Privacy By Design: Best Practices For A TV Industry In Transition
Online advertising has been coming under a good degree of scrutiny lately, and television may not be far behind. As new technologies evolve to tell us more about who's watching what, it seems highly likely to me that one of these days some flavor of "Do Not Track" will be applied to the television platform.
The question is, who among us will be prepared?
After all, privacy practices aren't something you can easily add after the fact, like the icing on a cake. Privacy protection and information systems security need to be baked into that cake from the moment you mix the ingredients, and if you deal with consumer data in any form, it needs to be considered part of everything you do.
Start-ups have a clear advantage here. After all, it's much easier -- not to mention much less expensive -- to build privacy practices into a business when you're starting from scratch. That's not to say, however, that established businesses can't lead on the privacy protection front. The industry, as well as clients and customers, will benefit when they do. On the Federal Trade Commission website, there's a pretty thorough tutorial about the fundamental necessity of information systems security and privacy protection practices for business.
I have written about innovation in the TV industry in the past. The same principles apply more than ever when it comes to privacy. Make privacy a core strategic priority from day one. This way, it will be part of your processes and policies for years to come. Here are six best practices I think are most worth considering when building privacy into a TV-data-centric solution:
1) Implement "Privacy by Design": Make privacy one of your corporate objectives, integrating privacy and information security principles into everything you do.
2) Don't receive unnecessary personally identifiable information. If you must collect personally identifiable information -- names, addresses, birthdates, etc. -- limit it to what you really need. If you are a media research/planning company and can run your business without that information, even better, because you can't compromise what you don't receive. Then go even further to do everything you can to prevent household re-identification.
3) Keep your data secure. Protect your data from loss, unauthorized access, and unapproved uses. If you are building a TV ad network, don't let your data leave your servers without agreements for security and protection. If you are a media research/planning company, don't let your data leave your servers except in aggregate form (i.e., as a report).
4) Make your opinion heard. As government agencies develop privacy guidelines, they want to hear from practitioners in the industry. Go ahead and submit your comments on privacy and information security to the FTC and the Commerce Department. Take part in roundtables among stakeholders. Be proactive, participate in the process, and help make sure that the regulatory bodies don't establish rules that don't work for the industry.
5) Consider pursuing information security certification. As an example, the International Organization for Standardization (ISO) sets standards of excellence in various sectors across 160 countries. Their information systems security certification is difficult to achieve but a tremendous independent validation of your IT practices. While only about 90 U.S. companies are ISO 27001 certified (none in the media industry other than TRA), the process of certification itself forces you to take a hard look at security best practices.
6) Conduct regular information security audits. Unsure where you're vulnerable? Invite an objective third party to audit your company's practices. Once you execute their recommendations, schedule regular audits to ensure you're maintaining the highest level of information security.
Privacy and information security may not seem core to your business, but in fact they're key to ensuring you'll be able to serve your clients now and in the future without fear of privacy landmines.
And always remember -- do what's right where privacy's concerned and you'll pass muster in the only court that matters: the court of public opinion.