feature is for us to enhance our product – is that not legitimate interest?”
Chike shakes his head. As a matter of fact, he has spent a couple of months trying to enhance the training and awareness programme of ensuring that stakeholders don’t treat data privacy as an afterthought. but if the CEO is treating it as such, what can he do? He rubs his chin before responding, “Carlos, I know that the engine of any business is revenue generation but what will it profit a company if it were to lose its reputation and suffer privacy compliance fines?”
Carlos smiles and tells Chike to draw out the privacy implications of this process and work with the developers to tease out the privacy risks and more importantly, understand if the process was to go live, what implications it would have on the business.
Sometimes, privacy professionals essentially look out for the best interest of the company, and they should be understood, and the privacy professional too must understand the psychology of the business and the psychology of stakeholders within the business that would help them in carrying out their duties diligently.
business a.m. commits to publishing a diversity of views, opinions and comments. It, therefore, welcomes your reaction to this and any of our articles via email: comment@businessamlive.com