Last updated: 16 May 2016
You are the Vice President of Operations for a large multinational corporation and are about to launch a line of voice operated smart TVs. It’s Monday, 9:00am and you receive a call from Damon, the Chief Privacy Officer.
“Hello Kyra! I am calling in regard to the new line of TVs we’re preparing to launch. As you may know, the voice activation feature ‘listens’ to what customers are saying, and the info is then transmitted back to us as well as to a third party that converts speech to text for us. Although our intent is to capture commands and queries to help us make improvements, and the data is only collected when the voice recognition feature is activated, if people’s spoken words include PII then that info is also captured. We need to ensure that the info is transmitted in a secure manner. Could you please put together a compliance guide to ensure the user data is protected? Let’s start with a set of principles, which will set us on the right path to prepare for compliance audits across the world.”
You hang up and get to work. Thirty minutes later you have scribbled a list on the back of a manila envelope, which looks something like this:
- Collect customer data fairly and for one stated purpose only: have a legitimate reason for processing the customers’ audio files, give the customer a real choice to opt out, and run no fishing expeditions.
- Opt-in: ship TVs with voice recognition switched off so the customer can turn it on if interested, and make it just as easy to turn off once activated.
- Collect relevant data: only collect what’s needed to improve the quality of the product. Don’t keep data on the “off-chance” that it will be useful in future.
- Collect accurate data: check the quality of the audio files received so that the data stays relevant and leads to the right decisions.
- Retention and purge policy: don’t store the data longer than necessary, and don’t sell it.
- Process data in compliance with regional privacy legislation: examine the privacy laws in every country where we plan to launch the smart TVs.
- Secure the data: encrypt customer data in transit and at rest using standard, well-reviewed cryptography rather than a home-grown scheme. In transit that means an authenticated TLS connection on both hops, from the TV to us and from us to the speech-to-text vendor, with the server certificate actually verified; at rest it means restricting who holds the decryption keys. The vendor must be contractually held to the same standard, since the audio leaves our control when it reaches them.
- Transfer data across borders only according to regional rules: before sending customers’ audio data from Region A to the repository at head office in Region B, confirm that Region A’s law permits the transfer and under what conditions.
- Appoint a data custodian, a trusted third party who will independently verify the data, implement and enforce these policies, and release only the data actually required for product improvement.
Done! You review your list and realize the scope and scale of the project. “I hope a lot of these policies and processes have already been implemented – I had better formalize this in an email and get the ball rolling before I forget and throw this envelope in the mail.”
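The “Secure the data” principle above is the one that usually fails in practice on embedded devices: the firmware does encrypt the upload, but skips certificate verification, so anyone on the customer’s network can impersonate the collection server and read the audio. The following is an added example, not part of the original page and not the company’s real firmware: it shows, in Python, a TLS client configuration that the TV (or the head-office service talking to the speech-to-text vendor) should use, next to the weak configuration that is commonly shipped, plus a small audit function that flags the weak settings. The host names are placeholders; no network connection is made.

```python
import http.client
import ssl

# Placeholder endpoints for the two hops described in the scenario (assumed, not real).
HEAD_OFFICE_HOST = "voice-collect.example.com"
SPEECH_TO_TEXT_HOST = "stt-vendor.example.net"


def hardened_client_context(ca_bundle=None):
    """TLS client context the TV firmware should use for uploading audio.

    ca_bundle: optional path to the CA file that signs our collection
    servers (pinning to a private CA is preferable to the system store);
    None falls back to the platform's default trust store.
    """
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # no SSLv3/TLS 1.0/1.1
    ctx.check_hostname = True                       # cert must match the host we dialled
    ctx.verify_mode = ssl.CERT_REQUIRED             # unverifiable cert aborts the handshake
    return ctx


def weak_client_context():
    """The configuration to avoid: traffic is encrypted, but to whoever answers.

    This is the pattern that lets an attacker on the customer's LAN stand up
    a fake collection server and receive the audio in the clear.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE # accept any certificate, including a self-signed one
    return ctx


def audit_context(ctx):
    """Return a list of findings for an SSLContext; empty means it passes.

    Intended as a unit-test-style check that firmware builds can run so a
    'temporary' verification bypass does not reach production.
    """
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not required")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 allowed")
    return findings


def upload_connection(host, ctx):
    """Build the HTTPS connection used for the audio upload.

    Construction does not open a socket; the handshake, and therefore the
    certificate checks configured in ctx, happen on the first request().
    """
    if audit_context(ctx):
        raise ValueError("refusing to upload with a weak TLS context: %s" % audit_context(ctx))
    return http.client.HTTPSConnection(host, context=ctx)


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_client_context()) or "OK")
    print("weak:    ", audit_context(weak_client_context()))
    conn = upload_connection(HEAD_OFFICE_HOST, hardened_client_context())
    print("would upload to", conn.host, "on port", conn.port)
```

The audit function is the piece worth keeping in the build pipeline: a context that passes it still depends on the CA bundle on the device being the right one, so the bundle (and its rotation when a CA is retired) belongs in the same review as the principles above.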