Privacy engineering turns data collection into data curation

Businesses struggling to understand their privacy exposure and obligations need to adopt a customer-focused ‘privacy engineering’ approach that curates accumulated data not as a technological achievement but as a business asset, the chief privacy officer of Cisco has advised.

Improving technological capabilities had led many companies to stockpile all kinds of data, Cisco vice president and chief privacy officer told attendees at the Cybersecurity Innovation Day at this week’s Cisco Live! conference in Melbourne.

Yet that accumulation of data had created common issues around managing that data and its use. “For years we had been told that we can stockpile data,” Dennedy explained.

“But now I believe we all have a data problem, I believe we all have a curation problem, and I believe we’re all looking for tools. Now that ‘we can’ with technology, ‘what do we want’ is the future of technology.”

That created problems for companies that had spent so much time focused on accumulating data that they had often not stopped to consider what they were doing with it.

Internally within Cisco, Dennedy’s team had addressed this issue by working to develop methodologies to correlate data with a range of business metrics and requirements around how it can be used as part of the information economy.

Fitting data into conventional business-value models was an imprecise science, given often tenuous connections between data and the business environment in which it was collected. This required data analysts to focus on correlations that might never have factored into the original decision to collect data – and it can have direct implications for privacy best practice in the context of a tightening global climate of privacy controls.

Companies are no longer “just selling you a product,” Dennedy said. “They’re selling a group of capabilities, risk capabilities, and transparency so they can be good data stewards.”

Companies that failed to do so would increasingly incur the wrath and potential loss of customers that have proven increasingly concerned about poor privacy practices amongst data-focused companies.

Those practices are often inadvertent – “it’s a tricky thing to know where your data is, because it’s incredibly fluid,” Dennedy said, “and you invested a great deal to figure out who has what and where it’s flowing” – but new obligations under legislation such as the EU’s general data protection regulation (GDPR) had created a situation that was “ripe for innovation”.

Dennedy outlined five steps organisations must go through to maximise the value of their data – including knowing their data, embedding controls to protect that data, democratising the data, driving business insights, and implementing policies to maximise that value.

Part of effective data curation was putting it into the hands of those who can “maximise the business plan within the business plan,” Dennedy said. “You manage what you measure, but you protect what you treasure. That doesn’t necessarily mean everyone gets everything – but it means letting loose. Wherever you have customerised it, you’re adding value.”

Determining the form and magnitude of that value is a core part of maximising the value of data privacy investments – as explored in Cisco’s recent 2019 Data Privacy Benchmark Study.

The experiences of respondents in that study offered a range of insights that confirm businesses are getting better at privacy – but many still have a way to go. While many companies said they are ready for GDPR, customer data privacy concerns were still driving sales delays, the study found, but many privacy investments were yielding significant benefits – as well as auxiliary benefits beyond compliance, such as improved data security.

To get to that point, businesses first needed to consolidate their many views of data privacy – but once that was agreed upon, the business value was there to be taken.

“Privacy is a balancing act, and a fairness, reasonableness, and risk-based assessment,” Dennedy said. “We can’t build technology without clarity of purpose, and that’s why a functional definition of data privacy is so impactful and powerful.”