So you’re here because it’s complicated, right.  In mid-2019 we’re very focused on privacy and adapting to new laws and amendments related to that. In Canada, there’s PIPEDA, with recent amendments that require prompt disclosure if PII (personally identifiable information) is breached.

But privacy is easy compared to the other challenges.  Everyone who has data has “private data.”  We know names and addresses and passwords, and other things that can be aggregated.  We can buy behavioural profiles at almost any level.  Demographic and psycho-graphics are easily acquired, and layered onto your data. 

We can advertise with pinpoint precision – the hard part now is figuring out who to pinpoint, not how to pinpoint them.

Partly this is a difficult topic because we conflate all the topics in the word cloud above.  Privacy is not ethics.  And Ethics is not Compliance.  And compliance is not Governance. 

To illustrate – we can protect everyone’s privacy really well. We can encrypt names, passwords and other sensitive data, and we can design access controls so only our employees with a legitimate need to know can see the sensitive data. So consider that a hospital not too long ago got into trouble because a nurse who was not part of the care team for a famous person released details and commented to the media.  Whatever judgement lapse she suffered, in a well-designed scenario she would not have had access to the medical records.   Trust and shared values can work in small groups, most large organizations need controls.

So for privacy we have controls and encryption, and maybe a management directive.

But consider an ethics example.  A legal fight is brewing in California (actually it’s well under-way), between Uber, Lyft and others with the State Government.  The basic issue is whether drivers are employees or subcontractors.  Uber, and many other gig economy players benefit from the sub-contractor posture.  But at a societal level, taxi drivers who are employees are being dislocated by lower cost drives offered by Uber’s subcontractors. It’s so bad in New York City that Taxi medallions which in 2013 cost over a million dollars are now suspended from sale, with the last transactions at around 100,000 dollars.  For drivers there, the medallion was their retirement plan, and since that plan is gutted, there have been a rash of drivers who have committed suicide. Something’s wrong for sure, and in Canada we mostly accept that governments should be trying to figure out how to create level playing fields that are sustainable in their jurisdictions.  

Uber’s defense in California is that “drivers are not core to their business” and that their core business is a market platform that can intermediate many transactions, not just rides.  There’s an interesting article here that describes it in more detail. See the VOX article here.

So, whatever you feel about Uber’s argument, this is a completely different problem from protecting privacy. This is about choices made in the design and implementation of a business model, and these are informed by social context, legal frameworks, and so on.  Some people look and say “do the right thing,” and others look at the law and say “it’s not illegal, we’re compliant, we’re good.” And there are many positions in between. Even the ability to debate this requires an ethical context.

Compliance, different again, is about the important job of making sure you are meeting the many requirements that you have. These can be financial, tax related, regulatory, other legal, or industry or whatever.  Compliance is about not being offside of existing rules.

All this is ideally stewarded under a governance program. And that’s what governance is – it’s a program. It needs to grow and evolve as different requirements emerge.  Your postures on some issues, fine a few years ago, may need to be quite different today.  Data governance needs a home, probably not in IT if you’re a big organization, maybe in IT if you’re smaller and have few issues.  Note that some “data governance” topics are almost entirely in IT – like data dictionary management so you know what you have and are stewarding.  What the value of that is, may be decided by others.

There are strategies to deal with all these questions, and a broad data governance review could be one place to start, but so might a short conversation.  Our leadership team is organized to help our clients with these issues. Go here to send us a note