Enterprises can use data to efficiently provide services, market products to consumers, and make better decisions backed by data.1 However, collecting excessive amounts of data without providing transparency regarding its usage could become a privacy issue. It can be difficult for enterprises to find a balance between having the data needed to drive business decisions and respecting consumers’ privacy.
ISACA’s Digital Trust Ecosystem Framework (DTEF) can help enterprises ensure that broad organizational objectives and goals—including those relying on collecting and processing personal information—align with privacy objectives and compliance requirements. Each domain of the DTEF relates to privacy, and the privacy focus area emphasizes privacy by design and feedback loops, all of which can help enterprises strike a balance between privacy and maximizing the value of data.
Privacy and the DTEF
The DTEF model is three-dimensional and contains four nodes: people, process, technology, and organization. The tension that exists between these nodes comprises the DTEF’s domains. Figure 1 shows the DTEF model.
Figure 1—The DTEF Model
Source: ISACA, Digital Trust Ecosystem Framework, 2024
The DTEF leverages a systems thinking approach, i.e., it acknowledges that a change to one part of an organization will affect other parts of the organization. For example, new technology will have ripple effects throughout the enterprise. It is this systems thinking approach that allows enterprises utilizing the framework to ensure that the privacy department can be a business enabler and align with overall enterprise goals. Enterprises that struggle with maximizing the value of their data while protecting privacy can leverage the DTEF to determine areas in which organizational objectives may be at odds with privacy objectives.
There are several examples of how the DTEF domains relate to privacy:
- Culture is a pattern of behaviors, beliefs, assumptions, attitudes, and ways of executing activities. External factors such as geographic location and ethnicity can affect people, which, in turn, affects culture. From a privacy perspective, culture may vary if consumers and staff are from a region that has strict privacy laws in place. This DTEF domain can help enterprises manage various consumer expectations. Knowing how culture affects data subjects’ expectations and priorities can help guide enterprises that are determining what data to collect and how it may be used.
- Emergence refers to the arising of new business opportunities, behaviors, processes, and other relevant items as the subsystems between people and processes evolve. It is important to note that emergence is not always positive; people do not always interact with processes in an ideal way. The adequacy decision about the EU-US Data Privacy Framework, which addresses the transfer of personal data between the European Union and the United States,2 is an example of privacy-related emergence.
- Enabling and support is the dynamic interconnection through which technology enables process, and process, in turn, supports the deployment and operation of technology. Enabling and support can ensure that processes and technologies are operating efficiently and in the desired manner. This domain can aid in the use of privacy by design in the creation and delivery of products and services; it primarily addresses how processes and technology can incorporate privacy by design principles. The enabling and support domain can ensure that new processes and technology are not configured in a way that mandates the collection of excessive amounts of information.
- The human factors domain relates to how people interact with technology and the development of tools to facilitate the achievement of specific goals. The human factors domain can help enterprises identify and remediate privacy dark patterns, which are practices that make it difficult for system/product users to understand and express their privacy preferences. This domain is critical to ensuring that enterprise use of data aligns with consumer expectations. It can set a baseline for what consumer expectations are and help combat some of the challenges associated with lengthy privacy notices that consumers may not read.
- The direct and monitor domain translates existing governance concepts and measures, encourages enterprises to meet their missions and goals, and establishes boundaries and process-level controls. This domain can help enterprises ensure that their privacy-related policies and procedures are defined. It can prevent a privacy strategy from being in opposition to other enterprise strategies, i.e., by ensuring that data privacy practices and data processing practices are in alignment.
- The architecture domain refers to the “fundamental concepts or properties of a system in its environment embodied in its elements, relationships, and in the principles of its design and evolution.”3 The architecture domain, like the enabling and support domain, can help enterprises practice privacy by design and incorporate it into the overall digital trust infrastructure. This domain explicitly calls out the alignment between privacy objectives and enterprise objectives, which can ensure that data is used according to privacy requirements.
Privacy by Design
Privacy by design refers to the integration of privacy into the entire engineering process. Privacy by design can help enterprises ensure that new products align with privacy objectives and protect individuals’ data. Although privacy by design can protect data subjects and is mandatory in some jurisdictions,4 some enterprises struggle to incorporate it. Only 29% of respondents to a recent ISACA survey say they always practice privacy by design.5
It is understandable that privacy by design can be challenging in practice; privacy can affect nearly every part of the enterprise, and all initiatives involving personal information should incorporate privacy safeguards. The privacy focus area of the DTEF can help organizations better grapple with all the areas in which privacy professionals should be involved. This comes from the privacy focus area’s emphasis on identifying applications/technology processing personal information and aligning with privacy objectives and compliance requirements. Privacy professionals who understand which applications and processes involve personal data can work to ensure that they are operating in ways consistent with privacy objectives.
The privacy focus area explores the specific ways in which privacy should be considered. It emphasizes when privacy considerations need to be made, e.g., ensuring that policy life cycles align with privacy objectives and compliance requirements. It helps privacy professionals work cross-functionally and can spur collaboration. For example, there is an activity in the privacy focus area about including privacy risk in the risk scenario inventory. This can help break down organizational silos, e.g., risk activities not factoring in privacy-specific risk, and embed privacy across the organization.
Feedback Loops
Privacy professionals must prioritize protecting personal information and the people to whom that information belongs. Enterprises often struggle to maintain trust with consumers when privacy practices do not meet consumers’ expectations. This can happen for a few reasons: Enterprises are not always clear about what data they are collecting and why they are collecting it, and consumers may not have the time or expertise needed to understand what a terms of service document or privacy notice is actually explaining.
Ninety percent of consumers accept terms and conditions without reading them.6 Some of this is because terms and conditions are lengthy, filled with jargon, and difficult to understand. For example, reading Microsoft Teams’ terms of service would take almost two and a half hours.7
Given that enterprises cannot force consumers to read terms of service agreements, and they may be legally required to share lengthy, complex documents detailing privacy practices, ensuring that consumer expectations and enterprise practices align is imperative. This can be done by periodically collecting feedback about privacy practices.
The DTEF’s emphasis on feedback loops (both internal and external) can help align enterprise use of personal information with privacy objectives and consumer expectations. For example, one privacy activity involves optimizing user experience for usability and alignment with privacy objectives based on quantitative and/or qualitative data. The DTEF emphasizes the iterative nature of these activities; as the ecosystem, consumer expectations, and data processing practices change, feedback should be gathered to ensure that any new initiatives meet consumer expectations.
Regularly capturing this feedback ensures that the data an enterprise collects and uses aligns with consumer expectations about privacy. This can help enterprises maximize the insights and value data provides without damaging trust with data subjects.
Conclusion
Trust with consumers can benefit revenue growth, an organization’s reputation, and customer loyalty.8 Privacy violations, such as using data for purposes other than what it was originally collected for, can significantly harm the trust between an individual and an enterprise.9 To best maximize the value of data while respecting consumers’ privacy, enterprises should practice privacy by design and solicit feedback from consumers. ISACA’s DTEF is a powerful resource that can help ensure privacy is embedded throughout the enterprise and works to build trust and support the organization’s objectives.
Endnotes
1 Burns, S.; “3 Ways Data Is Helping To Improve Business Efficiencies,” Forbes, 2 December 2020
2 European Commission, “Data Protection: European Commission adopts new adequacy decision for safe and trusted EU-US data flows,” 10 July 2023
3 International Organization for Standardization (ISO); International Electrotechnical Commission (IEC); Institute of Electrical and Electronics Engineers (IEEE); ISO/IEC/IEEE 42010:2011(E) – Systems and Software Engineering – Architecture Description, 1 December 2011
4 GDPR-info.eu; “Art. 25 GDPR: Data Protection by Design and by Default,” 13 July 2016
5 ISACA, Privacy in Practice 2024, 18 January 2024
6 Cakebread, C.; “You're Not Alone, No One Reads Terms of Service Agreements,” Business Insider, 15 November 2017
7 Cohen, J.; “It Would Take 17 Hours to Read the Terms & Conditions of the 13 Most Popular Apps,” PCMag, 4 December 2020
8 PwC, “The Complexity of Trust: PwC’s Trust in US Business Survey,” 16 September 2021
9 Martin, K.; “The Penalty for Privacy Violations: How Privacy Violations Impact Trust Online,” Journal of Business Research, vol. 82, January 2018, p. 103-116
SAFIA KAZI, CSX-F, CIPT
Is a privacy professional practices principal at ISACA. In this role, she focuses on the development of ISACA’s privacy-related resources, including books, white papers and review manuals. Kazi has worked at ISACA for 10 years, previously working on the ISACA® Journal and developing the award-winning ISACA Podcast. In 2021, she was a recipient of the AM&P Network’s Emerging Leader award, which recognizes innovative association publishing professionals under the age of 35.