Wednesday, December 28, 2016

2017: Beginning of the end for "Post & Hope"

by Dale Smith, CIPT

Privacy Policies. Today, the Elephant remembers privacy policies.

A large majority of today's data-gathering institutions comply with governmental privacy regulations dating back to the 1970s by posting a formal privacy policy. Typically, this posting takes the form of a lengthy, comprehensive, high-level, legally oriented document stating how the institution manages consumers' private information as it is gathered, used, and stored.

Such a "boilerplate" policy is further characterized by the general absence of any facility for real-time interaction with the consumer for questions or clarifications. It's a one-way street ... the sound of one hand clapping. This Elephant calls it a "Post and Hope" format.

Hope for what? In the best case, the hope is that the consumer will be well served by reading the document's content and will make a well-informed decision about giving up the requested PII. In a less commendable case, the hope may be that the consumer is worn down by the document's defensive complexity, gives up on any due diligence, and blindly ticks the "I Agree" box in frustration.

Even in the best cases, this operational disconnect cries out for improvement, yet privacy pros have dithered over a solution for many years. How could the notice/consent process better protect the consumer, while fairly respecting the institution's value proposition? Could institutions build digital trust with consumers as a by-product of gathering their personal information?

In my opinion, the drafters of the European Union's General Data Protection Regulation (GDPR) have successfully addressed this issue by redefining the notice standard for the compliant gathering of consent. Under GDPR (Article 4(11) and Article 7), consent must be freely given, specific, informed and unambiguous, signalled by a clear affirmative act, and as easy to withdraw as it was to give. Simply put, GDPR-compliant consent is gathered as part of a bilateral exchange between institution and consumer. It's a two-way street ... the sound of both hands clapping.

As the clock ticks toward 25 May 2018 (the date from which GDPR applies and becomes enforceable), PrivacyCheq PID solutions facilitate the transition from "Post and Hope" to GDPR-compliant informed consent. A remote demo is available, with more to come.