In the 29 January 2007, Esquire interview, Andy Grove, at the time, 63 and chairman of Intel, said “Privacy is one of the biggest problems in this new electronic age. At the heart of the Internet culture is a force that wants to find out everything about you. And once it has found out everything about you and two hundred million others, that's a very valuable asset, and people will be tempted to trade and do commerce with that asset.”
This 28 January, 51 countries around the world will observe Data Privacy Day (also known in Europe as Data Protection Day) is an international event that occurs every year on 28 January. The purpose of Data Privacy Day is to raise awareness and promote privacy and data protection best practices.
That only the United States, Canada, Nigeria, Israel and 47 European countries observe it does not mean Asians and their governments, as well as businesses operating in the region, don’t care – it’s just that we don’t know better.
Fifteen years on we still question whether companies and governments do value consumers’ desires for the protection of their data.
The Global Consumer Privacy Survey by EY reveals that security, control and trust are rated as the most important factors when sharing personal data with an organisation, making data privacy as relevant as ever in the age of the internet and social media.
Chua Chee Pin, area vice president, ASEAN, Hong Kong and Taiwan for Commvault, concurs adding that data privacy has never been more relevant and safeguarding personal data has never been more critical than it is today.
Collinson Asia-Pacific vice president for data, insights and technology, Daniel Cantorna argues that brands need to be cognizant of what their customers want and build their data strategies to include privacy by design from the outset.
Personalisation without privacy violation
When the collection of data occurs, the user must be informed of the nature of the data collection and how that data might be shared as part of the relationship with the business.
“While the user may decline to have data shared, a clear and concise disclosure detailing the benefits of a personalised experience will help reassure users that wish to have a long-term relationship with the business that their data is secure and treated with respect,” posits Tim Mackey, principal security strategist, Synopsys Cybersecurity Research Centre.
Versent’s technical director for security, Simon Morse opines those users expect, even demand, personalisation but also to protect their data from cybercriminals. He advocates rigorous compliance with an emphasis on transparency.
To which Cantorna adds that by being transparent about how they use data to improve a service or a customer experience and seeking their consumers’ consent, brands can build customer trust and loyalty even amidst strict data regulations.
Adapting data privacy protection to COVID-19 conditions
COVID-19 has made remote work and restricted mobility the new normal. Not only are employees having to work remotely but consumers themselves are also encouraged to consume products and services online. This means commercialising their online social behaviour.
Forrester principal analyst Xiaofeng Wang suggests adopting a privacy-first personalization approach. Invest in consent management tools and alternative (not rely on third-party cookies) targeting and audience solutions. Improve zero- and first-party data management capabilities and communicate with customers about value exchange and data management transparency.
She also suggests having a privacy leader such as a Chief Privacy Officer. Both CMO and CIO should work with this person closely to improve compliance and establish a corporate culture for privacy.
"CMOs should incorporate privacy in marketing strategy and increase customer trust in the brand. They can also work with CIO in more tactical privacy initiatives such as increasing privacy assessments/privacy protection in connection with data analytics and investing in relevant technology to support the privacy program and customer data management," she elaborates when asked how these different roles will work together.
Changing with the times
Should data privacy protection rules like GDPR developed pre-pandemic be tweaked to reflect this new normal?
Cantorna acknowledges that remote working has led businesses to rethink their data strategies and ramp up their data governance measures to ensure the highest standards of data privacy, protection, and compliance with both their customers’ expectations and relevant data regulations are being applied.
Richard Watson, EY global and Asia-Pacific cybersecurity consulting leader believes that regulations involving technology and data will evolve, in much the same way that technology and business landscapes are changing and developing.
“Even after enforcement, regulations undergo enhancements to keep pace with changes in the technology environment,” he adds.
While regulations provide a solid framework to guide organisations, Commvault’s Chua believes that it is important to recognise that data privacy is intricately linked with data protection and management strategies.
A better way to data privacy protection
Can a company have its cake and eat it too? Is it possible to architect a data privacy and protection strategy that facilitates the creation of personalised solutions while complying with established regulations aimed at protecting people’s privacy?
EY’s Watson posts that a well thought data privacy strategy allows organisations to identify priorities and create a plan to address existing or upcoming compliance requirements without having to make unforeseen changes to business operations which can have a significant impact across the organisation.
He adds that the fundamentals of a strong data privacy management framework focus on how the organisation collects, uses, assesses, classifies, controls, and monitors all elements of critical data throughout the course of business operations.
“There are several pitfalls to avoid such as collecting more data than needed, not keeping accurate inventories, lack of awareness of third-party activities and not adjusting to business process changes. Establishing an appropriate framework, strategy and guiding principles will help ensure organisations can adapt to new or adjusted regulations,” suggests Watson.
Cantorna opines those brands must demonstrate value back to their customers by ensuring transparency and making it easy for them to withdraw their consent should they decide against continuing their interaction with the brand.
He supports the development and rebuilding of consent management systems and preference centres for brands in APAC by advising them on the best practices to maintain an open, transparent, and value-adding interaction with their customers.
Technology will be important in the process. But how do you design and orchestrate a strategy that does not fall prey to obsolescence? And where does the CIO figure out in all of this?
Commvault’s Chua says the onus rests on CIOs and leaders to proactively reinforce data management technologies and processes through a phased approach.
“Organisations need to first identify the sensitive data that needs to be protected, followed by incorporating cloud-native data protection, such as Software as a service (SaaS) backup and recovery in the cloud to minimise data loss.
“A simple-to-use, an actionable dashboard will integrate and automate security controls, with minimal complexities or governance risks. Risk education is also key,” he adds.
For his part, Synopsys’ Mackey believes that future-proofing for data privacy is a challenging exercise, but it is made simpler by recognising that the only data subject to a data breach is that which was collected and retained.
He suggests focusing data collection on the minimum data elements required to satisfy the user’s request or transaction. Follow it by retaining that information for the minimum duration dictated by either the user’s relationship with the business or for regulatory compliance.
“This way the scope of a data breach can be minimised. If instead, data collection is done in anticipation of a future need or feature to be implemented later, those additional data elements might be considered under future legislation to be protected and require additional treatment while also presenting a target for cybercriminals,” he concludes.