August 3, 2018 By Jasmine Henry 4 min read

Among the many requirements of the General Data Privacy Regulation (GDPR) is a directive to implement new systems of “privacy by design and default.” In this post-GDPR era, the practice may turn out to be more than a mandate. True privacy by design could be a timely opportunity to engage and empower customers.

According to an April 2018 survey by IBM and Harris Poll, 78 percent of U.S. respondents said that an organization’s data privacy capabilities are “extremely important,” while only 20 percent “completely trust” those companies whose products they use. The findings of a 2017 study by software corporation SAP found that 79 percent of consumers will disengage from a brand if their data is used without consent or knowledge.

These attitudes expose a vast opportunity in making the shift to security by design and default. Adopting transparency around data privacy practices could provide the chance to rebuild customer trust and develop lasting relationships.

What is Privacy by Design?

The concept of “privacy by design” was introduced by Ann Cavoukian in the 1990s. She presented outlining principles for proactively incorporating data protection into systems and operations from the ground up. It was imperative, she wrote in her paper, that privacy “become integral to organizational priorities, project objectives, design processes and planning operations.”

From the user’s perspective, according to Cavoukian, the organization is responsible for establishing “openness and transparency … relating to the management of personal information.” The privacy by design mandate in the GDPR was directly influenced by Cavoukian’s work.

Even beyond very costly GDPR fines, there’s enormous risk in failing to adopt secure design. According to a June 2018 Ponemon Institute study, 74 percent of IT security practitioners say it’s “likely” their company had a security incident in the last year because of their digital transformation processes.

The Key: Respect for the Individual

Openness and transparency would require a transition of practice and priority from meeting disclosure requirements to genuine education, including the adoption of language that makes sense to the user.

“Until now, the average consumer was likely unaware that when they ‘turn on cookies’ it means they are agreeing to share their information with dozens — and, in some cases, hundreds — of affiliated partners. Those days are over,” wrote Kevin Cochrane in the Harvard Business Review.

At the core of Cavoukian’s content on privacy by design is the concept of “respect for the individual.” Organizations are well-served to consider the role of UX design principles outlined in the international standard 13407 (revised to 9241 in 2015) from the International Standard Organization (ISO), in which a key goal identified is “empowering the user.”

When privacy by design is achieved in the enterprise, customers should feel confident about how personal data is used and kept secure, how artificial intelligence (AI)-based recommendations are generated and how to revoke personal data at any time.

Five Ways to Rebuild Customer Trust

With consumer trust at historic lows, chief information security officers (CISOs) should view privacy by design as more than just a regulatory directive. When put into practice, genuinely user-centric, privacy-focused design practices can provide the groundwork for meaningful customer relationships.

The following are examples of ways the enterprise can embrace the GDPR’s directive to adopt privacy-based design and make these business practices apparent to the public.

1. Adopt Smarter Identity and Access Management (IAM)

A key opportunity for organizations to reduce friction in their users’ experiences while improving data privacy is through the adoption of smarter solutions for IAM.

Eight out of 10 data breaches involve weak or stolen credentials, according to the 2017 Data Breach Investigations Report from Verizon, and password reuse remains an undisputed problem. Enabling trust-based access through interoperable credentials, biometrics and multi-factor authentication represents a shift in IAM practices — and it’s a viable solution to password fatigue.

2. Prioritize Risk-Aware Authentication

Consumers are increasingly aware of the risks of password-based authentication methodologies, according to a January 2018 study by IBM — their survey of 4,000 consumers’ priorities found that security ranked higher than convenience, especially when it relates to money-based applications.

Organizations who adopt risk-aware authentication solutions for user detection and new account creation may have an advantage when it comes to both customer trust and risk mitigation.

Read the complete IBM Study on The Future of Identity and Authentication

3. Emphasize Customer Benefits

When data is being collected for personalization algorithms, it’s imperative to educate the consumer on how data-sharing can improve their experience through continual customer education efforts built into the user experience.

An August 2017 study by Pegasystems on consumer attitudes toward AI found that 70 percent are open to AI if it can provide some distinct value, such as saving the customer money or time. However, 88 percent demand that businesses are “more open about where AI is currently being used while also showcasing how it improves the customer experience.”

4. Offer Value in Exchange for Data Shared

You don’t need to limit the value you provide the customer to brand-specific purchases. When possible, data shared by customers should provide value across brand interactions. For example, customers of VineSleuth are provided with free, on-demand access to their algorithmically-generated personal wine taste profiles to share with friends and inform wine purchases outside the app.

5. Provide On-Demand Access to Data

While GDPR Article 15 details the “[r]ight of access by the data subject,” brands should consider implementing on-demand access. Cochrane recommends the inclusion of tools for managing privacy and data sharing within customer applications. The in-app customer data privacy center could include the ability for the individual to review their consent, update specific data permissions and download the sum total of data shared at any time.

While many security leaders are struggling to gain footing and update processes in the post-GDPR era, it’s valuable to consider the customer’s perspective.

Enterprises which embrace the directive to practice privacy by design have an opportunity for more secure authentication and access management, meaningful customer education and better data privacy. The results will likely shift data-dependent organizations toward design practices which balance UX with privacy compliance, but also the opportunity to rebuild critical customer trust and relationships.

More from Data Protection

How to craft a comprehensive data cleanliness policy

3 min read - Practicing good data hygiene is critical for today’s businesses. With everything from operational efficiency to cybersecurity readiness relying on the integrity of stored data, having confidence in your organization’s data cleanliness policy is essential.But what does this involve, and how can you ensure your data cleanliness policy checks the right boxes? Luckily, there are practical steps you can follow to ensure data accuracy while mitigating the security and compliance risks that come with poor data hygiene.Understanding the 6 dimensions of…

Third-party access: The overlooked risk to your data protection plan

3 min read - A recent IBM Cost of a Data Breach report reveals a startling statistic: Only 42% of companies discover breaches through their own security teams. This highlights a significant blind spot, especially when it comes to external partners and vendors. The financial stakes are steep. On average, a data breach affecting multiple environments costs a whopping $4.88 million. A major breach at a telecommunications provider in January 2023 served as a stark reminder of the risks associated with third-party relationships. In…

Communication platforms play a major role in data breach risks

4 min read - Every online activity or task brings at least some level of cybersecurity risk, but some have more risk than others. Kiteworks Sensitive Content Communications Report found that this is especially true when it comes to using communication tools.When it comes to cybersecurity, communicating means more than just talking to another person; it includes any activity where you are transferring data from one point online to another. Companies use a wide range of different types of tools to communicate, including email,…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today