Privacy: A Business Imperative and Pillar of Corporate Responsibility
By Cecily Joseph
All of us can see how technology can change and improve lives. Wearable devices can help better manage health, home sensors can reduce your energy use and costs, and STEM education can lead to an in-demand and fulfilling career. Working in Silicon Valley, I see leading technology companies all around me, pass self-driving cars on my daily commute, and have a love/hate relationship with the Symantec security robot that now patrols our corporate campus.
With these incredible opportunities and technological advancements comes the crucial responsibility to ensure companies like Symantec are assessing the use of their technology. In conducting our sixth materiality assessment as part of our recently released 2018 Corporate Responsibility (CR) Report we paid special attention to the evolving privacy landscape and also noted a new material issue: The social impact of technology.
Companies today do a lot in driving their sustainability agendas. At Symantec this year, we made incredible environmental progress, reducing greenhouse gas emissions by 15 percent in FY18 and reaching our 30 percent reduction target in just three years. We also increased employee volunteer hours by 28 percent and used our philanthropic dollars to help close the diversity and gender gaps in the tech workforce. While climate change, employee engagement, and diversity are all vital aspects of a company’s commitment to corporate responsibility one of the most important things we can do is to make sure our technology is being used responsibly.
At Symantec this means:
- Building internal policies and practices that ensure Symantec’s compliance with emerging privacy regulations
- Delivering products and services that enable consumers, businesses and governments to protect their personal information
- Engaging policy makers and other stakeholders on privacy related issues
- Managing our products responsibly to reduce the risk that they are being used to infringe upon privacy rights or freedom of expression
- Supporting global communities through our software product donations
Privacy and Corporate Responsibility
For software and technology companies, the link between data privacy and corporate responsibility is relatively straightforward. But should CR practitioners in non-tech industries focus on privacy? I think so, and here’s why:
First, no matter what industry you work in, more products are becoming connected products. Mattel released a WiFi-connected Hello Barbie in 2015 and researchers promptly uncovered several vulnerabilities that showed it could be hacked into a secret listening device.
Second, regardless of industry, companies process and store both customer and employee data that must be kept secure. Fast food chains like Wendy’s and Chipotle, and health insurers like Anthem and Premera, have all been hacked, and retailers Macy’s and Adidas experienced customer data breaches in 2018.
In addition to increased risk, privacy regulation is also changing. This May companies across the globe were forced to increase their privacy efforts to comply with the European Union’s recent General Data Protection Regulation (GDPR). And Europe isn’t alone; data protection law continues to develop swiftly in other regions. Privacy regulations are changing in the Asia Pacific region and in the U.S. California’s governor recently signed the California Consumer Privacy Act of 2018.
Finally, data privacy must become a pillar of corporate responsibility programs because stakeholders are demanding it. People are concerned about the misuse of their data, investors are asking for increased corporate transparency, and NGOs continue to show us how privacy is a fundamental human right.
Like other tech companies, GDPR readiness was a critical initiative for Symantec and we took a number of steps to strengthen and enhance our privacy practices. We have internal policies and practices that ensure our own legal compliance with emerging privacy regulations and engage with policy makers and other stakeholders on privacy-related issues. We are also in a unique position as we offer products that help consumers and organizations secure and protect their important data as well as those that help companies stay compliant with evolving privacy regulations. And, as part of our commitment to delivering on our mission to make the world a better and safer place, we’re continuing to look for ways where we can do even more to help people protect their personal information.
The Social Impact of Technology
In addition to our focus on privacy, we have an obligation to ensure our products are distributed and managed responsibly, and we carefully monitor human rights risks associated with the use of our technologies in specific regions and by specific customers. Safeguards and controls include robust global trade compliance efforts, stringent contract provisions with partners and end users, and detailed processes for due diligence on orders of relevant products to countries of concern.
As an example, our Public Internet Access Policy aims to minimize the risk of our technology being used for inappropriate purposes. We track sales opportunities, hold orders deemed high-risk until we can collect more information on intended use, and reject orders found to pose a human rights risk. We follow all legal sanctions and do not sell to certain countries where our products could be used by governments against their people.
Managing the social impacts of our products also means making sure all people have the ability to keep their data secure and to protect themselves from cyber threats. Through a partnership with TechSoup, our products are distributed free of charge to nonprofits in need around the globe.
During FY18, we donated more than 440,000 licenses with a retail value of over US$19 million. Our donation program served over 22,000 organizations in 55 countries last year. These product donations keep confidential data safe, keep technical systems running virus-free, and put nonprofit partners’ minds at ease to allow them to focus on what really matters.
For the Japan Association for Refugees, entrusting Symantec Endpoint Protection with keeping sensitive data secure, allows the organization to focus on advocating for the rights of refugees and asylum seekers. At Garden to Table Trust, keeping their systems running means they can teach children in New Zealand to grow, harvest, prepare, and share more fresh fruit and vegetables so they can live longer and healthier lives. And, at la Fundación Cristo Rey in Spain, our products help protect the identities and personal information of the 3,000 students and 50 nonprofit organizations that receive training services from the nonprofit.
These efforts are a start and we know we need to do more. Just as technologies are constantly changing and situations around the world evolve, we know we need to constantly revisit our responsibilities to ensure our products are being used responsibly.
As new research shows that data privacy goes directly to building trust with stakeholders, to providing companies with a competitive advantage, and to protecting human rights, I anticipate that we’ll see more and more companies embed privacy into their CR programs. Publishing our annual CR Report provides a time for reflection. I’m proud of the progress we’ve made, recommitted to the issues where we need to do better, and excited to see where a new year takes all of us.
Help us strengthen future reports by providing your feedback on Symantec’s 2018 CR Report via a brief survey.