This week the news has been full of reports from Las Vegas regarding the latest technological trends on display at the International Consumer Electronics Show. Discussions about wearable technologies and smart appliances — and the emerging “Internet of Things” — often lead privacy advocates to question the potential downsides of companies collecting massive amounts of data regarding everything from where we walk to what we eat.
The risks of big data have been met with observations that “big data requires big judgment.” Such statements are certainly true and yet don’t provide much guidance on how companies can prepare to exercise judgment in a way that manages their own risks and the risks to their users.
All companies that collect data on their users need to consider carefully how that data will be used and how it will be protected. Companies need to understand trends in legislation, the risks of data breaches, and stakeholder concerns regarding everything from government surveillance to behavioral advertising.
The challenge for companies is not only to understand the environment in which they are operating, but also to ensure that internal capacity exists to support thoughtful decision-making and the exercise of “big judgment.” Building this capacity requires fostering lines of communication between diverse internal stakeholders, ranging from product designers to internal counsel. Key questions that should be considered include:
- Are concerns about user data privacy factored in to decisions made by product designers? Data that is never collected cannot be voluntarily or involuntarily disclosed.
- If the company relies heavily on third parties for the delivery of their products and services, who is conducting due diligence on these relationships? Are concerns about data use and protection considered when such business engagements are considered?
- Are corporate communications to the public regarding data use and protection drafted for lawyers or for real people (not that lawyers aren’t people)?
Being a responsible steward of user data requires a coordinated effort by many different corporate actors. Thoughtful public statements about data protection will not be effective in managing risks to the company and its users if the commitments in such statements are not incorporated into product design decisions. A compliance-oriented approach to data privacy management may fail to address and respond to the concerns of corporate stakeholders that go above and beyond protections provided by current law.
All companies that collect data on their users — ranging from well-established technology firms to young start-ups — need to ensure that the internal channels of communication exist that will foster the exercise of appropriate judgment on the management of that data.