Valerie Lyons
DCU
Valerie is currently undertaking a PhD in DCU's Business School, researching the effectiveness of organisational information privacy management approaches. She has worked in information security for the last 25 years, and spent 15 years as Head of Information Risk Management in KBC Bank Ireland.
Introduction
Information privacy protection is an important information management issue that continues to challenge both private and public sector organisations, and is of growing concern to multiple key stakeholders. Many organisations worldwide have suffered privacy breaches, largely caused by a lack of senior management understanding, which often results in poor governance. When privacy is compromised, it can damage an organisation's reputation, corporate credibility and consumer trust, and increasingly results in rising financial penalties.
There are three key mechanisms for addressing privacy management challenges: individual self-protection, industry self-regulation, and government regulation. Evidence suggests that consumers are sceptical about the efficacy of individual self-protection and industry self-regulation for protecting information privacy, and that the self-regulatory model of privacy governance may not be sustainable over the long term. This would leave compliance with government regulation as the only remaining approach; however, governments have grappled with, and often been unsuccessful in, their approaches to regulating issues associated with information privacy management. Additionally, regulations are often reactive and outdated by the time they are enacted, and violations of most privacy laws are detected and prosecuted only on the basis of a required disclosure filed after a violation has occurred and the damage is done. So while it is clear that the challenges associated with privacy protection management will continue, what is not clear is how best to address them.
Methodology
This research explores whether justice-based privacy management approaches (i.e. approaches driven by privacy initiatives aimed at nurturing the privacy/trust relationship) are less likely to result in privacy incidents, and are perceived as more trustworthy, than control-based approaches (i.e. approaches driven by compliance).
Using qualitative methodologies to analyse the published privacy policies and corporate social responsibility reports of the top 25 Fortune 500 companies within the technology sector, we determine whether each organisation takes a justice-based or a control-based approach to privacy management. We choose technology companies as our target sample because other industries, such as pharmaceutical, financial and health companies, are dominated by industry-specific regulations such as the Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA). These results are then combined with US Securities and Exchange Commission (SEC) disclosures, audit results and internal controls disclosures for each of the selected organisations, and assessed using quantitative methodologies to empirically examine whether there is a relationship between an organisation's privacy management approach and the occurrence of privacy incidents and/or privacy malpractice.
Implications
Our hypothesis proposes that organisations following a justice-based privacy management approach experience fewer privacy incidents and increased consumer trust compared with organisations following a control-based approach. The results of this research can contribute to establishing a new model for organisational privacy management that extends beyond the limitations of compliance. Such a model could contribute to existing industry-accepted privacy management frameworks such as the Fair Information Practice Principles (FIPPs) and Privacy by Design (PbD), both of which underpin the current European General Data Protection Regulation (GDPR).