However, trust is a fragile commodity, and once broken it can seldom, if ever, be regained. Consequently, not only should you ascertain the proper use of customer information, but also ensure that all perceptions related to this issue are handled correctly.
One must be aware of the legal implications of abusing a consumer's privacy. Since the Freedom of Information Act of 1970, there have been many laws passed by Congress to protect the privacy of individuals, including:
Privacy Guidelines For Companies
In light of these laws, every company must take steps to ensure the privacy of visitors to its Web site. Here are some things a company can do to ensure both compliance with the law and the continued trust of its customers.
-- Sourabh Hajela
Question B: What is P3P (Platform for Privacy Preferences), and how do we implement it on our Web site?
There are a variety of tools and services--some free, some not--that you can use to construct your P3P files after you've collected your policy details. Then load the files into the specified location on your Web site, test them using the World Wide Web Consortium's P3P Validator (or other tool), and you're in business.
-- Peter Schay
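As an added illustration (not code from this column or from any of the tools it mentions), the following Python reads a constructed P3P 1.0 policy reference file, the file a site serves from the well-known location /w3c/p3p.xml, and reports which policy a given page path is matched to, so an administrator can spot pages that no policy covers before running the W3C validator. The policy URIs, the paths, and the first-matching-POLICY-REF rule are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by the P3P 1.0 Recommendation; below it, a constructed sample of a
# policy reference file as served from /w3c/p3p.xml (policy URIs and paths are placeholders).
P3P_NS = "http://www.w3.org/2002/01/P3Pv1"
SAMPLE_POLICY_REF = """<?xml version="1.0"?>
<META xmlns="http://www.w3.org/2002/01/P3Pv1">
  <POLICY-REFERENCES>
    <POLICY-REF about="/w3c/policy.xml#general">
      <INCLUDE>/*</INCLUDE>
      <EXCLUDE>/account/*</EXCLUDE>
      <EXCLUDE>/cgi-bin/*</EXCLUDE>
    </POLICY-REF>
    <POLICY-REF about="/w3c/policy.xml#account">
      <INCLUDE>/account/*</INCLUDE>
    </POLICY-REF>
  </POLICY-REFERENCES>
</META>
"""

def _matches(pattern, path):
    # P3P path patterns use '*' as their only wildcard; every other character is literal.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, path) is not None

def parse_policy_refs(xml_text):
    """Return (policy_uri, includes, excludes) tuples in document order."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{P3P_NS}}}META":
        raise ValueError("root element is not a P3P META element")
    refs = []
    for ref in root.iter(f"{{{P3P_NS}}}POLICY-REF"):
        includes = [e.text.strip() for e in ref.findall(f"{{{P3P_NS}}}INCLUDE")]
        excludes = [e.text.strip() for e in ref.findall(f"{{{P3P_NS}}}EXCLUDE")]
        refs.append((ref.get("about"), includes, excludes))
    return refs

def policy_for(path, refs):
    """Policy URI for `path`, or None. Assumed rule: an EXCLUDE beats its own INCLUDEs; first POLICY-REF wins."""
    for about, includes, excludes in refs:
        if any(_matches(p, path) for p in excludes):
            continue
        if any(_matches(p, path) for p in includes):
            return about
    return None

def uncovered_paths(paths, refs):
    """Paths no policy applies to: a user agent would treat these as having no P3P policy."""
    return [p for p in paths if policy_for(p, refs) is None]
```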
Question C: How do we ensure that our employees don't violate our privacy policies?
The technical component, which can be as draconian or liberal as you wish, doesn't assume a level of trust on the part of your staff. The software either does its job or not. If you do have a policy breach, then you have the evidence to sanction the parties responsible. Watch out for overly complex technical policies, however. If the technical solution makes it difficult for users to do their jobs, users will fix the problem--you just might not like their fix! While technical methods involve combinations of setting appropriate access permissions on the data, user authentication, encryption, usage auditing, and other standard techniques, unless you have a good human-resource policy to match, compliance can be painfully difficult to enforce.
The trickier, but equally important, component is the creation of enforceable and enforced human-resource policies that reflect the stated goals of your company. Of course, having the employees sign binding contracts with sanctions for violating the privacy policies is crucial. In addition, many companies impose privacy policies by limiting the right to use sensitive information to only people who have job requirements for access. The "need to know" methodology has long been used in military and government circles as a technique to limit the exposure of sensitive data. As one wag recently put it, "Those who violate the policies are shot and killed. This does two things: thins the herd and sends a message to the rest." That approach may be extreme, but the level of compliance would, no doubt, be extremely high!
-- Beth Cohen
Sourabh Hajela, TAC Expert, has more than 15 years of experience in strategy, planning, and delivery of IT capability to maximize shareholder value for corporations in major industries across North America, Europe, and Asia. He is a member of the faculty at the University of Phoenix, where he teaches courses in strategy, marketing, E-business, and leadership. Most recently, he was VP and the head of E-business with Prudential Financial.
Peter Schay, TAC executive VP and chief operating officer, has 30 years of experience as a senior IT executive in IT vendor and research industries. He was most recently VP and chief technology officer of SiteShell Corp. Previously at Gartner, he was group VP of global research infrastructure and support, and launched coverage of client/server computing in the early 1990s.
Beth Cohen, TAC Thought Leader, has more than 20 years of experience building strong IT delivery organizations from user and vendor perspectives. Having worked as a technologist for BBN, the company that literally invented the Internet, she not only knows where technology is today but where it's heading in the future.