Maturity and Metrics: A few thoughts from the IAPP’s Privacy Summit 2010

Posted April 23rd, 2010

With a case of the volcano blues, I found myself at the International Association of Privacy Professionals Privacy Summit 2010. As I sat in sessions and caught up with customers at this, the largest gathering of its kind, I noticed an undercurrent to the overall conversation. This undercurrent sounded, in some sense, very similar to conversations I have with my identity management customers regarding maturity and metrics.

Privacy has moved beyond the compliance officer and is receiving better representation in business operations. Example of this include an increased presence of privacy practices in

  • project and software development lifecycles
  • procurement and contracting processes especially with respect to procurement 3rd party services

In some sense this has given privacy, and its closely aligned peer – data protection, more of an outward appearance of risk management than compliance. This is evidence of privacy’s maturation.

But as privacy matures, as privacy is seen for its risk management capabilities, as privacy gets more engrained in business operations, better metrics relating to privacy are needed.

I sat in one session in which privacy professionals talked about the challenges of building dashboards to display privacy metrics. Few could point to meaningful dashboards that they had built. Fewer still felt they had a clear handle on what kinds of questions they should be answering and how they should measure to do so. This challenge relating to measuring privacy lines up with recent research I published on policy governance.  Continue reading "Maturity and Metrics: A few thoughts from the IAPP’s Privacy Summit 2010"...

April 23rd, 2010 | Tags: , , , | Category: Privacy | Leave a comment

Two Bonuses for Privacy Professionals

Posted May 11th, 2009

There are plenty of reasons to come to Catalyst. Engaging workshops, great sessions, interesting speakers, the chance to see the entire Identity and Privacy Strategies team on stage with bags on their heads -  you know, the kinds of thing you’d expect.  For those of you with a Certified Information Privacy Professional (CIPP) certification, this year we’ve a little something extra for you – continuing education credits. By attending IdPS’ Privacy Risks Get Realtrack, you’ll earn 3.5 hours of continuing privacy education (CPE) credit. Attend SRMS’ Risk Management: Programs You Can’t Afford to Cut and receive another 3.5 hours of credit.

And here’s a second bonus: we are making it easier than ever for you privacy professionals out there who haven’t attended a Catalyst before to attend this year. By registering with promo code IAPP, you’ll be able to attend the conference at $300 off the Early Bird rate.  See you in July!

(Cross-posted from Burton Group’s Identity blog.)

May 11th, 2009 | Tags: , , , , , , | Category: Privacy | Leave a comment

International Privacy Day: Synchronicity

Posted January 28th, 2009 - 2 comments

Today is International Privacy Day (and also National Data Privacy Day here in the USA and maybe where you are too).  The day is set aside to celebrate the anniversary of the Council of Europe Convention on Data Protection.  Put on your reading list for today both the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data as well as the Organisation for Economic Co-operation and Development’s Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.

 It’s also, felicitously, the end of the quarter for us here Burton Group, which means that we are trying to wrap up the final edits of our reports and send them off for peer review.  This quarter Bob Blakley and I have been researching privacy.  We’ve talked to a variety of different kinds of companies of all sizes in many industries, and we’ve come away with a lot of lessons.

 Two of these lessons are that privacy is deeply contextual, and that this contextual nature prevents privacy from being easily defined.  Without a strict definition, though, how does an enterprise privacy team proceed?  Can you write policies concerning something which means one thing in one setting and something different in another?  It turns out, we think, that you can.

 Principles.

 I practice martial arts.  Every martial art has a set of principles.  Though these principles may differ, their use is the same.  Principles guide practice.  You practice your art in multiple contexts to prepare you for whatever may come.  In each of those contextualized situations, your principles guide your response.  (Synchronicity moment number one).  Continue reading "International Privacy Day: Synchronicity"...

January 28th, 2009 | Tags: , , , , | Category: Privacy | 2 comments