Building a personal privacy posture

Part 17 of 18. Sixteen posts of specifics, condensed into a posture rather than a list. The five sentences that should govern personal privacy for a board director and their household. How to keep it current.

_Part 17 of 18 in the Digital privacy for board directors series._

This is the penultimate post in the series, and the one I have been working towards. After sixteen posts of specifics — the home router, the smart speaker, the school edtech, the social media platform, the gaming voice chat, the financial controls, the public exposure, the board portal, the travel posture, the AI year — the question worth asking is whether all of it adds up to a posture rather than a list.

I think it does. This post is the synthesis. Five sentences that, taken together, govern the personal privacy of a board director and their household. Each sentence rests on a particular set of practical decisions from the series. The sentences are short on purpose.

The five sentences

One. The household is the unit of privacy, not the individual.

The protection of a board director's privacy is not, in 2024, about the director's own posture in isolation. It is about every member of the household — partner, children, grandparents, in-laws, household staff — operating on a coherent posture that they understand and agree to. The technical controls matter; the conversations that established them matter more.

The decisions that rest on this sentence: the smart-home audit, the photo-sharing arrangements, the conversations with extended family about social media, the standing rules for household staff. The household-as-unit framing is what makes those decisions coherent. The alternative — I will protect myself but my family will continue as before — is incoherent because the family's posture is, in practice, the director's posture.

Two. The director's role creates exposure; the work is to make the exposure deliberate.

You cannot become invisible. The role is a public one. Companies House is public, the corporate website is public, the annual report is public. The work is not to remove the exposure but to ensure that the exposure is what you intended and not what defaulted to you.

The decisions that rest on this sentence: the Companies House service-address choice, the corporate biography review, the LinkedIn privacy settings, the conference appearance rules around family. None of these makes the director invisible. Each makes a particular fact about the director's life either visible or not, by choice, after consideration.

Three. The relationship is the strongest control; the technical measure is its maintenance.

The senior household staff, the family, the extended family, the children, the schools — these relationships are the core of personal privacy. Every technical control in this series is, ultimately, a maintenance mechanism for one of these relationships. The standing rule about payment changes maintains the relationship with the assistant. The conversation about social media maintains the relationship with the children. The household network architecture maintains the relationship with the people who routinely visit your home.

The implication: a privacy posture built on technical measures alone, without the relationships, is fragile. A privacy posture built on the relationships, with the technical measures maintaining them, is durable. The director who has had the difficult conversations and not bought the gadgets is in a better place than the one who has bought the gadgets and not had the conversations.

Four. The half-life of the data determines the protection level.

The financial-detail-of-this-week data has a short half-life and warrants short-life protection. The photograph of your six-year-old has a forty-year half-life and warrants forty-year protection. The data your child's school collects has the same long half-life. The pattern in the 23andMe post earlier this year — that the data most worth protecting is the data that will be relevant for the longest — applies to households the same way it applies to firms.

The decisions that rest on this sentence: the what to share publicly about children decisions, the encryption choices for photo backup, the protective registration with Cifas, the credit-monitoring decisions. The principle scales: protect according to the half-life, not according to the immediate sensitivity.

Five. The next director will not have read sixteen posts; the discipline has to be portable.

You are not the last person who will benefit from this work. Your assistant of three years from now, the spouse who is still figuring out their own social media, the children who will become adults, the grandchildren who will be born — each is a future user of the privacy posture you build now. The work has to be portable: written down, explained, transferable.

The implications: the password manager is shared with the family on appropriate terms, the financial-hygiene decisions are documented, the standing rules for household staff are written and given to each new hire, the conversations with the children are repeated periodically as they grow. The posture you build is, in the best case, the posture your household lives in for decades. Make it teachable.

The standing audit

Once a year — pick a date, stick to it — half an hour against the five sentences.

Is the household, in aggregate, operating on a coherent posture? Or has one node drifted? The grandparent who started posting on Facebook again, the household manager who stopped enforcing the rule about payment changes, the child whose social media settings have quietly become more open. Catch the drift.

Is the director's deliberate exposure still deliberate? Has Companies House been kept up to date, or has the home address crept back in? Has the corporate biography drifted? Is the LinkedIn account still doing what you wanted?

Are the relationships current? The assistant who has been with you four years has been having a different conversation about the standing rules than the new assistant who started last month. Refresh both.

Has the data half-life been respected? The new platform you adopted this year — what is its half-life and what is its protection level?

Is the discipline still portable? The notes you made when you first set this up — are they accessible to the people who will need them when you are not in the room?

Half an hour. Once a year. The thing that prevents this from becoming a one-time exercise that decays.

What this synthesis is not

It is not a checklist. The series has had checklists where they made sense. The synthesis is the layer above the checklists — the five things to remember when the checklist is not in front of you.

It is not a framework with a clever name. I have deliberately avoided giving it one. Frameworks attract certifications, certifications attract consultants, consultants attract slide-decks. The five sentences do not need any of that. They need a director willing to live by them.

It is not a guarantee. No privacy posture in 2024 is a guarantee. The threats change, the technology changes, the family changes. The posture is a stable platform on which to make new decisions as circumstances shift.

What this month looks like

One sitting, an hour, with a notebook.

Write down the five sentences for your own household. Use mine if they fit. Change them if they do not. Add the specific decisions from your own circumstance that rest on each.

Read what you have written. If it describes the household you actually live in, the work is roughly done and the annual audit is the maintenance. If it describes a household you do not yet live in, the work over the next year is closing the gap.

In four weeks: the last post in the series. Passing this on — to the next director, to the children, to the people who will inherit the household's privacy work from you.