Business Imperatives:

• Evolving regulations around the world are increasing enterprise requirements to implement and be able to demonstrate rigorous measures to protect the privacy of customers, employees, and other users. However, in the aftermath of the Sept. 11 attacks, there is much speculation that the privacy pendulum may swing away from personal rights in favor of law enforcement. IT executives not already doing so should be evaluating the potential effects of such regulations on IT at their enterprises and among their business partners.
• Privacy initiatives must be closely integrated with key elements of every enterprise's IT infrastructure, most notably data and network security. IT executives should begin now to integrate privacy-related considerations and requirements into larger efforts focused on security, storage, backup and recovery, and other IT infrastructure elements.
• Privacy protection is at least as much an issue of sound business practices and internal corporate politics as it is an IT issue. IT executives should work closely with senior management, line of business (LOB) executives, and other constituents, to ensure that privacy policies reflect and respond to business and user needs as well as regulatory changes.

Privacy – in this context, the preservation and protection of personal and sensitive information – has been an issue for IT executives since the beginning of corporate dependence on IT itself. However, at no time in the history of IT has privacy had such significant implications, or created such significant opportunities for IT executives and their enterprises, as now.

New and developing regulations worldwide are the latest catalysts of interest in online privacy. Examples in the U.S. include the Children’s Online Privacy Protection Act of 1998 (COPPA), the Graham-Leach-Bliley Act (GLB), and the Health Insurance Portability and Accountability Act (HIPAA) of 1996. Canada has its Personal Information Protection and Electronic Documents Act (Bill C-6). The European Union has its Safe Harbor Accord for the European Commission’s Directive on Data Protection. Clearly, privacy is increasingly important to IT executives at enterprises almost everywhere in the world. (See the RFG Research Notes "The Challenge of Global Privacy Regulation Differences," Sept. 7, 2001 and "HIPAA Privacy – First Step Down a Long Path," Apr. 18, 2001.)

Many of these regulations carry significant business and financial penalties for non-compliance, and some include imminent compliance deadlines. IT executives and their teams therefore face the daunting challenge of interpreting and divining the likely effects of such regulations, and translating these into comprehensive, business-driven, and effective strategies and policies. (Table 1 below offers an overview of the IT areas likely to be affected by privacy requirements and regulations.)

An important early step toward addressing these challenges is the requirement to integrate privacy-related requirements into current and future policies and strategies that govern other critical elements of enterprise IT deployments. Privacy should be woven tightly together with enterprise IT infrastructure, data protection, security, and other solutions. In many cases, this will require development and maintenance of comprehensive and up-to-date IT asset inventories, and of similarly robust business application profiles (BAPs) and user needs assessments.

Assessments of current IT resources must be fairly granular to uncover potential privacy-related benefits or detriments. For example, many enterprises already have and use IT elements that can support privacy-related features, but said features have not yet been activated, or adequately integrated with other IT infrastructure elements. For example, a given router or other network appliance may include features that support policy-driven management. However, those features will do nothing to protect privacy if they are not activated and governed by policies that address privacy by, for example, restricting access to IT resources without adequate authentication or authorization.

Further, IT executives must view privacy requirements and the ability to meet them from the perspectives of particular groups of users, individual applications, and data. This is necessary to achieve the optimum balance between the privacy requirements and access needs. For example, Social Security numbers or their equivalents would seem ideal access keys, as they are known by and easy to remember for the users holding them. However, such numbers can make intensely personal, sensitive data available to anyone who has access to them under certain circumstances. IT executives are therefore facing increasing pressure to use alternative access keys, to deliver the access users want while maintaining the privacy they need and deserve.

In addition, IT executives and their teams should remember that while privacy and security are tightly related, they are not the same things. In some cases, IT deployments can be adequately secure, yet woefully inadequate in protecting user privacy, or being able to document the steps taken to do so. Many privacy regulations do or will require that involved entities be able to document their efforts to comply with said regulations.

Furthermore, privacy and security objectives can lead to conflicting technical requirements. For example, privacy laws in some countries obligate businesses to allow customers to change their data if incorrect. However, security measures must ensure it is truly the individual in question accessing the records. IT executives and their teams should therefore strive to address both privacy and security requirements adequately, and to make sure relevant constituents understand the similarities and differences between these two important challenges.

These and related challenges are amplified and multiplied for enterprises operating globally, considering or deploying wireless applications access, or supporting or considering self-service applications for customers and/or internal users. Any combination of these can make privacy protection and security significantly more difficult to achieve and maintain.

IT executives and their teams should begin assessment of privacy-related needs and available resources at their enterprises with comprehensive and up-to-date BAPs. (See the RFG Research Notes "The Importance of Business Application Profiles," Sept. 19, 2000 and "Why Wireless Applications Require Business Application Profiles," Oct. 2, 2001.) These, along with detailed information about user requirements and incumbent resources, will help IT executives immensely as they attempt to address privacy and the role of IT in protecting it from an architectural perspective.

This collected knowledge, along with the best available information about relevant current and anticipated regulations, should be used to form the foundation of relevant business policies for IT operations. The business elements of these policies should be developed with the direct participation of senior and LOB managers, and their translation into actual IT management policies overseen by IT executives and their designated team members.

At some enterprises, a governance board or committee already in place could be the locus of such activities. Where no such group already exists, a task force devoted to continuing oversight of the impacts of privacy on IT, including participants from these constituencies, may be required.

While working to develop and promulgate privacy protection policies and procedures within their enterprises, IT executives should also begin to identify opportunities to harmonize their efforts with those of relevant business partners. In addition, IT executives must make sure their dealings with current and prospective IT vendors include support for enterprise privacy requirements. For example, every relevant candidate contract, request for information (RFI), or request for proposal (RFP), and service level agreement (SLA) should include specific privacy-related expectations and requirements.

IT executives at enterprises working with external providers of IT services should ensure that these providers are "privacy-savvy" as well. Several of the larger consulting systems integrators already have practices or resources devoted to HIPAA compliance and other privacy issues. IT executives should learn all they can about resources available from current and prospective consultants and integrators, and integrate these resources carefully with their own efforts. (Table 2 below shows some useful resources offered by some consultants and integrators at their Web sites.)

For the longer term, some enterprises are considering or forming "privacy offices," or designating privacy officers, to keep business and IT efforts aligned with privacy regulations and requirements. The reason for raising the privacy issue to such high organizational visibility is that privacy issues run up and down as well as across organizations. Privacy regulation compliance is potentially a highly sensitive public relations concern as well. IT executives, especially at enterprises directly involved in health care, financial services, or other industries reliant on sensitive personal data, should ensure they are well represented in any such efforts.

RFG believes IT executives are increasingly being forced to integrate data privacy protection solutions into their enterprise deployments. IT executives should already be exploring opportunities to turn privacy challenges into opportunities for themselves and their teams, and into potential competitive advantages for their enterprises.

Copyright © 2001 Robert Frances Group, Inc. All rights reserved. Agenda products are published by Robert Frances Group, Inc., 22 Crescent Road, Westport, CT 06880. Telephone (203) 291-6900. Facsimile (203) 291-6906. http://www.rfgonline.com. This publication and all Agenda publications may not be reproduced in any form or by any electronic or mechanical means without prior written permission. The information and materials presented herein represent to the best of our knowledge true and accurate information as of date of publication. It nevertheless is being provided on an "as is" basis. Reprints are available.