Data privacy is everywhere in the news today. For the first time, the public is getting to peak behind the curtain at Facebook (and, by proxy, the entire tech industry), and finding what appears to be cavalier attitudes about personal privacy. Most of us are just beginning to comprehend the near total consolidation and distribution of our online activities. And many are probably feeling we have been a bit too blasé in allowing companies to collect, store, use and sell our personal data.
At the same time, both European Union (EU)-based companies and non-EU-based companies that have a global presence are facing the challenge of implementing measures to address General Data Protection Regulation (GDPR), a new EU regulation meant to give EU citizens transparency and control over their personal data. While the concept seems straightforward enough, it mandates massive and expensive changes for companies around the world.
Missteps at Facebook and the looming GDPR are just harbingers of what is to come. High-profile testimony on Capitol Hill may be the prelude to similar regulations in the U.S. Even without formal policy, enterprises will need to offer consumers increased transparency and the opportunity to select their desired level of privacy and personalization. In other words, they must do what it takes to build connection and trust with their customers.
While the volume of personal data collected by corporations and employers has been steadily increasing, awareness of implications to the individual have not followed the same trajectory. Many recognize that data collected about their tastes, preferences and whereabouts feed marketing and content campaigns, but only a minority of people seem to be concerned about what it might mean about the erosion of their privacy. Some are frustrated with the lack of choice in determining the extent to which data is harvested across the online ecosystem – not just the company or platform they joined. And some are concerned with how they may be conflated with groups they feel do not reflect them.
To add to consumer anxiety, there doesn’t appear to be a way to know exactly what data is being collected, whether the data is accurate, or how to limit or delete this data if so desired. Is the public waking up from its convenience-induced complacency? Some are asking whether free access to platforms such as Facebook and Google are worth the loss of privacy and the likelihood that they’ll be micro-targeted to influence buying behavior or even political activity.
While consumers do have some very limited – and intentionally hidden – capabilities to determine what data is captured, the prevalent perception is that data collection is inevitable. Individuals sign away rights by agreeing to terms and conditions too long and complicated to read in exchange for the ability to use an app. Some consumers are aware of options and tweak their privacy preferences in application settings, but many view it as a binary opt-in or opt-out decision. But, as the public becomes increasingly aware of the misuse of personal information, “in or out” will no longer be a sufficient option.
What does this mean for enterprises? While public resistance to wholesale data collection is growing, enterprises must consider closely the following: personal choice, transparency and data governance.
1. Personal Choice
Enterprises will need to endow products and services with the capability to easily and overtly select the level of personalization based on a consumer’s appetite for relinquishing their personal data. The prevailing desire for choice will drive the need to provide a sliding scale of privacy and personalization. This will impact everything from marketing campaigns to app design. Based on GDPR constructs, enterprises will need to accommodate the following rights:
- Access – the right to access your data
- Correction – the right to correct any errors
- Erasure – the right to erase data where it is no longer relevant and the right to forbid companies to share data with third parties
- Restriction – the right to restrict use of your data
- Portability – the right to transfer data (processed automatically) to another controller
- Object – the right to object to processing
- Informed – the right to be informed of the reasons for processing
- Withdraw – the right to withdraw consent
Enterprises will be forced to pull back – and keep back – the curtain. The days of blind trust will be replaced with demand for full transparency. One of the key principles in GDPR is to be fair and lawful – to inform and be transparent about the use of personal data. Organizations will be required to state clearly how they plan to use personal data in concise, easy-to-understand terms, free of legal jargon and clearly marked and highlighted. Companies already are pushing content to their user base regarding their enhanced data privacy policies. As time progresses, the public will demand policies and practices that are even easier to access, read and understand – along with their options to choose.
3. Enhanced Data Governance
An enterprise’s data governance frameworks will need to pervade its IT environment. Personal data pertains to “any information relating to an identified or identifiable natural person.” This can include name, email, address, gender, location, cultural preferences, an HTTP cookie or even an IP address. Processing of personal data refers to “any operation or set of operations performed on personal data” and can be as routine as storing an IP address on your web server logs or feeding data into an AI engine. Companies will need to enhance their data governance and revisit how they collect and store their customer data regardless of citizenship. They will need to expand the data set previously viewed as sensitive and establish and expand data governance wherever they store or use customer data. This will include areas such as sales and marketing, contextual data being served up via an application, and internal and external data analytics. Companies also will need to do the hard work of identifying, consolidating and auditing the disparate sources of data across their entire enterprise.
Progressive companies are already moving beyond the regulatory and legal requirements and addressing data privacy as a matter of customer perception and trust. Some have created “creep boards” to review company policies about their use of personal data so they don’t “creep out” their customers. While many companies are busy tightening their ships to avoid GDPR penalties, all companies need to revisit their digital strategies and their implications on data.
ISG helps companies develop digital strategies for products and services that entail new data privacy and personalization techniques and sound corporate data governance structures. Are you concerned about your broader ecosystem? Contact me to discuss how we can help.
About the author
Nancy Jacobson brings a strategic focus to ISG clients aligning solutions to business and IT strategies and managing complex transformation environments to deliver business value and drive revenue growth. Drawing from broad experience in the consulting industry, Nancy focuses strategic planning and execution, IT transformation, and business and IT alignment to facilitate solutions that contribute directly to a company's strategic goals and market differentiation. She brings over 25 years of consulting and management experience defining and leading large-scale transformations for Fortune 500 companies.