Among the many requirements of the General Data Privacy Regulation (GDPR) is a directive to implement new systems of “privacy by design and default.” In this post-GDPR era, the practice may turn out to be more than a mandate. True privacy by design could be a timely opportunity to engage and empower customers.
According to an April 2018 survey by IBM and Harris Poll, 78 percent of U.S. respondents said that an organization’s data privacy capabilities are “extremely important,” while only 20 percent “completely trust” those companies whose products they use. The findings of a 2017 study by software corporation SAP found that 79 percent of consumers will disengage from a brand if their data is used without consent or knowledge.
These attitudes expose a vast opportunity in making the shift to security by design and default. Adopting transparency around data privacy practices could provide the chance to rebuild customer trust and develop lasting relationships.
What is Privacy by Design?
The concept of “privacy by design” was introduced by Ann Cavoukian in the 1990s. She presented outlining principles for proactively incorporating data protection into systems and operations from the ground up. It was imperative, she wrote in her paper, that privacy “become integral to organizational priorities, project objectives, design processes and planning operations.”
From the user’s perspective, according to Cavoukian, the organization is responsible for establishing “openness and transparency … relating to the management of personal information.” The privacy by design mandate in the GDPR was directly influenced by Cavoukian’s work.
Even beyond very costly GDPR fines, there’s enormous risk in failing to adopt secure design. According to a June 2018 Ponemon Institute study, 74 percent of IT security practitioners say it’s “likely” their company had a security incident in the last year because of their digital transformation processes.
The Key: Respect for the Individual
Openness and transparency would require a transition of practice and priority from meeting disclosure requirements to genuine education, including the adoption of language that makes sense to the user.
“Until now, the average consumer was likely unaware that when they ‘turn on cookies’ it means they are agreeing to share their information with dozens — and, in some cases, hundreds — of affiliated partners. Those days are over,” wrote Kevin Cochrane in the Harvard Business Review.
At the core of Cavoukian’s content on privacy by design is the concept of “respect for the individual.” Organizations are well-served to consider the role of UX design principles outlined in the international standard 13407 (revised to 9241 in 2015) from the International Standard Organization (ISO), in which a key goal identified is “empowering the user.”
When privacy by design is achieved in the enterprise, customers should feel confident about how personal data is used and kept secure, how artificial intelligence (AI)-based recommendations are generated and how to revoke personal data at any time.
Five Ways to Rebuild Customer Trust
With consumer trust at historic lows, chief information security officers (CISOs) should view privacy by design as more than just a regulatory directive. When put into practice, genuinely user-centric, privacy-focused design practices can provide the groundwork for meaningful customer relationships.
The following are examples of ways the enterprise can embrace the GDPR’s directive to adopt privacy-based design and make these business practices apparent to the public.
1. Adopt Smarter Identity and Access Management (IAM)
A key opportunity for organizations to reduce friction in their users’ experiences while improving data privacy is through the adoption of smarter solutions for IAM.
Eight out of 10 data breaches involve weak or stolen credentials, according to the 2017 Data Breach Investigations Report from Verizon, and password reuse remains an undisputed problem. Enabling trust-based access through interoperable credentials, biometrics and multi-factor authentication represents a shift in IAM practices — and it’s a viable solution to password fatigue.
2. Prioritize Risk-Aware Authentication
Consumers are increasingly aware of the risks of password-based authentication methodologies, according to a January 2018 study by IBM — their survey of 4,000 consumers’ priorities found that security ranked higher than convenience, especially when it relates to money-based applications.
Organizations who adopt risk-aware authentication solutions for user detection and new account creation may have an advantage when it comes to both customer trust and risk mitigation.
Read the complete IBM Study on The Future of Identity and Authentication
3. Emphasize Customer Benefits
When data is being collected for personalization algorithms, it’s imperative to educate the consumer on how data-sharing can improve their experience through continual customer education efforts built into the user experience.
An August 2017 study by Pegasystems on consumer attitudes toward AI found that 70 percent are open to AI if it can provide some distinct value, such as saving the customer money or time. However, 88 percent demand that businesses are “more open about where AI is currently being used while also showcasing how it improves the customer experience.”
4. Offer Value in Exchange for Data Shared
You don’t need to limit the value you provide the customer to brand-specific purchases. When possible, data shared by customers should provide value across brand interactions. For example, customers of VineSleuth are provided with free, on-demand access to their algorithmically-generated personal wine taste profiles to share with friends and inform wine purchases outside the app.
5. Provide On-Demand Access to Data
While GDPR Article 15 details the “[r]ight of access by the data subject,” brands should consider implementing on-demand access. Cochrane recommends the inclusion of tools for managing privacy and data sharing within customer applications. The in-app customer data privacy center could include the ability for the individual to review their consent, update specific data permissions and download the sum total of data shared at any time.
While many security leaders are struggling to gain footing and update processes in the post-GDPR era, it’s valuable to consider the customer’s perspective.
Enterprises which embrace the directive to practice privacy by design have an opportunity for more secure authentication and access management, meaningful customer education and better data privacy. The results will likely shift data-dependent organizations toward design practices which balance UX with privacy compliance, but also the opportunity to rebuild critical customer trust and relationships.
Jasmine Henry (formerly Jasmine W. Gordon) is a Seattle-based emerging commentator and freelance journalist specializing in analytics, information security, ...