As part of the CIO Days 2012 we did scenario planning sessions with a group of CIOs from the Netherlands. Scenario planning is methodology to consider what might happen in the future, and what the impact will be. Instead of trying to predict a future, we determined two dominant uncertainties about the future, and combined these in four possible futures. My Novay colleague Timber Haaker is our scenario planning guru, and also authored this blog post and this article in CIO Magazine nr.2013-1 with more background on scenario planning and the scenario planning sessions we did at the CIO Days. This is a pdf with only the relevant pages. All in Dutch. I facilitated the scenario planning session on privacy, the results of which I share below:
After listing uncertainties about what the future of privacy could be, we selected the two main uncertainties (though consensus). These were:
- how the privacy regulations evolve: high (strict privacy regulations which are enforced and with high penalties) or low (relaxed regulations, little enforcement and low penalties),
- privacy awareness: low (no-one cares) or high (a major concern and therefore potential differentiator).
Combining the two main uncertainties, resulted in the below four scenario’s.
The scenario’s are:
- In Tick Box-scenario regulations are very strict, but people generally don’t care. An organisation thus has to fulfill privacy requirements to satisfies lawyers, contrary to customers. One could consider this money wasted…
- In the Fear-scenario privacy is a hot issue. Both regulators as people in general care a lot about privacy, and privacy requirements are a major issue. A CIO should ‘fear’ not being able to fulfill privacy requirements. A company should invest in privacy-by-design, privacy-enhancing technologies and privacy expertise in general.
- In the Choice-scenario the regulations are relaxed, but people do care about privacy. There is thus a choice from the perspective of the business, and privacy is a differentiator.
- In the Ignore scenario neither regulators not people care, and privacy is not an issue for the CIO.
Is was interesting and fun to facilitate this session. By doing it in a session (starting in subgroups) we got everyone involved (wisdom-of-the-crowd). Since we, of course, had little time we did not go into details on the different scenario’s, but I think all of the participants (including myself) learned something on how privacy may evolve, and how to use scenario planning to be prepared for a unknown future.