Light Dark
August 3, 2018 By Jasmine Henry 4 min read
Data Protection

Among the many requirements of the General Data Privacy Regulation (GDPR) is a directive to implement new systems of “privacy by design and default.” In this post-GDPR era, the practice may turn out to be more than a mandate. True privacy by design could be a timely opportunity to engage and empower customers.

According to an April 2018 survey by IBM and Harris Poll, 78 percent of U.S. respondents said that an organization’s data privacy capabilities are “extremely important,” while only 20 percent “completely trust” those companies whose products they use. The findings of a 2017 study by software corporation SAP found that 79 percent of consumers will disengage from a brand if their data is used without consent or knowledge.

These attitudes expose a vast opportunity in making the shift to security by design and default. Adopting transparency around data privacy practices could provide the chance to rebuild customer trust and develop lasting relationships.

What is Privacy by Design?

The concept of “privacy by design” was introduced by Ann Cavoukian in the 1990s. She presented outlining principles for proactively incorporating data protection into systems and operations from the ground up. It was imperative, she wrote in her paper, that privacy “become integral to organizational priorities, project objectives, design processes and planning operations.”

From the user’s perspective, according to Cavoukian, the organization is responsible for establishing “openness and transparency … relating to the management of personal information.” The privacy by design mandate in the GDPR was directly influenced by Cavoukian’s work.

Even beyond very costly GDPR fines, there’s enormous risk in failing to adopt secure design. According to a June 2018 Ponemon Institute study, 74 percent of IT security practitioners say it’s “likely” their company had a security incident in the last year because of their digital transformation processes.

The Key: Respect for the Individual

Openness and transparency would require a transition of practice and priority from meeting disclosure requirements to genuine education, including the adoption of language that makes sense to the user.

“Until now, the average consumer was likely unaware that when they ‘turn on cookies’ it means they are agreeing to share their information with dozens — and, in some cases, hundreds — of affiliated partners. Those days are over,” wrote Kevin Cochrane in the Harvard Business Review.

At the core of Cavoukian’s content on privacy by design is the concept of “respect for the individual.” Organizations are well-served to consider the role of UX design principles outlined in the international standard 13407 (revised to 9241 in 2015) from the International Standard Organization (ISO), in which a key goal identified is “empowering the user.”

When privacy by design is achieved in the enterprise, customers should feel confident about how personal data is used and kept secure, how artificial intelligence (AI)-based recommendations are generated and how to revoke personal data at any time.

Five Ways to Rebuild Customer Trust

With consumer trust at historic lows, chief information security officers (CISOs) should view privacy by design as more than just a regulatory directive. When put into practice, genuinely user-centric, privacy-focused design practices can provide the groundwork for meaningful customer relationships.

The following are examples of ways the enterprise can embrace the GDPR’s directive to adopt privacy-based design and make these business practices apparent to the public.

1. Adopt Smarter Identity and Access Management (IAM)

A key opportunity for organizations to reduce friction in their users’ experiences while improving data privacy is through the adoption of smarter solutions for IAM.

Eight out of 10 data breaches involve weak or stolen credentials, according to the 2017 Data Breach Investigations Report from Verizon, and password reuse remains an undisputed problem. Enabling trust-based access through interoperable credentials, biometrics and multi-factor authentication represents a shift in IAM practices — and it’s a viable solution to password fatigue.

2. Prioritize Risk-Aware Authentication

Consumers are increasingly aware of the risks of password-based authentication methodologies, according to a January 2018 study by IBM — their survey of 4,000 consumers’ priorities found that security ranked higher than convenience, especially when it relates to money-based applications.

Organizations who adopt risk-aware authentication solutions for user detection and new account creation may have an advantage when it comes to both customer trust and risk mitigation.

Read the complete IBM Study on The Future of Identity and Authentication

3. Emphasize Customer Benefits

When data is being collected for personalization algorithms, it’s imperative to educate the consumer on how data-sharing can improve their experience through continual customer education efforts built into the user experience.

An August 2017 study by Pegasystems on consumer attitudes toward AI found that 70 percent are open to AI if it can provide some distinct value, such as saving the customer money or time. However, 88 percent demand that businesses are “more open about where AI is currently being used while also showcasing how it improves the customer experience.”

4. Offer Value in Exchange for Data Shared

You don’t need to limit the value you provide the customer to brand-specific purchases. When possible, data shared by customers should provide value across brand interactions. For example, customers of VineSleuth are provided with free, on-demand access to their algorithmically-generated personal wine taste profiles to share with friends and inform wine purchases outside the app.

5. Provide On-Demand Access to Data

While GDPR Article 15 details the “[r]ight of access by the data subject,” brands should consider implementing on-demand access. Cochrane recommends the inclusion of tools for managing privacy and data sharing within customer applications. The in-app customer data privacy center could include the ability for the individual to review their consent, update specific data permissions and download the sum total of data shared at any time.

While many security leaders are struggling to gain footing and update processes in the post-GDPR era, it’s valuable to consider the customer’s perspective.

Enterprises which embrace the directive to practice privacy by design have an opportunity for more secure authentication and access management, meaningful customer education and better data privacy. The results will likely shift data-dependent organizations toward design practices which balance UX with privacy compliance, but also the opportunity to rebuild critical customer trust and relationships.

 |  |  | 
Jasmine Henry

More from Data Protection
November 8, 2023

Data security tools make data loss prevention more efficient

3 min read - As businesses navigate the complexities of modern-day cybersecurity initiatives, data loss prevention (DLP) software is the frontline defense against potential data breaches and exfiltration. DLP solutions allow organizations to detect, react to and prevent data leakage or misuse of sensitive information that can lead to catastrophic consequences. However, while DLP solutions play a critical role in cybersecurity, their effectiveness significantly improves when integrated with the right tools and infrastructure. Key limitations of DLP solutions (and how to overcome them) DLP…

November 2, 2023

Defense in depth: Layering your security coverage

2 min read - The more valuable a possession, the more steps you take to protect it. A home, for example, is protected by the lock systems on doors and windows, but the valuable or sensitive items that a criminal might steal are stored with even more security — in a locked filing cabinet or a safe. This provides layers of protection for the things you really don’t want a thief to get their hands on. You tailor each item’s protection accordingly, depending on…

November 1, 2023

What is data security posture management?

3 min read - Do you know where all your organization’s data resides across your hybrid cloud environment? Is it appropriately protected? How sure are you? 30%? 50%? It may not be enough. The Cost of a Data Breach Report 2023 revealed that 82% of breaches involved data in the cloud, and 39% of breached data was stored across multiple types of environments. If you have any doubt, your enterprise should consider acquiring a data security posture management (DSPM) solution. With the global average…

October 25, 2023

Cost of a data breach: The evolving role of law enforcement

4 min read - If someone broke into your company’s office to steal your valuable assets, your first step would be to contact law enforcement. But would your reaction be the same if someone broke into your company’s network and accessed your most valuable assets through a data breach? A decade ago, when smartphones were still relatively new and most people were still coming to understand the value of data both corporate-wide and personally, there was little incentive to report cyber crime. It was…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2023 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature