Thursday, March 18, 2010

Privacy Audits

In theory, privacy audits are a sensible and useful thing. Regardless of whether they're conducted internally or externally, they can provide insights into data handling systems, identify shortcomings, and help prioritize resources. They can provide external, independent validation of compliance with privacy laws and contractual commitments. And they can be a useful source of transparency. Sometimes, they're even mandated by privacy law, e.g., in some controller-processor outsourcing arrangements under EU data protection rules. Considering how many good reasons there are to conduct privacy audits, it's a bit of a mystery to me why there isn't more of an industry to provide them. Indeed, if you were looking to hire external experts to conduct privacy audits, and if you asked me for a recommendation, well, I'd be kind of stuck to give you a name. I've asked a bunch of my peers at other companies too, and privately, they're stumped too.

Lots of people purport to be able to do privacy audits. Law firms, accounting firms, and consulting firms are all ready to sell this service, at sometimes astronomical costs, but in practice, if you ask around amongst people who have tried to hire them, you often hear complaints about high-priced pay-as-you-learn tutorials for junior professionals. There are also a few "low-cost" versions floating around, but they are often rudimentary checklists (e.g., "do you have a written privacy policy in place? yes, check!"). There must be more room for the happy middle ground between the super-high-cost customized audit and the self-audit checklist models.

So, here's a business idea. Why don't some enterprising people work to establish a privacy auditing business, combining some deep technical understanding with process rigor, offer the service at a competitive cost, and help fill a vacuum? Almost everyone in the profession whom I know agrees that privacy audits are, in theory, a useful tool for privacy hygiene, but in practice, it's hard to find the right level of professional service.

There seems to be a clear market failing here. Over time, surely, the idea of privacy audits will become more integrated into good privacy practice. Whoever can figure out how to provide this service will be contributing to the privacy profession and probably end up making a lot of money. Good luck!


Jeroen Terstegge said...

Hi Peter,

Actually, after 9 years with Philips, I have started my own firm (PrivaSense).

Reviewing privacy compliance and conducting privacy impact assessments is one of my services. So if you need a name, think of me.... ;-)

Jeroen Terstegge

Lauren Gelman said...

Hey Peter. I'm doing exactly this (among other things) with my new business BlurryEdge Strategies.

I've found that for companies with no legal counsel, companies who don't want to ask their high-priced outside counsel to use precious hours on this, or companies with just an overwhelmed GC, having someone who can give them an overview of their privacy status and things to watch out for moving forward is extraordinarily valuable. Everyone I talk to knows they need to be worried about privacy, but they do not have the time or expertise to do it themselves or significant resources to invest in a big accounting firm to do it for them.

However for a reasonable price, thinking about privacy at the point you are first developing an architecture and a business model goes a long way!

Happy to talk more and hear your thoughts on what a privacy audit looks like. My first two questions are: What are your current and future business models? And what does your database structure look like? I never ask about the privacy policy (a clearly written one is an obvious deliverable for this type of project, not an input to it).

Anthony Martin said...

Very interesting post. I have two questions:

(1) Are there really no outside businesses that combine legal, tech, and compliance expertise in one convenient (and reasonably priced) package?

(2) How astronomical are the current fees/quotes? And is that a function of the "billable hour?"

Anthony Martin

Frederic Thu said...

You'll be happy to learn that we started providing such a professional service in France four years ago - at reasonable prices, to many companies, including big ones.

We also know of at least one German company providing such a service.

And it might well appear soon on a pan-European scale as well...

This market isn't mature yet, but it is starting to grow at an interesting pace...

Best regards,


mlim said...

Yes there is a need for good quality privacy audits & an opportunity for innovative individuals & organizations here.

This is somewhat similar to the more established but sometimes no less haphazard environmental/sustainability/green audits. There is an ISO (14001) environmental management systems standard certification which many use to drive or guide such audits. Green audits are likely at a stage where consistent measurements of performance & outcomes are not nearly as established as say financial audits.

cjb said...

I agree with you entirely about the need for more independent and regular privacy auditing. Companies should be forced to "say what they do" and "do what they say." Consumer confidence can only be enhanced if credible auditors with appropriate expertise assess the claims made by companies about their compliance with privacy norms. I have often argued that there is an important role for standards authorities in this regard. I am surprised, however, that you have not come across any examples of privacy auditing services. I know that KPMG provides these services. And what about Webtrust? Maybe Google can blaze the trail in this respect?

Colin Bennett