Insights

Privacy and Security in Age of Mass Data Creation

Analytics & Insights

Author: Joe Humm

Understand the Data Privacy Business Problem

Throughout history, emerging technologies have typically experienced exponential growth before the introduction of safety standards.  Those standards tend to be based on difficult lessons learned.  For example, building skyscrapers with little regard for worker safety prior to OSHA or automobiles before airbags, anti-lock brakes and speed limits.

Data and technology solutions are now experiencing a similar shift with the overlay of data privacy.  2.5 quintillion bytes of data are created each day. And that pace is only accelerating with the growth of new technologies, such as Internet of Things (IoT), data sensors, and artificial intelligence.

This data can be incredibly helpful. It can enable organizations to better understand who you are as a consumer: your likes, preferences, dislikes, and the types of products you have higher propensity to buy. So, in general, this data can help create a better experience with the brands that you interact with daily. However, the yin to the yang of this scenario is that organizations have deep information relating to you as a person. Information which is at risk of hacking or could be used for manipulation, theft, fraud, or other criminal behavior.

Addressing the Challenges

To deal with these challenges, varying industries have taken steps to clearly outline how data should be protected in terms of privacy and security; interrelated but not synonymous topics.

  • Examples of security measures include PCI Compliance in the credit card industry, or Data Security Levels used to classify information and associated steps in business, government, or education-based entities.
  • In the area of privacy, government entities have instituted measures in an attempt to give people more control over their data, which includes laws like GDPR (General Data Protection Regulation in the EU) or CCPA (California Consumer Privacy Act).

Much of this has been effective in helping to prevent catastrophic data leaks and in giving people more peace of mind regarding their data. However, these rules and regulations can have limited effectiveness if not properly instituted or managed.

Facebook-Cambridge Analytica is a great example of how lackadaisical security and privacy standards can destroy business value. In 2018, BrandZ estimated Facebook’s brand value at $162.2B. However, in 2018, Cambridge Analytica was caught exposing records of individuals, based on questionable agreements with Facebook. The private information of 87 million people was unknowingly exposed which led to $5B in fines assessed on Facebook. Poor media exposure that followed resulted in a $3.2B loss in brand value in 2019.

So, the question is: what can organizations do to protect consumer data; take on the true role of data “processor” and not the data “controller” to create consumer trust; and ultimately protect their brand in the process?

As defined by the European Commision:

The data controller determines the purposes for which and the means by which personal data is processed.

The data processor processes personal data only on behalf of the controller. The data processor is usually a third party external to the company.

Data Security Defined

Data Security is defined by three key principles:

  1. Strong data governance
  2. Proper technical and process infrastructure
  3. Secure means for transferring and managing data from point A to point B

These principles are critical sister topics to Data Privacy. Thus, we will address Data Security in future articles. In this article, we will focus on the importance of Data Privacy.

Data Privacy Defined

The principles of GDPR are built around giving a person the right to control their data and to remain anonymous. The mechanisms by which this occurs is a unified European Union policy that allows consumers to request that entities Provide (access to), Delete or Change their personal information.

This European model was mimicked by the State of California, who signed into law the CCPA which went into effect on January 1, 2020. This legislation broadened the definition of Personal Information (“PI”) from that of Personally Identifiable Information (“PII”) and gave consumers the right to request that entities Provide or Delete, but not Change information. Furthermore, it allows consumers to Opt-Out of allowing businesses to use their information. California began enforcing this law on July 1, 2020.

Beyond California, states including Nevada and Maine have passed legislation to enable customers to Opt-Out and Opt-In, respectively, of data use. In addition, legislation is being crafted in New York, Maryland, Massachusetts, Hawaii, and North Dakota. Hence, there is quite a bit of activity in this area for which organizations need to plan and prepare.

Start with a Business Assessment

RevGen recommends conducting an assessment of your organization’s Data Privacy. While every organization’s approach to managing data privacy requirements will vary based on size and the complexity of the operations and systems, all approaches will have a degree of complexity because data privacy cuts across the entire enterprise from a people, process and technology standpoint.

 

Select a Technology Enabler

RevGen believes companies need to determine how they plan to build or deploy their data privacy solutions. These solutions can be high risk if not looked at holistically, given the potential for negative brand exposure and fines. In addition, they can span the entire value delivery chain; meaning they are consumer facing, spiderweb into each business unit, and require secure output on the backend. As for building the technical solution to manage data privacy, various options should be explored:

  • Build your own
  • Off-the-shelf solutions (e.g., WireWheel or OneTrust)
  • Adapt and utilize existing assets
  • A hybrid of the above

One of the biggest Data Privacy challenges is simply locating and documenting where Personal Information exists. On the surface, this sounds like a straightforward activity, but when you drill into it, companies will quickly find that they must first:

  • Educate data owners on what PI is
  • Provide a means to find it
  • Share/review findings with Legal
  • Build data feeds to process the information for consumer consumption
  • Deliver such files on a consistent basis

A miss on this front risks putting the entire effort at risk.

Deploy the Appropriate Expertise

We understand that many organizations may not be immersed in all of the changing regulations or have an internal team skilled in these types of programs, so this may be the time to consider bringing in external Data Privacy expertise to help facilitate your journey. And, as with any cross-functional, enterprise-wide program, process design, program management and change management must all be considered. The risks of not doing so are shown below.

Proper program governance can help keep the Total Cost of Ownership of the program as low as possible while decreasing overall risk. Lastly, it will ensure requirements are properly translated into a comprehensive solution deployment in what is a high stakes environment.

In closing, data privacy is a burgeoning area which RevGen Partners believes organizations would be wise to get out in front of. All breakthrough technologies eventually require adjustments in their management to ensure safety, and this is data’s moment in that area.

 

Joe Humm is a director in RevGen’s analytics and insights practice. He has spent the past year assisting a multi-billion dollar services company prepare for the implications of CCPA.

 

Subscribe to our Newsletter

Please Check to Accept Our Privacy Policy