Two Bonuses for Privacy Professionals

There are plenty of reasons to come to Catalyst. Engaging workshops, great sessions, interesting speakers, the chance to see the entire Identity and Privacy Strategies team on stage with bags on their heads – you know, the kinds of things you’d expect. For those of you with a Certified Information Privacy Professional (CIPP) certification, this year we’ve a little something extra for you – continuing education credits. By attending IdPS’ Privacy Risks Get Real track, you’ll earn 3.5 hours of continuing privacy education (CPE) credit. Attend SRMS’ Risk Management: Programs You Can’t Afford to Cut and receive another 3.5 hours of credit.

And here’s a second bonus: we are making it easier than ever for you privacy professionals out there who haven’t attended a Catalyst before to attend this year. By registering with promo code IAPP, you’ll be able to attend the conference at $300 off the Early Bird rate.  See you in July!

(Cross-posted from Burton Group’s Identity blog.)

The beginning of the beginning: our privacy report publishes

Over the last 6 or so months, Bob Blakley and I have been doing a lot of listening and thinking about privacy.  To successfully re-launch our privacy coverage, we needed to lay a wide foundation that would serve to support future research.  We needed to provide a meaningful starting point for our customers.  Since our customers’ jobs are not typically focused on privacy, we needed to start with a form of first principles and build outward. 

I’ve learned that it is generally frowned upon to use the second person in our reports – too informal, I am told. Use the blog if you want to address the audience directly. Normally, I don’t have a problem avoiding the second person, but this report proved to be a challenge. We had to work hard to write without using “you.” And why was that? Privacy discussions are and must be inclusive. They involve each of us on a far more personal level than a discussion of, say, account lifecycle management. Cognizant of privacy implications or not, the decisions you make on a daily basis have effects on the privacy of your customers and partners.

Because privacy is personal, because it requires concerted behavior throughout the enterprise, discussions about privacy must include everyone. You. Me. Everyone. To guide concerted behavior, in our recently released privacy report, we put forth a Golden Rule as a means of developing and evaluating privacy principles leading to practices and behaviors:

We protect privacy when we consider the dignity of individuals about whom we know things, and when we use what we know about them only in ways which preserve and enhance that dignity.

This report is by no means the end of our exploration of privacy – it is just the beginning. We will be continuing the conversation this July, at Catalyst North America, in the “Privacy Risks Get Real” track. We are working hard to ensure that these discussions reflect the inclusive nature of privacy. We’ll be exploring privacy concerns across multiple domains: from healthcare to higher education. Finally, to sweeten the deal, we have worked with the International Association of Privacy Professionals to get some of the tracks at Catalyst approved for Continuing Privacy Education credits. We are looking forward to continuing the privacy conversations with all of you this July!

Speaking of Catalyst, we have a special surprise for IdPS blog readers… Since it is Easter egg hunting season, we’ve placed a couple of them on the Catalyst web site. The prize inside is a super discount code to attend Catalyst. To find the eggs, go to the conference web site and do this:

  • Hover (but don’t click) over the “San Diego” icon for 20 seconds

-or-

  • Click and hold on the Catalyst logo and then drag your mouse off and release

Register right away – this discount is limited to 50 users and could disappear at any time!

(Cross posted from the Identity Blog @ Burton Group.)

Zen Mind, Newb Mind

Being the new-ish addition to the IdPS team is, well, an interesting place to be.  Besides the requisite induction activities (ask me at Catalyst how you pick up the dry cleaning for a team who lives all across the country), I’ve been working with my peers on vastly different pieces of research.  And being curious by nature, I’m loving the chance to not only dig into different topics, but also observe how different people go about the actual process of analyzing a topic or a market.  One technique that Burton Group uses is Contextual Research (CR).  Essentially, the CR process is meant to challenge an analyst’s knowledge of a subject and their associated preconceived notions as to what problems enterprises face and how they are facing them.  It turns seasoned veterans, experts in the field, into beginners again.  This is what practitioners of Zen Buddhism call “beginner’s mind.”

Here’s how it works in a nutshell. Kevin (seasoned vet) and Ian (newbie) identify a bunch of organizations to talk to. So far nothing out of the ordinary as compared to our other approaches to research. That being said, the conversations we have with these organizations are very different from typical research techniques. Instead of coming to the conversation with a fixed hypothesis that we want to prove out, we come to the conversation with nothing. No leading questions. No surveys. No preconceptions.

In these conversations, we, the analysts, are newbs. We let the people that we are talking to teach us what is important to them about a subject, how they have approached a problem, what wisdom they’d like to share with others.  The analysts furiously take notes, listen, and try not to talk.  Having listened to as many people as we can, we bring the whole team together to find affinities among the statements, identify trends and common techniques, and evaluate the state of a market through the eyes of a customer.

Right now, Kevin and I are in the midst of a role management CR. Although we are far too early in the process to comment on what we’ve found, some of the anecdotes we have learned along the way are really fascinating. Discussions about the needs of the business, efficiencies gained, and methodologies for conducting role analysis – all of these conversations have been grounded firmly in the realities of today’s economy as well as the current state of identity management in the enterprise. You’ll see some of the results of this beginner’s mind approach to analysis at Catalyst this summer. In fact, the Catalyst workshop on Advanced Role Management is going to be a master-class of a sort, shaped by what Kevin and I learn during this CR process.

Stay tuned for more on our roles CR. Towards the end of April, I’ll be updating you on how the process has fared.

(Cross-posted from Burton Group’s Identity Blog)

Privacy risks get real

When you think of “the usual” privacy risks you think of things like brand and reputation damage, fines, and increased regulations. You don’t think of jail time for executives. But jail time is exactly what some Google executives face if an Italian prosecutor has his way.

The arrest of Peter Fleischer, Google’s Paris-based Global Privacy Counsel, in Milan on January 23 stems from a video that was briefly available on Google’s site in Italy. The video showed high school students bullying a classmate with Down Syndrome. Google took down the video in less than 24 hours after receiving complaints about it. The view of Milan’s public prosecutor is that permitting posting of the video for any period of time was a criminal offense. Fleischer and three other Google employees have been charged with defamation and failure to control personal information.

In our forthcoming report, Bob and I explore the contextual nature of privacy. Google clearly operates in multiple geographic and legal contexts. In the US, Google enjoys protections similar to those afforded “common carriers”. However, in Italy, Google is being treated as a content provider and not a content distributor, and thus is not receiving any such protection.

The contextuality of privacy requires that you evaluate your business from all relevant contexts. In this case, Google may find that it should have looked at its video services from the perspective of an Italian user as well as an Italian regulator. This examination from all relevant contexts would highlight not only conflicts between contexts (someone’s desire to publish a video versus a state’s definition of what constitutes offensive or inappropriate content) but also conflicts between contexts and the organization’s business model. Google’s business of allowing anyone to post a video is in this case colliding with an Italian regulator’s desire to treat Google as a content provider, holding Google to an unanticipated set of requirements.

There’s no way that a small privacy team will be able to know everything about every context the company does business in. To that end, a side effect of doing business in multiple contexts can be a budgetary one. Organizations may need to budget for external legal counsel, counsel that specializes in privacy for the contexts they are working in, to aid privacy teams in their evaluation of relevant contexts.

We don’t expect criminal penalties for privacy violations to become common, and it’s not at all clear that the action against Google’s executives will be sustained by the Italian courts. But that being said, we do expect privacy regulations to become stricter and subsequent penalties to become more severe. Privacy risks are getting real. Join us at Catalyst this summer and learn how to adapt, and thrive, in the face of this new reality.

(Cross-posted from Burton Group’s Identity Blog.)