White Paper & Bio
Privacy Management for Enterprises in a Global Economy
Privacy management for multinational companies tends to become challenging
due to a complex web of legal requirements, distributed business activities
and the movement of data and business operations to cost-effective locations
in the world. Third-party outsourcing has become widely used and adds
another layer of complexity for both the outsourcing and the insourcing
company. The insourcer, for example, needs to treat data from a number
of source countries according to the specific requirements at these
sources and needs to observe them throughout the lifecycle of the
data. In addition, an insourcer will have to fulfill its contractual
obligations to the outsourcing companies, which can lead to further
requirements for the technical and operational aspects of a solution.
Some companies have in addition been discussing a move from a liability-based
model (in which the focus is on what one legally has to do) to
an accountability-based model in which ethical concerns and broader
privacy risks (e.g. reputation risks) should also be taken into account.
In a global enterprise, privacy concerns need to be addressed by numerous
teams. If one looks at outsourcing as an example, these are sales teams,
compliance teams, solution engineers, process engineers, implementation
teams and operations people on the ground. Even after the solution
has been delivered, privacy concerns still need to be addressed on
an ongoing basis, e.g. during change management (say, when data centers
are moved).
Known technical point solutions, e.g. encryption technologies and auditing
tools, are of course important but will often address only a small
part of the overall privacy concerns that a practitioner has. This
raises the question of which automated tools could provide the corporate
privacy teams with practical assistance in solving this more holistic
problem.
The position taken here is that one major component of an overall
solution has to address the management of privacy knowledge, policies,
requirements and controls themselves. I believe that there are no
tools out there helping privacy teams do that today. Ideally these
tools will help businesses to answer the privacy issues they have,
identify the technical and procedural controls relevant to them and
subsequently manage the privacy requirements and
controls they have identified. It would be enough that the output
of such a tool is intelligible and actionable for humans; it need not
necessarily be automatically executable in enforcement engines.
Other useful tools for global privacy management are deidentification
tools that are applicable to data in different formats (from free
text to structured data, images or scanned invoices etc.), e.g. for
outsourcing scenarios.
How to design products in a privacy-aware way, i.e. which privacy
engineering principles should be applied and how, and how "Design for Privacy"
could be integrated into the product design lifecycle, is another interesting
challenge.
The position taken in this paper is that the development of tools
for global privacy management could be very valuable in enabling corporations
to implement good privacy standards across the board more effectively.
Research work in this area will benefit from collaborations of computer
scientists with researchers who have specialized in business processes
and experts on the international privacy legal landscape.
Dr. Tomas Sander
Hewlett-Packard Labs
Biographical Data
Dr. Tomas Sander is a research scientist at Hewlett-Packard Labs
in Princeton, New Jersey. He is a member of the Trusted Systems
Lab at HP which conducts research in trust, security and privacy
technologies. Before joining HP, he worked for STAR Lab, the research
lab of InterTrust Technologies in Santa Clara, California on a broad
range of topics relevant to advanced digital rights management (DRM).
Tomas Sander received a doctoral degree in Mathematics from the
University of Dortmund, Germany in 1996. From September 1996 to
September 1999 he was a postdoctoral researcher at the International
Computer Science Institute in Berkeley, California. He founded the
ACM DRM Workshop in 2001. His research interests include privacy,
computer security, cryptography, electronic commerce and digital
rights management.