Make space on your bookshelf for The Privacy Payoff: How Successful Businesses Build Customer Trust, a valuable new business primer on privacy by Ann Cavoukian and Tyler Hamilton. Cavoukian is the Information and Privacy Commissioner of Ontario and co-author of a previous book on privacy entitled Who Knows: Safeguarding Your Privacy in a Networked World. Hamilton is a business reporter and technology columnist at the Toronto Star who has covered consumer privacy issues extensively.
While Cavoukian's first book was consumer-oriented, this book is aimed at the small to medium business market, providing an excellent insight into the importance of good privacy practices.
In 12 chapters, this 300-plus-page book addresses the significance of good data protection as a leading business issue (stating unequivocally that heightened post-9/11 government security concerns have absolutely nothing to do with the business need to address consumer privacy).
Chapters 3 and 4 address the fundamental concepts of privacy and the development of fair information practices, or FIPs, with an explanation of how these FIPs have been translated into various codes (OECD, CSA and the FTC's "Big Four"). Chapter 4 goes on to describe the global regulatory environment, including the development of the EU Directive and the impacts of Article 25 (adequacy of data protection in non-EU nations), as well as the development of PIPEDA and the U.S. Safe Harbor arrangement. Other key U.S. privacy laws are also briefly summarized, and there is a short comment on Asia/Pacific privacy legislation.
Chapter 5 looks at the need for business to take a comprehensive approach to privacy implementation beginning with a privacy diagnosis. Some tools are highlighted that businesses can use to assess their own current level of privacy principles compliance and shortcomings, including a Privacy Risk Assessment Test developed by Forrester Research Inc.
Some readers of this book may turn to chapter 6 first, where the authors include profiles of six Chief Privacy Officers (five of them U.S.-based), including IBM's Harriet Pearson and Peter Cullen of the RBC Financial Group, who reports a 50 percent drop in privacy complaints since RBC committed to a high-profile approach to privacy protection to maintain customer trust and achieve competitive differentiation. Jules Polonetsky of DoubleClick, which has had a roller-coaster ride of privacy problems, Kirk Herath of Nationwide Insurance Companies, Zoe Strickland of the US Postal Service, and Oliver Johnson of Merck & Co. are also profiled. All of the CPOs offer useful advice on the processes of privacy management within large and diversified organizations - see especially Zoe Strickland's five-point list.
Chapter 7 covers safeguards, leaks, glitches and breaches, with descriptions of viruses, worms and Trojan horses, first-hand evidence on the perils of unsecured wireless networks, and a bottom-line comment that "sorry isn't enough."
In Chapter 8, the authors focus on consumer worries about digital data shadows, solutions to the cookies problem, the privacy risks of biometrics, satellite tracking, electronic tags, interactive TV, and other similar devices, and the growing, in fact alarming, increase in identity theft.
Chapters 9 and 10 cover the impacts of such consumer fears on marketing activities and the big issue of workplace privacy (there are excellent tips for employers on pages 247-249).
Chapter 11 covers technologies that can be used to enhance privacy (an ongoing focus of the Ontario Commissioner), and chapter 12 concludes with very practical advice on a privacy action plan for business. The "Top 25 Tips for Privacy Payoff" list is useful and practical.
This book is well researched, and the observations and conclusions made by the authors are well supported by factual detail and analysis. If there is any criticism of this book for a Canadian reader, it is the orientation towards the U.S. marketplace as a source of research, examples of privacy issues, CPO profiles and, in some cases, even legislation. For example, a discussion of workplace privacy law starts off with a discussion of the U.S. Electronic Communications Privacy Act. It is only two pages later that Canada's private sector privacy law and its effect on workplace surveillance are briefly mentioned. While the authors cannot be faulted for aiming their book at the larger market of U.S. corporations (their publisher, McGraw-Hill, owner of Standard & Poor's and Business Week, is one of the world's biggest business publishing houses), and U.S. privacy mistakes by business tend to have far more dramatic impacts, more Canadian-focussed content would have been desirable.
Nevertheless, this is an excellent primer for any business reader seeking to understand the broad issues of privacy protection in the commercial world and the business imperative to implement a thorough and cohesive privacy program. The practical advice in Chapter 12 alone makes the book worth every cent. For readers interested in Ann Cavoukian's views on opt-in and opt-out consent, the book is also worth the money.
Murray Long, Canadian privacy consultant and journalist
N.B. This review is taken from my electronic privacy newsletter.