Privacy and Trust: Couple Goals

In this article, we explore the symbiotic relationship between privacy and trust, examining how they reinforce each other and why they must be pursued together—much like “couple goals” in a thriving marriage. To truly understand this relationship more deeply, this article focuses on exploring the underpinnings of the formation of trust, and how privacy interplays with it – along with the role ethics and regulation have in both its establishment and in its repair.

Trust, Trustworthiness, and Privacy

Trust is the willingness of one party (person, consumer, employee, patient, organization, etc.) to be vulnerable to the actions of another party. The individual may have some factors encouraging them to trust and others to distrust. A 2022 HBR study noted that customers who trust a brand are 88% more likely to buy again and that 79% of employees who trust their employer are more motivated to work and less likely to leave. Their research also highlighted that high-trust companies are more than 2.5 times more likely to be high-performing revenue organizations and that the most trustworthy companies have outperformed the S&P 500.

But how is this concept of ‘trustworthy’ related to trust – because we can trust the untrustworthy, and distrust the trustworthy? If we want to understand when trust is well-grounded, we must address trustworthiness, the property to which trust is oriented. To determine the ‘trustworthiness’ of a party we evaluate them based on a set of criteria called Factors of Perceived Trustworthiness (Ability, Benevolence, Integrity), represented in the ABI Model of Trustworthiness (Mayer et al., 1995).

Studies have shown that if an organization is perceived to be caring about stakeholders’ information privacy needs (benevolence), honest and consistent in its dealings (integrity) and capable of protecting personal information (ability) the level of concerns over information privacy may reduce and trust increase. This is because consumers share personal information with companies based on the belief that their data will be handled responsibly and securely. Privacy, therefore, is the bedrock upon which such trustworthiness is built. When organizations respect and protect the privacy of their users, they develop these dimensions of trustworthiness. However, when privacy is compromised—through data breaches or unethical data practices—trustworthiness erodes rapidly, and trust is lost. This can lead to significant consequences, including customer attrition, reputational damage, and financial loss. Therefore, maintaining privacy is not just a legal obligation but a strategic imperative for sustaining trust.

In this way, organizations and/or individuals can either engender positive or negative effects on the different dimensions of trustworthiness, depending on their privacy (or security) related actions, decisions, behaviors and beliefs. Interestingly – when a breach of these dimensions takes place, the damage to trust and the ability to repair it is not consistent across each dimension. The Channel File 291 incident on July 19^th was not a breach. It was an outage caused by a logic error in a routine update. Technical details about the outage can be found on CrowdStrike’s RCA. We request that any mentions of breach be removed and that the Channel File 291 incident be classified as an “outage” throughout the piece. A breach of integrity (such as ChatGPT data scraping using European data without a legal basis) however, makes us stop and act, with trust more deeply damaged for longer and harder to repair. Finally, a breach of benevolence, for instance when Facebook/Cambridge Analytica were found to be using personal data in a way that was unethical, unexpected and without basic legal compliance– can damage reputation so badly that trust is often impossible to repair.

Ethics and Regulations

Ethics play a crucial role in the relationship between trust and privacy. Ethical practices in data protection and privacy go beyond compliance with regulations; they involve a commitment to an increased level of transparency, fairness, and respect for user autonomy. Companies that prioritize ethical considerations are more likely to foster long-term trust with their customers.

Regulation can often serve as the framework enforcing ethical standards. Laws like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are designed to ensure that organizations adhere to strict data privacy standards, thereby safeguarding consumer trust. Regulations create a level playing field, holding companies accountable for their data practices and providing individuals with rights and remedies in case of violations.

The Interplay: A Delicate Balance

Trust is built on the foundation of privacy, which is upheld by ethical practices and reinforced by regulation. Each element influences the others, creating a dynamic and interdependent relationship. For example, strong regulations can bolster trust by ensuring that privacy is protected, and ethical standards are enforced. Conversely, a breach of privacy can undermine trust, highlighting the need for more robust regulations and stricter adherence to ethical principles.

As the digital landscape continues to evolve, our understanding of these key concepts and their interplay must develop. By doing so, we can create a more secure, trustworthy, and ethically sound digital environment for all. Dr. Valerie Lyons will be discussing these concepts and talking to ateendees at the ISACA European Conference in Dublin October 2024.