The last decade has shown a rapid growth of concern among citizens about data privacy. Policy makers have made every effort to respond to that worry. As a consequence, regulations on data processing are being tightened. How do these changes affect data-driven entities?
Customer perception of privacy
Historically, the word privacy has a strong physical connotation, as in the expression ‘the privacy of her own home’. It is broadly considered to be a normal requisite for daily life, if not a legal right. However, in the data era this has drastically changed.
Nowadays, privacy is not only about ‘physical’ privacy, it also relates to ‘virtual’ privacy. It is about the protection of personal data and the right to preserve anonymity. To that extent, it still relates to a person’s comfort zone, although this is becoming increasingly difficult to define. A comparison may illustrate this.
Recent academic research on the perception of sustainability found that people tend to act more on avoiding a material loss than on gaining an abstract profit.
In an interesting experiment, respondents preferred a lower price for tomatoes, yoghurt and coffee over an EKO hallmark (the Dutch hallmark for organic products). But that changed when the choice was between a cheaper product with a red-crossed EKO label and the standard product, regardless of whether it came with a positive sustainability hallmark or none. Then the preference shifted towards the more expensive product.
Unfortunately, there is no such thing as an authorised red cross through privacy. Respected brands might substitute for it by integrating the protection of personal data into their set of values. But at the end of the day consumers will expect privacy to be a normal product feature, just as Teslas are sold without a petrol tank.
Put differently, making data privacy an integral part of any proposition and delivering transparency on the issue is the only way forward: privacy by design!
The European General Data Protection Regulation (GDPR), which will come into force, fits seamlessly into that trend. It strengthens the position of EU citizens with regard to their data, making tough demands on organisations that collect data and raising the financial sanctions for infringing the regulation.
Among the ‘civil’ rights to be established by the GDPR are: easier access to people’s personal data, transparency around how these data are processed and the possibility to explicitly object to it, data portability (transfer of data to third parties) and the right to be forgotten. For many institutions the processing measures in GDPR will set new obligations like the registration of data leaks, the appointment of a dedicated Data Protection Officer and the introduction of data protection impact assessments.
These boundary conditions, however, pale in comparison to how data management systems are going to be affected by the rights described above.
The explosion of generated data in the last decade has also given rise to the aspiration of a ‘360 degree customer view’. More data allows for better insights, may facilitate new points of view or just harness already available predictive models.
State-of-the-art data processing capabilities are an important requirement for successfully realising that ambition, and not only to arrange for the integration of data from different sources.
Above all, these capabilities are necessary to reach a more sophisticated level of data governance – privacy by design.
To become compliant with the GDPR and gain customer acceptance, a new approach to data management is a conditio sine qua non. In the near future, data processors will not only be accountable for what they do, but will also actively have to support full transparency on what data they process and for what purposes it is used – e.g. profiling – and adequate data security.
The only foundation for this approach is explicit consent given by the person whose data are at stake, and stringent administration of that consent. By distinguishing between different levels of consent, e.g. give anonymous or personal data (customer vs. operator in control), let data evaporate instantly (the right to be forgotten) or transfer them externally, new functionalities created by the GDPR are within reach.
The above figure may illustrate this. Assuming consent has been given to collect (anonymous) data for measuring response to campaigns and optimizing the website, these data can be used.
But if consent for the use of personally identifiable information is lacking, the related data will evaporate and not be stored anywhere.
Having the consent administration in order, just as entities register an address or a birthdate on their customer records, is the basic condition for compliant data governance. This may drive data stream management technology to provide building blocks for embedding core privacy functionality in data governance, such as:
– in-memory data collection and selective storage
– encryption of data on processing
– access to all data streams exclusively to the Data Protection Officer
– in house deployment of data streams (vs. cloud)
– extensive change logging
Finally, this approach will also facilitate external audits to prove that the consent administration is complete and meets all legal requisites.
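The consent-gated collection described above, as an added example that is not code from the original article or from O2MC: events are held in memory and stored selectively according to the visitor's consent level, and every consent change is logged. The `ConsentGate` class, the three consent levels and the `PII_FIELDS` classification are assumptions made for illustration.

```python
from datetime import datetime, timezone
from enum import IntEnum

class Consent(IntEnum):
    NONE = 0       # nothing may be stored
    ANONYMOUS = 1  # campaign response and site optimisation data only
    PERSONAL = 2   # personally identifiable fields may be stored as well

PII_FIELDS = {"email", "name", "ip"}  # assumed classification, for illustration
# Constructed sample event, not real data.
SAMPLE = {"page": "/pricing", "campaign": "spring", "email": "a@example.org"}

def strip_pii(event):
    return {k: v for k, v in event.items() if k not in PII_FIELDS}

class ConsentGate:
    def __init__(self):
        self.levels = {}      # visitor id -> Consent (the consent administration)
        self.store = []       # (owner, record); owner is None for anonymous data
        self.change_log = []  # append-only record of every consent change

    def set_consent(self, visitor, level):
        old = self.levels.get(visitor, Consent.NONE)
        self.levels[visitor] = level
        stamp = datetime.now(timezone.utc).isoformat()
        self.change_log.append((stamp, visitor, old.name, level.name))
        if level < Consent.PERSONAL <= old:
            self._forget(visitor, level)

    def _forget(self, visitor, level):
        # Personal consent withdrawn: erase linked records, or strip and unlink them.
        kept = []
        for owner, record in self.store:
            if owner != visitor:
                kept.append((owner, record))
            elif level == Consent.ANONYMOUS:
                kept.append((None, strip_pii(record)))
        self.store = kept

    def ingest(self, visitor, event):
        # The event exists only in memory here; it is persisted selectively.
        level = self.levels.get(visitor, Consent.NONE)
        if level == Consent.NONE:
            return None  # no consent: the event evaporates
        if level == Consent.PERSONAL:
            stored = (visitor, dict(event))
        else:
            stored = (None, strip_pii(event))
        self.store.append(stored)
        return stored[1]
```

Records stored under anonymous consent carry no owner, so they cannot be linked back to a visitor later; only records stored under personal consent are erased or stripped when that consent is withdrawn.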
Did you find this article interesting? Would you like to know more about this topic? Join our Live Webinar on April 19th.
In this webinar our host Clare Aitken together with our guest Herman Huizinga will discuss the changing data protection regulatory landscape, customer perception of privacy and unifying elements that stand out.
They will elaborate on key building blocks for a sustainable solution e.g.
- transparent consent management
- differentiation of level of consent
- flexibility towards multiple domains
- the art of verification
This post was written by Herman Huizinga, Chief Information Officer at O2MC I/O