Many organizations are just beginning to think about implementing comprehensive data privacy programs.
The Graduate Management Admission Council (GMAC)—the not-for-profit organization that owns the Graduate Management Admission Test (GMAT), the standardized exam required by many graduate-level business schools around the world—began revamping its privacy program four years ago and is now ahead of many of its peers.
GMAC recently won the International Association of Privacy Professionals’ 2009 Innovation Award in the small organization category (fewer than 5,000 employees) for a data protection and privacy program that continues to evolve to support the GMAT examination globally. In 2008 approximately 260,000 people took the GMAT in 110 countries, according to Allen Brandt, GMAC’s corporate counsel, data protection and privacy.
In June the efforts paid dividends when the French data protection authority, the CNIL, granted approval to the testing company to use palm vein identification technology to secure the GMAT in France. (For more on this, see “Biometrics Put to the Test,” page 62.)
The organization began to rethink its privacy program in 2005 when it broke with a vendor it had used for 50 years to administer the test and contracted with a new one, Pearson VUE. Brandt says the change provided an opportunity to reassess the organization’s data protection and privacy processes and policies, and there was also an implicit deadline by which the assessment had to be completed because it was tied to the changeover. “Admittedly, it’s harder if there’s no change in your business to get the management to understand it,” he says.
In this case, the commitment to data privacy and protection came from GMAC’s board of directors, Brandt notes. “They said, ‘This is the way we’re going to run this business, and we’re going to respect people’s choices, and we’re going to handle our data in a certain way.’”
As a result, the group appointed, for the first time, a chief privacy officer and a chief security officer. GMAC also decided to minimize the data it collects and stores. The organization asked two questions, Brandt says: “What are we looking for?” and “Do we really need it?”
As a result of asking those questions, GMAC stopped asking test takers for Social Security numbers in 2005, and the organization had deleted all such numbers from its systems by 2006.
GMAC also stopped collecting credit card information. The company that delivers the test for GMAC now also processes test takers’ credit card payments. GMAC likewise used to collect credit card data from students buying any of its 16 other products and from graduate schools paying for a search service that allows them to find test takers, but it decided to outsource that activity as well. GMAC now receives only a code from the third party indicating that the transaction has been approved; the card data itself never enters GMAC’s systems.
As part of the new focus on data privacy and protection, the organization revisited employee training procedures. New employees now watch a 90-minute privacy and security introduction, and all employees receive a monthly newsletter highlighting these issues. They also participate in mandatory annual training in addition to awareness-raising activities throughout the year.
The company is also proactive. For the past two years, Brandt says, the organization has taken a privacy-by-design approach by embedding a member of the data protection or the security team on most projects. Brandt says they spend more time educating data users on privacy than on security. “With privacy, it’s a softer issue,” he adds. “It’s not quite as intuitive.”
The international aspect of the operations complicates the organization’s data privacy policies, because laws vary by country, but management has learned to deal with the challenge. The company often goes with the most stringent approach to data protection and applies it to all operations, as it did when it shifted to requiring “opt in” consent. GMAC now requires consumers to opt in for any mailing or program that allows the organization to share consumers’ personal information. For instance, consumers must manually click a box on the Web site to receive information from GMAC or to use the search service.
Approximately 20 countries, mainly European, legally require organizations to use opt-in consent, rather than placing the burden on consumers to uncheck boxes that have been pre-checked.
“Privacy in Europe is a fundamental right,” Brandt says. In the United States, privacy protections are not as strong, so many businesses don’t think of privacy violations as a criminal offense, he says. “We educate people on that every week.”