Privacy: Time to look in the mirror?

When considering Data Privacy, traditionally we round upon cyber criminals, unscrupulous mass marketers and other faceless data harvesters as the enemies of privacy whilst ignoring the most common privacy threat:  The “enemy” within.
Time to look in the mirror Today, 28 Jan 2016, the world celebrates the 10th Data Privacy Day – a global event recognising that privacy is important to us all and our data deserves protection… but from whom?
Traditionally we round upon cyber criminals, unscrupulous mass marketers and other faceless data harvesters as the enemies of privacy whilst ignoring the most common privacy threat:  The “enemy” within.
From an organisational perspective, accidental insiders are to be feared as much as malicious external attackers. Naive, careless or under-resourced employees are the most likely causes of privacy breaches. Undetected data breaches – like pollution – will result in a loss of respect, and business, when revealed to the public. With the trend for transparency and ongoing press attention, the thing worse than losing out to a sophisticated cyber attacker is losing personal data through inattention or under-investment.
It’s not just organisations that may have a cavalier attitude towards data privacy. At a personal level, there is a tendency to publish too much about ourselves online, skip the simplest  T&Cs and pretend we don’t understand that our personal data is the product that provides the “free” services that we take advantage of.  We need to accept that it is our online choices that result in some of the biggest challenges to our privacy. 
The world wide web is 26 years old now and has gone from being a novelty to a necessity - it is time we all acted its age. As individuals, we need to take responsibility for how our personal data is used, push for a more transparent online data economy and to accept the web is no longer just a source of information but a purveyor of valuable data for organisations and home to essential services for individuals.
As individuals’ understanding of data privacy matures, businesses need to become more rigorous in their use of data at all levels – whether this relates to their customers, employees or other businesses.  Organisations’ use of privacy as a unique selling point by marketing their services or products as being “privacy aware” is growing.  Protecting personal data and having visible commitment to addressing the rights of the individual is becoming a key factor in developing and retaining customer trust and brand reputation.
On 15 Dec 2015 the long-awaited EU General Data Protection Regulation1 (GDPR) passed the “inevitability” tipping point. Yes, it is going to be implemented, and much of the media focus has been on the negative reinforcements for compliance.  The potential fines are going to be significant (up to 4% of global turnover) and it is going to bring new levels of responsibility to organisations as well as regulatory scrutiny and public transparency.  The positive effects of the GDPR have been played down in the general debates and discussion but there are real opportunities within the GDPR for organisations that  have a genuine desire to engage with privacy commitments to improve their brand and the rights of the individual.  What is required is a change in privacy culture from avoiding breaches and penalties to proactive implementation of privacy at all levels of the organisational business model.
The  GDPR will set global standards for data protection and privacy.  Organisations that see the regulations as an opportunity to adopt best practice are already choosing to do the right thing and are embedding a culture of privacy awareness  across their business:
  • “Privacy by Design” is embedded in the privacy regulation, encouraging completion of Privacy Impact Assessments (PIA) and engineering privacy from the start to balance the business needs to use data with the fundamental rights of individuals;2
  • The requirement for data portability will make it easier for customers to switch to you (as well as away from your competitors), so respecting individual rights and making transfers both to and from your organisation crucial to develop your reputation as a privacy aware and positive organisation;
  • Pro-active engagement with customers to obtain and manage the new consent requirements will    establish leadership and provide a competitive edge, whilst those companies that wait and see will lose vital customer engagement;
  • Trust will be the new differentiator  – comparative privacy performance (e.g. evidence of PIA, confident and clear fair processing notices, easy access to information on privacy and integrity in dealing with personal data)  will help customers decide who to trust online.
Given the uncertainty of what is to come and continued pace of innovation – who knows how the internet of things will play out  in terms of personal data aggregation, profiling, security and connectivity of previously unconnected data types – even the GDPR will require interpretation.3 This will leave space for those best able to balance trust, transparency and opportunity to create market advantage within the new regulatory framework.
Against a backdrop of legal and brand complexity, leading digital brands are being encouraged to shape the future for privacy4 – balancing risks and responsibilities; clarifying the data for services exchange; enabling and safeguarding the easy, engaging online experiences we all crave.
Whether your people are too cautious and conservative with personal data today, or even perhaps unaware of their obligations and unintentionally cavalier, now is the right time to get ahead with privacy. 
At BAE Systems, we can unpack the opportunities for privacy pioneers – using our experience in privacy and security, big data and digital to help our customers face the challenge of compliance and realise the opportunity as privacy-confident, privacy-positive market leaders.


  1. “The European Commission put forward its EU Data Protection Reform in January 2012 to make Europe fit for the digital age (IP/12/46). Today, an agreement was found with the European Parliament and the Council, following final negotiations between the three institutions (so-called 'trilogue' meetings).” – European Commission Press Release.
  2. BAE Systems Applied Intelligence has been working to embed PIA and Privacy Engineering into all of its engagements and product designs and based on the PIA conducted, inclusion of PIA into system and service sign off is becoming a reality.
  3. “But when push comes to shove, there is a hard way to respond to the new regulations (to not accept the way the wind is blowing) and there is an easy way: to turn this into an opportunity to gain competitive advantage via a ‘Growth Through Trust strategy’.
  4. “In reality the business community and particularly multi-nationals are likely to wield more influence over the actions of member states, the European Commission and the US authorities than either the ICO alone or the Article 29 Working Party ever will.”
Nick Rhodes, Business Solutions Privacy Lead 28 January 2016