According to “The Privacy by Design report” commissioned by the ICO in 2008 (available here), a major barrier to businesses investing in privacy-friendly systems and business processes is the absence of an effective business case for doing so. In other words, making sure an organisation has implemented the necessary processes and procedures to protect the privacy and security of its data is perceived as an expensive exercise with little benefit. Perhaps that’s why some organisations choose to assign data protection and privacy such a low priority, the logic being – why spend money now to implement safeguards when we can tackle issues if and when they arise?
The ICO’s intent, presumably, when they commissioned Watson Hall Ltd and John Leach Information Security Ltd to undertake this research, was to build a case to convince organisations that a “wait and see” strategy on privacy is a false economy and that it’s worthwhile being proactive with privacy. Their argument is that it makes sense and is cheaper in the long run to invest money in privacy and data protection at the outset, particularly if that data is crucial to a business’s operations and especially when you consider the cost of being reactive: for example, dealing with data security incidents, not to mention the more intangible costs of damage to reputation. All the ICO need now is the evidence to back up this assertion.
Last week Watson Hall Ltd and John Leach Information Security Ltd jointly released a discussion document aimed at garnering input from businesses relating to their use of, and the value they place on, personal information.
The deadline for contributions to this project is 1 September 2009, although no timescale has been given for publication of the final report.