12 Components of Trust – In relation to personal data

Over on the Project VRM mailing list there is a developing discussion around the different variants of ‘trust’ that relate to CRM or its VRM counter-point. From that discussion it’s clear that this is a complex area with people coming from multiple different perspectives.

To try to help that debate along, here’s a view from the Trust Index assessment – which tackles only the ‘should I trust you with my personal data’ aspect (*), but does so in some detail. Before delving into that, it is worth reminding that this assessment is based on European grade Privacy Legislation and its underlying principles, and then further enhanced with additional questions arising from good customer management practice. The principles themselves are very solid and based on many years of applied thinking (its only the deployment that does not work well).

When Privacy Officers answer these questions to complete an assessment, they select from 5-point scale answers which are backed with detailed compliance text to help clarify any queries they may have on scoring. Additionally, each question/ score is weighted based on input from experts as to the relative impact of problems in each of the 12 areas.

(*) At present we take the view that to tackle more than one trust component would be too difficult as their definition is less solid than ‘privacy’ which has legal underpinnings. Should string definitions of ‘trust’ occur across other areas of the VRM discussion then this index can be extended.

Trust Index Assessment

1. How would you describe the overall approach your organisation takes to managing personal information?

2. What safeguards does your organisation have in place around the collection of personal information?

3. Does the organisation have processes and controls in place to ensure that my personal information is used only for the purposes I have agreed to in providing it to you?

4. To what extent does the organisation deploy the principle of retaining the minimum information to support the use being made of it?

5. How does your organisation ensure that the accuracy of my personal information is maintained?

6. Does the organisation have a comprehensive, accessible policy around how long it retains personal information, and how it disposes of it on completion of use?

7. How does the organisation approach the principle that I should be able to access the personal information stored on me?

8. How does the organisation ensure the security of my personal information when it is their hands?

9. How does your organisation ensure the security and integrity of personal data when you share it with other your suppliers, partners and other third parties?

10. How does your organisation enable me to understand the risks that exist around your management of my personal information, where liabilities lie and what remedies will be brought to bear in the event of a data breach?

11. Does the organisation have a process in place to proactively contact me if an information breach occurs that exposes personal information about me to risk?

12. To what extent does the organisation enable me to access/ download/ utilise the information within your systems to add value to me?