Investing in Privacy
AN INVESTIGATION BY the United Kingdom’s Information Commissioners Office in 2007 found that 11 banks had breached the Data Protection Act by leaving consumers’ personal data in waste bins outside of their facilities. For one of the banks, London-based Barclays Bank PLC, the incident not only highlighted the need to address the immediate problem of confidential waste disposal, but it also provided the impetus for launching a comprehensive data privacy program enterprisewide.
The program, which addresses data privacy issues for the company’s 150,000 employees in more than 60 jurisdictions worldwide, earned the company the International Association of Privacy Professionals’ 2009 Innovation Award in the large organization category.
“Previously we were probably reacting to circumstances,” says Julian Parkin, Barclays’ group privacy program director. “What we’re now building through the privacy program is the ability to proactively manage privacy risk.”
The first step was to establish an organizational baseline of rules for handling data. In devising that baseline, Barclays did not follow the path of many global companies that simply make policy which complies with the strictest laws worldwide and then establish it as the standard across the group.
“We do not want to be complying with every law in every part of the world in every jurisdiction,” Parkin explains. “We want to make sure that we comply with the relevant laws in each jurisdiction but have a baseline which makes us good at privacy.”
For example, several U.S. states have breach notification laws that require data processors to inform consumers of data loss under certain circumstances. Barclays’ baseline, however, does not include a breach notification requirement. Notification would be a business decision outside of jurisdictions that require it.
Once the baseline was established, the bank identified the privacy gaps within its internal processes. Barclays assesses data privacy and protection gaps with regard to legal and regulatory requirements in eight categories. The categories include personal data, employee data, CCTV, IT and organization, intranet, Internet, marketing, cross jurisdiction, and outsourcing.
Barclays also identified gaps in third-party supplier processes, primarily using third-party question sets for low-risk providers coupled with in-person audit teams for high-risk suppliers in certain jurisdictions. The question sets cover a third party’s confidential waste disposal policies, building security, and encryption of mobile media, among other privacy issues. After internal and external gaps were identified, Barclays used the information to design procedures and processes or revise existing ones where necessary.
After Barclays had the operating model in place, it introduced another important component: ensuring employee awareness of privacy issues. “We have 150,000 people around the group and every single one of them will touch data in some way, whether they’re a security guard, a cleaner, a cashier, or the chief executive,” says Parkin. “Everybody is impacted by this.” The company uses awareness campaigns throughout the year to reinforce positive behaviors or deter negative ones. The campaigns might include signage on exit turnstiles that remind employees to “Think Privacy,” giveaways of privacy branded products like mouse pads, or handing out privacy branded baggage tags in elevators to remind employees to think about the handling of data.
In addition, the group is asking business units to provide a two-year plan for awareness campaigns, but each unit decides what its campaign will look like. “Individual businesses know what works within their local business,” Parkin says. “So we don’t prescribe to them how to do it, but we give them a selection of material that they can use across a variety of mediums.”
Some aspects of awareness are ongoing as well. At the Barclays headquarters in London, security confiscates unsecured laptops from employees’ desks, requiring that employees “do the walk of shame” to retrieve the laptop from security, Parkin says.
The organization also uses an incident-management process that allows the company to identify and manage privacy risk. “You can see a series of near misses that indicate to you that you’ve got an issue,” Parkin says. If an employee tries to send an unencrypted e-mail out of the organization, for example, the person will see a warning prompting him or her to encrypt it to avoid breaching the unencrypted email rule. If the person sends it anyway, it is bounced back by the firewall. While, in that case, there was not a breach, security may meet with the employee’s department to ensure that data transmission guidelines are fully understood.
“It’s through getting people to pair activity with the risk that you change behavior,” Parkin says.
Barclays also has standardized privacy training and now trains HR teams and line managers. The bank is currently developing privacy training for third-party suppliers, but it has not yet been rolled out.
The privacy team measures performance through various means, including focus groups, surveys at the beginning and the end of an awareness campaign, the number of calls from employees to the privacy team, and the number of laptops that are confiscated, among other data.
Barclays’ new privacy program also allows the organization to deal with privacy issues earlier. “As we get better,” Parkin says, “we feed the privacy issues into the start of the process.”
The organization is now designing products that are privacy compliant from the beginning, he says. That’s useful, he explains. “We’re seeing in every jurisdiction that this is becoming a more significant issue,” Parkin adds. “We’re finding that we’re well positioned to be able to step up in those jurisdictions so that we can demonstrate that we have a robust platform for us to be able to manage our privacy compliance.”