Privacy Score for Organizations - A Whitepaper

Organizational Privacy Score
Rajesh Jayaprakash
r a j e s h j p @ g m a i l . c o m
Organizational Privacy Score quantify ethical treatment
of consumers’ privacy by organizations. It is similar to
the “Credit Score” concept for organizations but focus on
privacy instead of credit worthiness. The key to the
concept is the enablement of “Informed Consent and
Control” by the customers. An organization gets higher
scores as it ensures greater levels of granularity and
clarity to the adoption of this central concept. The
survey approach used measure, globally compare and
identify weak areas in organizations’ privacy approach
for ALL types of customers’ data used in the
organization. Overall, adoption of such a score can lead
to an industry situation where organizations have to
compete for customer trust and leave the choices of
privacy to consumers.
Privacy and Security are treated as two different topics
and security is not covered here.

of 33
Acknowledgements
I would like to gratefully acknowledge the encouragement, support and reviews of the following
individuals in drafting this paper:
 Matt Musselman
 Dalia Hussein
Legal Disclosure
I, Rajesh Jayaprakash currently work in a large, private sector organization in Canada. I previously
worked in multiple large organizations in Canada and US. The views and opinions I share in this
paper are my personal views only and have no indication or are reflection of organizational
policies or practices of my current or previous employers.
The information provided in this web site is the property of Rajesh Jayaprakash and may not be
reproduced without the express written permission of Rajesh Jayaprakash.
All materials are copyrighted Rajesh Jayaprakash © 2014. All rights reserved.
Disclaimer of Liability
Rajesh Jayaprakash provides the information found in this article for informational purposes
only. The information posted in this article is not intended as advice to, or concerning, particular
readers or circumstances. THE INFORMATION IS PROVIDED "AS IS," WITHOUT WARRANTY OR
CONDITION OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF
COMPLETENESS, ACCURACY, USABILITY, FITNESS FOR A PARTICULAR PURPOSE OR
MERCHANTIBILITY. The user or viewer of the information assumes all risk for the use of this
material. The user's sole remedy for dissatisfaction with the information provided is to stop using
the information.
Rajesh Jayaprakash completely disclaims all liability for the use of the information posted in this
article by any user or viewer, including liability for any losses, damages, lawsuits, claims or
expenses, including, but not limited to, consequential losses anyone may incur as a result of
using this information. Rajesh Jayaprakash’s rights, obligations and responsibilities to its
customers, or any other third parties, are governed solely by the agreements under which those
rights, obligations and responsibilities were created.
All links noted in this article are provided solely for informational purposes. Rajesh Jayaprakash’s
does not endorse the linked entities, nor is Rajesh Jayaprakash responsible for the content
accessible through these links. Under no circumstances will Rajesh Jayaprakash Corporation be
held liable to any third party who may choose to rely on a linked entity, their products, services
or information given.

of 33
Table of Contents
1 INTRODUCTION............................................................................................................................... 5
2 TERMINOLOGY: PRIVACY, SECURITY AND IDENTITY ..........................................................................5
2.1 Data Privacy approach......................................................................................................................................6
2.2 Security .............................................................................................................................................................6
2.3 Identity & Access ..............................................................................................................................................7
3 CURRENT SITUATION OF PRIVACY COMPARISON METHODS .............................................................7
4 NEED OF A ‘PRIVACY SCORE’.............................................................................................................8
5 PROPOSED APPROACH: THE CONCEPT..............................................................................................8
5.1 Informed Consent and Control - Questions to measure it. ..............................................................................9
5.2 Organizational Privacy Score – Components scores Tree.................................................................................9
6 ‘BASIC PRIVACY SCORE’ SECTION....................................................................................................11
7 ‘DATA PRIVACY SCORE’ SECTION ....................................................................................................14
7.1 Why include all data in scoring, not just PII?..................................................................................................14
7.2 The definition of “Internal data” in an organization. .....................................................................................16
7.3 The definition of “External data” of the customer.........................................................................................18
7.4 Principles for Identification of Nine Data Categories .....................................................................................19
7.5 Visual representation of nine data categories................................................................................................20
7.6 Nine data domains categories and questions.................................................................................................21
7.6.1Category 1 - Customer Basic static (master) data provided by user directly. ................................................21
7.6.2Category 2 - Customer Basic static (master) augmented data by harvesting methods. ................................24
7.6.3Category 3 - Customer business (transactional) data.....................................................................................26
7.6.4Category 4 - Customer’s Augmented Transactional Data ..............................................................................28
7.6.5Category 5 - External people/prospect basic data obtained from external sources......................................28
7.6.6Category 6 - External transactional data of people/prospects.......................................................................30
7.6.7Category 7 - External analytics information ...................................................................................................30
7.6.8Category 8 - Internal analytics information....................................................................................................31
7.6.9Category 9 - Non-Customer data....................................................................................................................31
8 ‘SPECIAL DOMAINS PRIVACY SCORES’ SECTION...............................................................................28
9 OVERALL ‘ORGANIZATIONAL PRIVACY SCORE’ CALCULATION..........................................................32
10 SURVEY SHEET............................................................................................................................35
11 VERIFICATION OF PRIVACY SCORE AND ROLE OF THIRD PARTIES.................................................35
12 PRIVACY DASHBOARD – SOME SAMPLE VIEWS...........................................................................35
12.1 Detailed View - Numerical..............................................................................................................................35
12.2 Summary View - Numerical ............................................................................................................................36
13 APPENDIX ..................................................................................................................................36

of 33
1 Introduction
Consumer’s Online Privacy and Consent are relatively maturing areas globally and there are some
highly polarised views about them. Today, approaches to data privacy and laws vary drastically
from country to country. However, technology is global, making this issue more complex.
Currently, in the industry, privacy is viewed mostly from two angles. First is basic Legal
Compliance which varies by region or country. The second is the security capability which treats
consent gathering from consumers as a subtask and ensures legal compliance (mostly bare
minimum) with it. Most of the European Union nations have a good legal framework based on
the concept that online privacy is a human right and it is built it into the laws. The United States
has a more controversial legal standard and industry supported economic model based
approach. Ie: As long as consumers’ data is made ‘non-personally identifiable’ or even otherwise
if there is consent, all available data can be used for economic activity.
There is not much available from industry as global standards or guidelines. There are multiple
proposed frameworks which are yet to get widespread adoption. (Eg: Guidelines proposed by
FTC, another from the US Commerce department) This causes widely varying and non-
comparable approaches to privacy among organizations. Lack of these standards also makes
sharing of privacy and consent data between industry partner organizations difficult, resulting in
customers repeating their preferences to a lot of entities. Overall, it reduces the understanding
the consumer has about the privacy approaches of organizations and the transparency of it.
There was a study published by a leading university stating that if a consumer reads all the
privacy statements and policies of commonly used websites he/she visits, it would takes 200
hours a year.
2 Terminology: Privacy, Security and Identity
Before we get to some of the details, it is necessary to state the views on some of these basic
terms. These terms are used in the industry with widely varying definitions. So the angle that is
used as a premise to the privacy score concept is described here.

of 33
2.1 Data Privacy approach
This is about the policy of an organization. Or, let us say the stated ‘intention’ of an organization.
What they plan to do with customers’ information, etc. However, this is not the same as the long
‘terms and conditions’ usually displayed to the consumer when a consumer interacts with an
organization. It is one of the mediums the organization is using to communicate its intentions to
the consumer. So the organizational privacy policy is more encompassing than the terms and
conditions.
2.2 Security
This is a technology & operations function which ensures the stated intentions in the data
privacy policy of an organization are met. There could be security policies that ensure this.
However, those are security policies which eventually enable the delivery of the privacy policy,
not the privacy policy itself. In that aspect, we can comfortably separate privacy and security.
Here is an example to illustrate the difference between privacy and security and the
complimentary nature: You need some money and need a personal loan from some of your
friends. You have four friends. The first one has no money, and even if he had some, you know
he would not part with it for you. The second one would have given it to you if he had it, but he
doesn’t have any money. The third one has money, but would not loan it to you. The fourth one
has money and would be willing to loan it to you.
Here, the second one and fourth one have the intention of giving it to you. The third one has no
intention but has the capability. Only the fourth one has both.
Privacy policy domain defines the promises the
organization is making to the customer about their
privacy – or not making. Security domain is about the
capability to keep those privacy promises. In that sense,
these are fairly distinct topics and should be treated
separately. This paper addresses only the privacy part (ie:
the promises the organization is making – or not making).
Mixing up these concepts is the root cause of the lack of
clarity in this area.

of 33
The same is the case with privacy and security. Both are different. We need some kind of privacy
score and security score. And we need to know both.
2.3 Identity & Access
Identity also has widely varying definitions. For this paper, it is considered as a set of credentials
that an individual or machine supply in a given context to complete the authentication process of
him/it. Ie: For the organization to verify he/she/it is what he/she/it claims to be. Some of these
credentials could be PII, biometric information, etc. it could be an internal organization Id (Like
Billing Account), A governmental Issued one (SSN) or a privately issued external organization ID
(Facebook ID or LinkedIn ID). Or, usually, a combination of these.
There are other definitions which give a much bigger scope for identity, which get into profiling,
Personally Identifiable Information(PII), any information that can be related or traced back to an
individual etc. It is not our intention to discuss these views further.
3 Current Situation of Privacy Comparison methods
Currently, there are privacy maturity frameworks and privacy scores in use sporadically in the
industry. But these are assessing the maturity of the privacy program of the organization. They
do not measure or compare what the organization intends to do or not about the disclosure of
data privacy practices of the organization or choice to customer (ie: The privacy policy itself).
1. GAPP (Generally Accepted Privacy Principles) based privacy maturity framework of AICPA
and CAC.
2. There are also ‘privacy scores out there but they are very specific to websites. Ie: Specific to
amount of tracking done in websites using cookies, etc. Ie:: AVG’s privacy score.
3. There is also a privacy score which can be derived as part of DOW sustainability index which
many organization’s use. However this is also based on a general set of questions and does not
follow a holistic and structured approach specific to data privacy.
Most of the existing standards revolve around PII and Non-PII since the legalities are around this.
However, consumer data can be easily combined with new technologies like big data and cloud
and the context around it. So we are not taking the PII based approach here.

of 33
4 Need of a ‘Privacy Score’
Anything that gets measured gets done in large organizations. And, currently, the industry does
not measure privacy policy or privacy intentions. All the industry measures are ‘Security’
capabilities and technologies, which themselves are hard to measure. When security breaches
occur, there is lot of attention on privacy, but naturally it soon gets diverted to security.
So changes in the privacy domain need to start with measuring the privacy intentions of the
organization and making it clearer to public. This, in turn, helps to convert privacy policy to a
visible, competitive advantage in the marketplace.
5 Proposed Approach: The concept
The global nature of technology makes it the right space to find solutions to the holistic privacy
problem, even though some of the components to the solution may reside in other domains like
legal. The legal components need to be addressed by countries and are going to be country
specific, and it may not be wise to expect a global legal baseline to emerge.
The basic premise of this article and the concept of “Organizational Privacy Score’ is that online
privacy, and the control of it, should be driven from a meaningful consumer choice, irrespective
of the nationality of consumer. The choice should enable the consumer to select the human
rights based on an approach similar to what is prevalent in the European Union or the economic
approach in United States and the finer details of it. So every person gets the same choices to
choose and maintain their own privacy setting regardless of the country he lives in. However,
nations can set their own minimum for their citizens by setting their own laws. This is a larger
concept within which the privacy score concept operates; however, understand that these are
not the reality today. So it can start as just a scoring mechanism for each organization’s current
policies and practices.
This is a survey to identify and compare business organizations’ approach in terms of respecting
consumer privacy at a policy level, globally, and to identify areas of improvement. The objective
is to measure and compare what the organizations intend to do (and not do) about the
organization’s data privacy practices and offer meaningful choices to customers irrespective of
the laws of the land.
This does not affect or measure the security capabilities in protecting privacy. So it is not a
‘security’ score. It measures the intention or policy; not the capability to achieve them (i.e.; the
security aspect of it).
There are three broad sections of questions to arrive at this score:

of 33
 ‘Basics’ Privacy Score:
 ‘Data Privacy Score:
 ‘Specialised Domains’ Privacy Scores:
All questions should be given in a multiple choice format. Each question and choice associated
with scores can be later summarised to scorecards. With this approach, we are developing a
comparable approach for privacy, as opposed to specific things or projects that an organization
has done about privacy.
5.1 Informed Consent and Control - Questions to measure them.
All the questions used here are geared towards measuring the ‘informed consent and control’ of
the customer.
Namely:
 Is the customer informed about the existence of the data?
 Does the customer understand the meaning and impacts of this data that the
organization has?
 Does the customer have access to the data and the ease of doing it?
 Does the customer have control to update or remove the data the organizations
have, and the ease of doing it?
5.2 Organizational Privacy Score – Components scores Tree
Components of the Organizational Privacy Score explained using a diagram.

of 33
6 ‘Basic Privacy Score’ Section
The intention of the “Basics” section is to identify whether the organization has the basic
framework and intention to protect consumers’ privacy and their general approach to privacy
holistically. For organizations starting to work on their privacy improvements, this is a good area
to focus on first.
Questions to decide the Basics privacy score
No Type Question Choices & Points
Importanc
e of
question
( 1 to 10,
10 Most
important
)
Maximum
points for
Question
(Multiplying
Points of
choices and
Grade of
Question)
1 ‘Basics’
Privacy
Score
Do you have a formal privacy
policy documented and
approved?
 Yes - 5
 No - 0 10 50
2 ‘Basics’
Privacy
Score
Would you let the consumers
know of a data request of
governmental bodies if the law
of the country permitted you to
do it?
 Yes - 5
 No - 0
5 25
3 ‘Basics’
Privacy
Score
Do you sell your customers’
data?
 No – 5
 Yes - 0 10 50
4 ‘Basics’
Privacy
Score
Do you rent out or in any other
way make your customers’
information available to outside
organizations, including your
partner organizations or legal
subsidiaries?
 No – 5
 Only to
subsidiaries – 4
 Only to
Partners &
Subsidiaries – 2
 Anybody (who
may or may
not pay) - 0
8 40

of 33
5 ‘Basics’
Privacy
Score
Do you track customer actions in
any of your organization’s
websites?
 No – 5
 Yes - 0 5 25
6 ‘Basics’
Privacy
Score
If you track customers’ actions
on the website, do you get
consent for that and are you
able to provide proof of that?
 Do Not Track -
5
 Yes - 3
 No - 0
2 10
7 ‘Basics’
Privacy
Score
Do you inform the visitors of
your website what data you are
collecting?
 Yes - 5
 No - 0 2 10
8 ‘Basics’
Privacy
Score
your website why you are
collecting it?
 Yes - 5
 No - 0 2 10
9 ‘Basics’
Privacy
Score
your website whether you will
be selling or renting the
information collected?
 Do Not sell or
Rent - 5
 Yes – 3
 No - 0
2 10
10 ‘Basics’
Privacy
Score
your website about other legal
entities (i.e.; another legacy
entity that will be responsible
for future actions with that data)
that might collect their data?
 There is only
one legal entity
responsible
and it is us - 5
 Yes - 2
 No - 0
2 10
11 ‘Basics’
Privacy
Score
your website of the list if there
are other legal entities that you
would share the data with?
(Y/N)
 Not shared
with anyone
else - 5
 Yes - 3
 No – 0
2 10
12 ‘Basics’
Privacy
Score
Do you set consents in a way to
give you consent by default? (Eg:
pre-checking consent boxes)
 No – 5
 Yes - 0
10 50
13 ‘Basics’
Privacy
Score
Is your privacy policy specific to
your organization? (Eg: Using
privacy policy templates
available online without many
specifics spelled out, not
removing non applicable
 Yes - 5
 No - 0
2 20

of 33
phrases)
14 ‘Basics’
Privacy
Score
Do you have a team with formal
authority to create/update the
privacy policy?
 Yes - 5
 No - 0
5 25
15 ‘Basics’
Privacy
Score
How long are the terms and
conditions that a customer has
to give consent to?
 Less than one
page – 5
 One to five
pages – 3
 Six to ten
pages – 1
 More than ten
pages - 0
5 25
7 ‘Data Privacy Score’ Section
This section measures the privacy policies of the organization with respect to its customers’ data.
Here, ALL data used by an organization is classified into nine categories and the privacy approach is
assessed with questions on how the organization “intends” to treat the consumer privacy aspect of
the data.
However, before we get into the nine categories, it is important to explain the principles used and
some key concepts used.
This is a holistic technology based approach for data privacy
scoring. This does not divide data by the business type,
nature of it or use of it. Calculations based on such dividisions
can soon get very complex and become country or industry
specific leading to non-comparability. So, rather, this is an
industry, country neutral privacy score which denotes an
intention for the ethical treatment of consumer data privacy
by organizations

of 33
7.1 Why include all data in scoring, not just PII?
Most of the laws on privacy today are surrounding Personally Identifiable Information (PII).
However, as we get to the details, there are no clear answers on what constitutes the PII definition.
There is a big influence on context in personally identifying somebody. For example, in a group of 10
people, if one is wearing a unique colour shirt, that alone is sufficient to ‘identify’ him in that
context. If somebody with green eyes is living in a village in a country where all others are of
another eye colour, that is enough to identify him there. So the legal protection of ‘de-
identification’ is not sufficient in a lot of practical cases. In largely used circumstances of zip code,
age, and health indicators are enough to make key decisions which could have serious impacts on
people living there even if they are not personally identifiable. For example, an insurance company
can decide not to offer certain coverage in areas where there are many incidents – if they are
allowed to do so.
In a new world of big data, this issue gets new dimensions. There is lot of data generated in social
media, text analytics, location based services etc. As big data technologies bring these data together
and link them up and analyse them, it opens up a whole new world of understanding and insights.
However, it also gives lot more data dimensions to slice and dice, effectively pointing to much
smaller subsets of groupings of people, essentially taking away their privacy.
Eg: How difficult it is to identify the real people if you have all the following information.
 In your zip code
 And Aged 60 to 65,
 And Driving a Ford fusion car
 And Wearing an Armani suite,
 And Using Ray ban sunglass
 And Starting from home 6 am mostly and getting back at 5 pm,
 And Driveing to a specific industrial area once a week,
 And Eating in Greek restaurants most Sunday afternoons,
 And Having 4 to 6 grandchildren,
 And Who was born in Germany,
 And Income range of 80 to 90 K,
 And Flies to Hawaii 3 times a year,
 And Going to public library every Monday afternoon,
 And Buying pills for diabetes at Shoppers Drugs Mart,
 And Active in social media from 6 pm to 8 pm
 And Likes history books
 And Watches horror movies online
 And Uses iPhone 4 S and recently changed to IPhone 5
 And Divorced twice and remarried two years back

of 33
 And Member of private golf course 10 km from residence
 And Making an average 6 calls a week to Texas
 And Many more, (as they get more sources of information, information of relatives
get combined to this etc.)
All these are Non-PII data according to most available definitions. When location of such a
person become available via real time GPS tracking devices and that information gets commoditized
(a lot of people have access to it cheaply via cloud etc.), privacy equations around PII become
obsolete. And we need to re-examine them.
7.2 The definition of “Internal data” in an organization.
“Internal data” is data created due to the direct business interactions with their customers. Simply
put, it is the entire data used in an organization. Most of the data is expected to be of customers --
prospective or previous customers’ data. Most of this data is created, managed and destroyed
under the control of the organizations. However, storage of this data can be inside the organization
or outside, due to cloud storage or partnerships with other IT companies to manage etc. In other
words, we do not mean the physical location or maintenance of the ownership with the term
‘internal’.
This diagram depicts this data in a set of concentric circles and classifies this data into three
categories using the principles of master data management. Master data, Transactional Data &
Analytical data.

of 33
The core of it is the ‘identifier’ or identifying mechanism for a person/customer. Then, there is a
static set of information about him/her which doesn’t change on a day to day basis, like names,
addresses, his or her preferences, contact information etc.
Then, he or she does the transactions with the organization. Like order products, get it fulfilled,
receive shipments via his preferred channels, respond to surveys by the organizations, use the
products by the organization (which generates another set of usage data) etc.
The above two types are factual information. Data about things that actually happen or close to it.
Then we have the traditional data warehouses which analyse both of these pieces of information
together to form various derived ‘information’ or conclusions. We can call this as analytical
information.

of 33
However, the key is all this can happen within the logical periphery of an organization. If the data is
lost or breached, the accountability is clear.
7.3 The definition of “External data” of the customer.
As human beings, we do lot of things every day, every moment. Each and all of these can be
described as events of different types. And then there are our feelings and moods about things and
events. Most of these events were not recorded during these previous years/decades. But in the
current and up and coming future, this is being recorded. A discussion on whether this is good or
bad is not intended here as it is not the topic. The whole industry will be so happy to get this entire
event recorded and get their hands on that data. Currently, it is happening in a piecemeal fashion.
We have social media which records our likes and dislikes and pictures in private and public spaces.
We have CCTVs mopping up people in public places, we have government issued ID’S like drivers’
licenses and social security numbers and passport numbers which can precisely identify an
individual anywhere in the world. Electronic devices we carry and cars we drive generate a lot of
data about our locations, things we buy, search for etc.
All these can also be represented in a similar fashion just as the data generated inside an
organization for the customer.
The identifiers and set of relatively static data for the person. Identifiers could be SIN/SSN,
passport numbers, or even widespread ID’s like a Facebook ID but mostly a combination of these.
Then, details like names, addresses, relationships and contact information. These do change but not
every day. The subset of this information is available with each of these organizations that the
person does business with.
Actions of the persons. Or say the transactional data of people. Any actions and events can be like
this. Like reading newspaper for 20 mins and visiting a friend after that. This information could look
trivial. But for a toiletry company would be very interested in this so would a newspaper company.
Earlier these types of events were not tracked. However, nowadays, users input a lot of information
into social media, whether they realize the consequences of doing this or not.Other trackers like
mobile phones track the movement. New kinds of ‘planning assistants’ like “Google Now” create
very detailed sequences of these activities. For salespeople, we have “salesforce.com today”. It is an
early market and we can expect more here. The detailed information connected to the actions of
people can also be tracked via the devices. Eg: The GPS of the car.
Then, there is the analytical information industry which helps to sell, process and resell data and
information derived from it. There are also a variety of information visualisation products based on
that.

of 33
7.4 Principles for Identification of Nine Data Categories
Categorize ALL data used in the organization (PII and Non-PII, internal and external) into nine broad
categories and evaluate the privacy practices that are followed for those areas. Each of these
categories will need to be answered separately. All data is expected to fall into one these sections
most times, and multiple categories occasionally. The intention of this classification is to accurately
classify any particular piece of data into only one section but it may not be always possible for some
specific types of data.
Data: Divided into nine categories:
Type of data
Source of
ownership Type of creation
Master
Data transactional Analytical
Consumer
Data
Internal
Customer Directly
Provided data
Category 1 Category 3 N/A
Internal
Customer data
augmented
Category 2 Category 4 N/A
External
Externally source
data (Buy/Rent)
Category 5 Category 6 Category 7
Internal
Internal analytics
information
N/A N/A Category 8
Non
Consumer
Data
Category 9
These nine categories are developed using principles used
in master data management(MDM). According to MDM
principles, the entire data in an organization can be
categorized into three groups: Master data, Transactional
data and Analytical data. Master data is the relatively static
data, like customer names, address, etc. Transactional data
is the day to day business operations data. Analytical data
is the derived from information using the other two. These
are then extended due to the recent heavy use in the
industry of data from external sources. Eg: social media
data, D&B, data.com, upcoming external transactional data
sources like Google 'Now', salesforce 'today' etc.

of 33
7.5 Visual representation of nine data categories
From a survey quesitons perspective, the most quesitons
would be repetitions across these nine categories and the
"Basic Privacy Score' questions.
This is okay since we are focusing on different types of data
all together, which are different in properties, collection
methods, ownership,legalities etc.
However, it is important to ask these questions seperately
since the treatment of these categories of data varies vastly
in organizations.

of 33
7.6 Nine data domains categories and questions
7.6.1 Category 1 - Customer Basic static (master) data provided by user directly.
This is basic and mostly static information about individuals provided directly to the
organization by the user. This channel of collection could be online, or in any stores.
Usually this data originates in CRM systems, portal databases, Identity databases,
and customer master data repositories etc. The business or IT team owning such
systems can be expected to answer questions in this section. However, this data is
usually replicated across many systems in large organizations. If such teams are not
able to answer in a comprehensive manner, data governance teams or enterprise
architecture teams could answer this section.
We consider this a separate category due to these features,
1. Given by customer directly to the organization.
2. Usually given multiple times and across multiple channels
3. Maintenance of this data is the responsibility of the organization
4. A good portion of this will be PII
5. Changes to this data are usually infrequent.
6. This is common data across many types of transactions and contexts and the
customer/person interacts with customer
The reason to split the data into these categories is to bring
in the specific nature when answering questions about data
in any organization. These data categories have considerably
different lifecycles, business and technical ownership across
large enterprises.Many of these categories represents certain
type of systems owned by the specific departments in an
organization.
So even though still not perfect, dividing customer data to
such categories is expected to help to get realistic and useful
answers, revealing the data privacy approach of the
organization to the practiced details. All these responses can
be summarised to form the final score of the organization.

of 33
7. Can be used during future transactions so that customer does not have to re-
enter this information.
8. Accuracy/factuality is as good as what customer has given.
Examples of this data category
 Customers’ Names
 Physical Address
 Contact information : Emails, Phone, Facebook id, Twitter id
 User ids.
Questions to decide the Data privacy score – Category type 1 data.
No Type Question
Choices & Points
(1 to 5 points max)
Importanc
e of
question
( 1 to 10,
10 Most
important
)
Maximum
points for
Question
(Multiplying
Points of
choices and
Grade of
Question)
1 Data
Privacy
Score –
Category 1
Do you explain the purpose
of collecting the data
before collecting it or in a
referenceable location?
 Yes - 5
 No – 0
5 25
2 Data
Privacy
Score –
Category 1
Do you sell this data to
other legal entities?
 No – 5
 Yes - 0
10 50
3 Data
Privacy
Score –
Category 1
Do you rent this data to
 No – 5
 Yes - 0
8 40
4 Data
Privacy
Score –
Category 1
Do you let consumer see
this data after collection?
If yes,
what is the mechanism
used? (Online, Written
forms by mail, etc.)
 No – 0
 Yes, need to
provide written
paper requests –
2
 Yes, need to
provide written
online requests –
3
 Yes -
5 25

of 33
immediately
after collection,
free of charge - 5
5 Data
Privacy
Score –
Category 1
Do you let the consumer
update/remove this data?
If yes,
What is the turnaround
time?
 No – 0
 Yes, need to
provide written
paper requests –
2
 Yes, need to
provide written
online requests –
3
 Yes -
immediately
online, anytime,
free of charge - 5
8 40
Data
Privacy
Score –
Category 1
Do you have a defined
retention period for this
data once the customer is
no longer in business with
you? (yes/no)
 No – 0
 Yes, three plus
years - 3
 Yes, less than
three years - 4
 Yes - six months
or less - 5
5 25
7.6.2 Category 2 - Customer Basic static (master) augmented data by harvesting
methods.
This is additional data obtained by the organization but it is not directly given by the
individual. It is captured or derived mostly by other means. For example, by tapping
into website logs or mobiles phones used by the individual, using sophisticated
algorithms available in the industry or r purchased from other sources in the
industry. Most companies do not consider this as customer data as it is not provided
by the customer.
 Income bracket of the customer
 Relations of customer with other customers,
 Number of household members.

of 33
 Customer segmentations & groupings.
Clearly, ownership is with the organization and maintenance is the responsibility of
the organization. The same team that answers Category 1 can answer these
questions too.
1. This data is NOT given by customer directly. It is inferred via logistical
methods or using electronic devices and industry algorithms.
2. Accuracy/Factuality varies
3. Not considered PII mostly.
4. This doesn’t qualify as basic data or PII but in most cases is linked with it and
becomes a part of extended basic customer information
5. Unclear legalities about the ownership of this data. Maintenance is the
responsibility of the organization.
6. Changes to this data are usually infrequent.
No Type Question
Choices & Points
(1 to 5 points max)
Importanc
e of
question
( 1 to 10,
10 Most
important
)
Maximum
points for
Question
(Multiplying
Points of
choices and
Grade of
Question)
1
Data
Privacy
Score –
Category 2
Do you let customers know
that you are capturing this
information?
 Yes – 5
 No - 0 10 50
2
Data
Privacy
Score –
Category 2
Do you provide examples
for such information?
 Yes – 5
 No - 0 5 25
3
Data
Privacy
Score –
Category 2
Do you explain the purpose
of collection of the data
while collecting it?
 Yes – 5
 No - 0
5 25
4
Data
Privacy
Score –
 No – 5
 Yes - 0 10 50

of 33
Category 2
5
Data
Privacy
Score –
Category 2
 No – 5
 Yes - 0
8 40
6
Data
Privacy
Score –
Category 2
If yes,
What is the mechanism
 No – 0
 Yes, need to
provide written
paper requests –
2
 Yes, need to
provide written
online requests –
3
 Yes -
immediately
after collection,
free of charge - 5
5 25
7
Data
Privacy
Score –
Category 2
update/remove this data?
If yes,
What is the turnaround
time?
 No – 0
 Yes, need to
provide written
paper requests –
2
 Yes, need to
provide written
online requests –
3
 Yes -
immediately
online, anytime,
free of charge - 5
8 40
8
Data
Privacy
Score –
Category 2
you? (yes/no)
 No – 0
 Yes, three plus
years - 3
 Yes, less than
three years - 4
or less - 5
5 25

of 33
7.6.3 Category 3 - Customer business (transactional) data
This data represents the day to day business operations and interactions. This data is
expected to be owned by the organization and is expected to be factual data.
1. This data is provided by the customer directly or with active participation of
the customer.
2. This data is not considered PII for most data elements, except for some key
data elements like billing account number, purchase order, shipment number,
etc.
3. Unclear legalities about the ownership of this data. Maintenance is the
responsibility of the organization
4. Changes to this data are usually not applicable after the transaction.
5. Mostly point to time specific.
6. Not common to entire enterprise. Ie; various types of data are scattered
across the organization, mostly with ownership under different departments.
They are mostly managed by specific lines of business. So one type of
transaction data (ie.: shipment) may follow a set of rules while another type
follow a different set of rules.
7. Very factual information.
 Orders, Purchases & history
 Shipments & history
 Bill and payment history,
 trouble tickets raised
 Surveys and responses
No Type Question
Choices & Points
(1 to 5 points max)
Importanc
e of
question
( 1 to 10,
10 Most
important
)
Maximum
points for
Question
(Multiplying
Points of
choices and
Grade of
Question)
1
Data
Privacy
 No – 5
 Yes - 0
10 50

of 33
Score –
Category 3
2
Data
Privacy
Score –
Category 3
 No – 5
 Yes - 0
8 40
3
Data
Privacy
Score –
Category 3
If yes,
What is the mechanism
 No – 0
 Yes, need to
provide written
paper requests –
2
 Yes, need to
provide written
online requests –
3
 Yes, immediately
after collection,
free of charge - 5
5 25
4
Data
Privacy
Score –
Category 3
you? (yes/no)
 No – 0
 Yes, three plus
years - 3
 Yes, less than
three years - 4
or less - 5
5 25
7.6.4 Category 4 - Customer’s Augmented Transactional Data
Customers’ factual data obtained from users during transactions or interactions with
customers but not directly input by customers mostly captured by websites, mobile
phones or such electronic devices used by the consumers.
Any information received during the interaction which is not directly given by
customer is usually captured by the electronic medium used by the customer. The
teams that answer category 2 can answer this category also.
 Channels viewed by customers while browsing TV channels.
 Frequency and usage of TV channels & mobile devices.

of 33
 Clickstream information.
 Location history obtained via tracking mechanisms like GPS.
 Time spent by customer of each web page.
Same questions and points as in Data Category 2 (Augmented master data).
7.6.5 Category 5 - External people/prospect basic data obtained from external
sources.
This type of data is usually from external organizations like social media data
collectors such as: (facebook, linkedin), AC Neilson, WPP, Harte Hanks, etc.
 Names, addresses, phone, email etc. of people collected by publicly available
information, surveys, etc.
No Type Question
Choices & Points
(1 to 5 points max)
Importanc
e of
question
( 1 to 10,
10 Most
important
)
Maximum
points for
Question
(Multiplying
Points of
choices and
Grade of
Question)
1
Data
Privacy
Score –
Category
5
Do you let the prospects
know of the existence of
this information
voluntarily?
 Yes – 5
 No – 0
10 50
2
Data
Privacy
Score –
Category
5
Do you resell this data to
 No – 5
 Yes - 0
10 50
3
Data
Privacy
 No – 5
 Yes - 0
8 40

of 33
Score –
Category
5
4
Data
Privacy
Score –
Category
5
Do you let consumers
see this data?
If yes,
 No – 0
 Yes, need to provide
written paper
requests – 2
written online
requests – 3
 Yes - immediately
after collection, free
of charge - 5
5 25
5
Data
Privacy
Score –
Category
5
update/remove this
data?
If yes,
used and the
turnaround time?
 No – 0
written paper
requests – 2
written online
requests – 3
 Yes - immediately
online, anytime, free
of charge - 5
8 40
6
Data
Privacy
Score –
Category
5
data once the customer
is no longer in business
with you? (yes/no)
 No – 0
 Yes, three plus years
- 3
 Yes, less than three
years - 4
 Yes - six months or
less - 5
5 25
7.6.6 Category 6 - External transactional data of people/prospects.
This category data represents the actions of the prospects made available to the
organization via external sources. Prospects are any entity the organization has data
on but do not have a current account with the organization.
 Facebook ‘like’s
 Events joined in Facebook.

of 33
 GPS travel history
 Phone call records metadata
Same questions as in Category 5, externally obtained basic data.
7.6.7 Category 7 - External analytics information
There is a proliferation in the IT industry for tools and algorithms that analyse social
media data to derive conclusions. A lot of research is happening in this area.
This data category represents the derived data outputs (aka analytics outputs)
bought by the organization from external sources. The accuracy of inferences is
owned by the external entity performing the analytics on the data obtained from
external sources.
Same questions as in Category 5, externally obtained basic data.
7.6.8 Category 8 - Internal analytics information
This data category represents all the analytics/derived information. Ie; outputs of
data warehouses, data analytic programs, any information generated in the
organization that could be linked to customer records, information which can used to
segment and classify information, market to customers, etc.
This analytics could be performed on a mix of internal data and externally obtained
data like social media data, location data, etc.
Same questions as in Category 2 (customer transactional data).
7.6.9 Category 9 - Non-Customer data
This data category represents specific entities which cannot be linked to a customer
or prospect in any meaningful way. Ie: Data that cannot be statically or dynamically
assigned to customer records at any point in time.
Ie: Data about a new building the organization is constructing. Heating and cooling
information in the data centres of the organization. Shipment of inventory from one
location to another and details about it.

of 33
1
Data
Privacy
Score –
Category 9
Provide same
representative examples of
data considered as Non-
Customer data
 Free form
N/A N/A
This type of data is documented for transparency purposes on what data the
organization assumed in this section as not belonging to customers. Industry
standard models can be used to bring in some boundaries here.
8 ‘Special Domains Privacy Scores’ Section
This area scores specific areas of specialised significance, technology or approach used by the
organizations and is of considerable impact to people’s privacy. Some of these domains may be
relevant to the given organization and some may not.
Some important domains
1. Big Data
2. Cloud
3. Location Based Services
4. CCTV
5. IoT (M2M)
6. Employee Data (This is an important aspect of organizational privacy but a specialised
field due to contractual and work relations)
These domains vary over time. Ie: Location based services and privacy around that was not a
significant issue ten years ago but it is a totally different situation now. So these are specialised
While adopting this, quite possibly different portions of an
organization would have to score separately and then average
out an organizational score.

of 33
scores specific to such domains.
Another example: RFIDs privacy may be important for a retail chain but may not relevant for a
software organization. For a retail chain, CCTV data may be very important with a privacy aspect
but IoT may not be. But, for a network gear manufacturer it could be the other way. So, we let
the organizations choose from the superset of domains identified in this section. However, all the
questions, answers, choices and scores for them should be standard. All the answers are
expected to be available for verification, if necessary (see the verification section for details) in
case a conflict arises.
It is also understood that the data mentioned here is a subset of the data mentioned in the data
domain section. This is acceptable as we are scoring for the technology domain here, not the
data itself. This eventually helps organizations focus on their practices in a few,certain areas if
their score is found to be less than industry average in that domain.
9 Overall ‘Organizational Privacy Score’ calculation
Overall organizational privacy scores are calculated simply by adding the weighed points (points
obtained for the answer * importance number of the question) obtained for all questions.
Based on the need and industry interest, questionnaires for such
domains can be developed on an as and when needed basis.
Organizations considering adopting this 'organizational privacy score'
concept are advised to focus on the Basic privacy score and Data
privacy score and summarise that to an Organizational privacy score
for now

of 33
It is very usual that different parts of large organizations treat the same data differently. Also,
there will be multiple copies of the same data which are treated differently in multiple systems
which could lead to contradicting scores from different parts of the organization.
These can only be overcome by taking averages. However, scoring per application becomes a
very complex and time consuming task as this would soon become a permanent part of the
organization and a part of the data governance program, if one is available. As part of this, each
data store can maintain a privacy score, and finally the organizational average can average out
the final results. This could be nice but it may be overdoing it too. The optimal way would be to
create scores by major business units in the organization or the entire organization. Or an
organization can initially do it on a general basis with the participation of centralised IT teams
and derive a score with a ‘best guess’ approach. And, later, can be done at more micro levels to
identify privacy issues and resolve them.
There are many industries like healthcare which have strict privacy requirements, this survey is
not intended to consider those aspects with special weight.
As the points and importance are given in above questions, an
organization can get a maximum of 2245 points. This is calculated
by simply adding the maximum points obtained for all questions in
the Basic Privacy and Data Privacy sections. Basic privacy score
sections get a maximum of 370 points and Data privacy sections get
1875 points but have to accommodate for changes in questions,
points and importance, questions for specific domains sections, etc.
So these numbers are ratified to a 0.0 to 10.0 scale for consistancy.
This can be put into different grades as is done in a credit score of
individuals and organizations and conclusions can be derived, if
required. But the points remain constant. The major difference is the
score for each section and that the area can be visible and that
actions can be taken to improve the specific area.

of 33
10 Survey Sheet
This provides a simple excel sheet in a survey format which will automatically calculate the
organizational privacy score, using the questions and calculation mentioned above.
If surveys are done separately in multiple parts of the organization, they need to be done
separately and averaged out manually.
11 Verification of privacy scores and the role of third parties
The major tool in verification is transparency. Any organization that is publishing the
organizational privacy score using this method is expected to make available the entire questions
and answers along with the score. External agencies can cross check this if need be. External
organizations or individuals can also facilitate this scoring if specific organizations do not have
enough understanding in doing this scoring themselves.
Currently, the verification is on an honour system. There would need to be external agencies if
they needed audits on these scores. External, neutral agencies can also consolidate these scores
from organizations in an anonymous fashion. Then, publish reports of comparison by industry,
country, continents, etc.
12 Privacy Dashboard – Some Sample Views
12.1Detailed View - Numerical
BASIC PRIVACY
SCORE
BASIC PRIVACY
SCORE
Category 1
data
Category 2
data
Category 3
data
Category 4
data
Category 5
data
Category 6
data
Category 7
data
Category 8
data
Big
Data
Clou
d
Locati
on
Base
d
Servi
ces CCTV
IoT/
M2M
Emplo
yee
Privacy
Organization Score 5 6 5 4 5 2 6 5 5 3 8 5 4 2 6
Country Average 3 5 4 6 8 5 8 6 6 2 3 2 5 3 6
Industry Average 4 5 3 7 6 4 5 4 4 2 6 2 6 5 6
Global Average 3 4 4 7 7 4 3 3 3 3 5 2 6 6 5
DATA PRIVACY SCORE SPECIAL DOMAINS PRIVACY SCORES

of 33
12.2Summary View - Numerical
13 APPENDIX
 Federal Trade Commission, USA : Protecting Consumer Privacy Online
http://www.ftc.gov/sites/default/files/documents/reports/federal-trade-commission-
bureau-consumer-protection-preliminary-ftc-staff-report-protecting-
consumer/101201privacyreport.pdf
 US Commerce Department : Commercial Data Privacy and Innovation in the Internet
Economy: A Dynamic Policy Framework
http://www.ntia.doc.gov/files/ntia/publications/iptf_privacy_greenpaper_12162010.pdf
 Carnegie Mellon Study on Hours Needed to Read Privacy Policies
http://www.aleecia.com/authors-drafts/readingPolicyCost-AV.pdf
 Stanford Encyclopedia of Philosophy
http://plato.stanford.edu/entries/privacy/
 Book: Privacy and Big Data (A very comprehensive research on privacy today)
http://www.amazon.com/Privacy-Big-Data-Terence-
Craig/dp/1449305008/ref=sr_1_2?ie=UTF8&qid=1391102330&sr=8-
2&keywords=privacy+and+big+data
 GAPP (Generally Accepted Privacy Principles) by North American CPAs.
Many graphical views like charts, competitor comparison diagrams etc. can be
developed using the above type of base data as required by the audience

of 33
http://www.aicpa.org/INTERESTAREAS/INFORMATIONTECHNOLOGY/RESOURCES/PRIVAC
Y/GENERALLYACCEPTEDPRIVACYPRINCIPLES/Pages/default.aspx
 Dow Jones Sustainability Index questionnaire ( Section 1.7 is for privacy)
http://www.robecosam.com/images/sample-questionnaire.pdf

Privacy Score for Organizations - A Whitepaper

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Ähnlich wie Privacy Score for Organizations - A Whitepaper

Ähnlich wie Privacy Score for Organizations - A Whitepaper (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Privacy Score for Organizations - A Whitepaper