Privacy watchdog gets fangs

This week, the Information Commissioner’s Office (ICO) has been given the power to fine companies up to £500,000, and it is widely believed that the watchdog, responsible for enforcing the Data Protection Act and other privacy legislation, is on the lookout for a few quick and easy cases to show off its new fangs. Almost all businesses rely on personal information in their trading activities. Is there a real business case for taking data protection and privacy seriously? Or is this just more red tape causing a headache for entrepreneurs? Let’s look at the business case.

Information is valuable

Firstly, there is no doubt that information has value. There are multi-million-pound companies that trade nothing but information and there is also a thriving black-market economy estimated to be in the billions. Some information, such as trade secrets, copyrightable works and patentable ideas, has an obvious value to a business, but the value of personal information is not so easy to quantify. There are a number of aspects to consider:

  • The cost of re-acquiring quality information
  • How much of the business mission depends on the information
  • The cost to the organisation if the information is unusable
  • The value that other people place on the information (the individual subject of that information, your competitors and those seeking to gain the information for unlawful purposes, and society in general).

Which of these values are most significant will vary from business to business. For instance, the cost of re-acquiring information may be as little as a few pence per record from a mailing-list marketer or it may involve many hours of detailed interviewing and research (even assuming an individual is prepared to co-operate with giving you data you have already lost once).

Data loss incidents cost real money

Next, there is the cost of a data loss. Some of the potential costs are:

  • Diverting senior management and key staff away from normal activities to deal with the incident
  • Additional costs of PR, legal advice, security, internal investigations and such-like
  • Disruption to normal business caused by the loss of data or the additional containment measures put into place
  • Costs of notifying people of the loss and providing them with recompense
  • Costs of complying with external regulation (investigations, legal costs, fines).

In addition to these direct and immediate costs, there are also a number of indirect and longer-term issues that need to be factored in. Key amongst these is the loss of trust and damage to the organisation’s reputation. In the worst case, loss of trust can cause customers to desert the organisation completely. It may be necessary to reduce prices to retain customers and restraints imposed by regulators may increase the cost of sales – thus eroding profit margins from both ends for many years to come.

Good privacy policies are a competitive edge

Finally, and most importantly, what are the benefits of having robust privacy policies and procedures in place? The really good news is that there are real and tangible benefits over and above avoiding the cost of a data loss incident. Organisations with a clear understanding of the data they hold and why it is held can achieve much greater efficiency: avoiding the need to duplicate information, ensuring that the information is accurate and complete and being able to use that information to respond rapidly to people’s requests all contribute to a leaner, more competitive business. Organisations with a reputation for respecting privacy also benefit from customer loyalty and from the fact that customers are willing to provide more accurate and detailed information than they would to a company they do not perceive as trustworthy. There are, of course, also benefits in the form of risk reduction (which may, or may not, be reflected in insurance premiums). The key risks that can be reduced in this manner are risks to reputation and the risk of data falling into the hands of a competitor (such as when a salesman leaves and takes his customer contact list to the new employer).

In conclusion, then, there is a clear business case for data protection and privacy to be high on the board’s agenda and for companies to invest in the proper stewardship of the data in their care.  At the very least, companies need to audit their business processes to properly understand what data they are collecting and why.
