Muzamil Riffat, CISA, CRISC, CISSP, PMP, GWAPT
For most people, the notion and understanding of privacy tends to be fluid. Here is a question then: How much personal information should an individual be willing to sacrifice to reap the perceived benefits of convenience?
Well, if you are not certain about what the boundaries of privacy are, how are you supposed to make an informed decision about how much of it to sacrifice? Further complicating the matter is the rapid advancement in technology that is creating previously unimagined avenues of information collection and analysis with or without our knowledge. Users, organizations and governments have become three corners of a triangle in which the lines of the relationship, as far as privacy of information is concerned, are increasingly blurred.
Information is power, indeed. Therefore, it is not surprising that governments and organizations are employing all resources within their capabilities to utilize data collection and processing technologies for their noble or notorious goals (depending upon from which angle it is being viewed). This, in turn, is adding fuel to already bitter privacy disputes.
As our digital footprint is created at an unprecedented pace, some pundits are predicting that the concept of privacy as we know it, or knew it a few years ago, will quickly become a thing of the past. The drastic shift in the social/behavioral change for an information economy is due to the fact that the choice of privacy is slowly, but surely, snatched away from users. In response to the promises of technological advancements, users are willing to sacrifice a bit of privacy for each benefit in different areas of their lives. The cumulative effect of all these trade-offs will result in the end of privacy.
For auditors, the ever-changing landscape of information protection and utilization requires them to adopt a systematic and disciplined approach to ensure that all risk associated with privacy and/or potential information misuse has been mitigated to an acceptable level. Compliance to emerging laws and regulatory requirements should also be monitored to limit an organization’s liability or reputation risk.