Three core privacy mantras for Aussie businesses to live by
There’s a growing body of evidence to suggest consumers are pulling back from sharing data about themselves and their preferences in greater numbers.
In a recent PwC study, half of social media users, and over one-third of consumers of media, third-party travel websites and healthcare services, had heightened concerns about personal data privacy. A shade under half – 49 per cent – said they no longer share excessive personal data beyond what is necessary.
The flip side of that figure, however, is the majority – 51% – still share a considerable amount of personal data online.
Why? The reason could be the lack of a plausible opt-out or alternative.
If a consumer wants a loan or use a service that requires them to establish their identity, the choice is either to do what the bank or provider asks, and accept the risk of that business becoming a future data breach victim, or not get what they want.
Consumers may see no realistic option other than to over-share their data in exchange for access.
The provider may also be hamstrung – forced by the regulatory environment to collect and store personally-identifiable information (PII) for a (potentially undefined) minimum period of time, and keep it in case anyone ever asks for it. Some high-profile businesses breached had data going back over a decade with no apparent need. This has now created a situation where many Australian organisations are sitting on PII goldmines.
The main mantras
There is no shortage of suggestions and generic advice on what Australian businesses can do (or invest in) to reduce the risk of a privacy breach, and what actions consumers can take to reduce risks on their side.
Ideally, consumers shouldn’t be forced to make these kinds of decisions. While not dismissing the notion of personal responsibility, the ideal situation would be for organisations collectively to take a more principled and by-design approach to preserve privacy in every facet of how they interact with their consumer.
Two core mantras immediately come to mind.
First, there’s something to be said for adopting a security-paranoid approach to the way you operate. Start from the position that while you can (arguably) probably protect any PII you collect, imagine you failed to do so: what would be the consequences? And more fundamentally, should you have collected and held that PII data in the first place?
Devicie, for example, has taken a hard stance on PII. We try not to acquire any data we don’t explicitly need. What little we do collect, we try to sanitise on its way into our environment and also when presented back to our customers and our own people. We currently use data masking – obfuscating the appearance of PII in our systems using symbols or other characters – for this purpose, hashing is a more robust and similarly useful approach that we are moving to where possible.
This works for us, but isn’t going to suit every organisation. Some organisations naturally have to collect more PII in the process of doing business. However, it does not preclude them from adopting the second core mantra: put yourself in your customer’s shoes.
One thing to consider is to think about data uses as if you were the customer of the service. Always picture yourself as the customer and say, ‘Would I be comfortable with this?’ Indeed, in adhering to standards such as the GDPR appropriate consent for data use is required, which is a good perspective to take. After all, there’s always a risk that data acquired for one purpose is stretched to another – inevitably unethical and often in breach of regulations (even illegal)
It may be convenient to gather telemetry data from consumers that interact with your website – and users will probably tolerate it as well. But going to the next level and using social media trackers to see what the consumer does on other people’s websites is likely to be less well-received. The ‘sniff test’ is if it would irritate or annoy you, don’t do it.
Today, social responsibility is as – if not more – valuable than corporate desire. Consumers are increasingly aligning with organisations that act ethically, and that increasingly means being ensuring privacy as well.
A footnote on footprint
Depending on the organisation, a third mantra may also be worth considering: to make it your business to reduce, not add, risk. This is particularly applicable to organisations that serve or service others.
In security circles, there’s considerable effort to bring the security of suppliers and other third parties into line with customer-set standards. Similar efforts exist in decarbonisation and sustainability, where outsourced providers can be a significant contributor to Scope 3 emissions, and customers again are moving to align with providers that offset and reduce their emissions over time.
Privacy is on track to become similar. That is, organisations will choose to work with others that demonstrate a similar commitment to privacy. This is already happening: a Gartner survey last month found almost one-third of respondents had “abandoned an agency or channel partner over the last year due to customer trust or privacy concerns”.
This may become even more pronounced as changes to the Privacy Act in Australia (and similar reviews across the ditch in NZ and globally) push organisations to hit a collectively higher bar of PII preservation and protection. Given the precarious state of privacy, and a seemingly endless parade of breaches, change is long overdue and – for many consumers – cannot come soon enough.