
August 25, 2022

Taking a Privacy-First Approach in a Data-Driven Organization

Insights from data have clearly transformed business, and consumer data is, perhaps, the most highly valued. Today, data-driven organizations are using insights from consumer data to better understand customer pain points, develop new products and services, and personalize their marketing and advertising efforts.

But consumer data increasingly comes with its own indirect costs. Consumers and employees are much more aware of the data that is being collected, and they have definite opinions about how and when it can be used, and by whom. Trust and consumer loyalty are at stake, and increasingly stringent privacy laws, like Europe’s GDPR and Brazil’s LGPD, are creating compliance risks on top of that.

So is the idea of being a truly data-driven organization just a pipe dream? Not at all: There are still good reasons for collecting, analyzing, and using consumer (and employee) data—and ethical ways to do it. But data-driven organizations must figure out how to balance the imperative to make better business decisions based on data and business intelligence with their responsibility to keep consumer data safe.

Being a Data-Driven Organization in a Data Privacy World

Being a data-driven organization requires more than collecting data, of course. Understanding the context for that data, as well as how it should be used to make good decisions, are equally important. These cannot be “one off” activities: They must be woven into the very fabric of the culture.

The same should be said for data privacy. Data privacy concerns should be on everyone’s mind, and not just the purview of a compliance officer. Indeed, data privacy needs to be part of “data-driven leadership” as much as data-driven decision-making.

Still, good decision-making comes from having adequate data, and many leaders worry that data privacy laws (such as GDPR, CCPA, COPPA, etc.) will restrict what they can collect and use.

Fortunately, the opposite is true.

People the world over generate some 2.5 quintillion bytes of data every day. The average enterprise-sized company stores about 347.56 terabytes of data by itself. That’s more than enough to extract some usable insights even if just a few consumers opt to share some of their data.

What is needed is good data management. Consumers have shown that they are willing to share data when they see that doing so is relevant to their goals and to the kinds of offers a company is making. Consumers also want companies to be transparent about data collection, and they want the freedom to “opt out” of that collection (or any subsequent transfer or use).

When companies can provide those things, it’s not a barrier to being data driven—it’s actually a competitive advantage.

The ROI of Data Privacy and Good Data Management

Indeed, there is a proven ROI to good data privacy management. Cisco’s Data Privacy Benchmark Study 2020, for example, found that:

  • Most organizations see very positive returns on their privacy investments, with more than 40% of companies seeing benefits at least twice that of their privacy spend.
  • Strong correlations exist between an organization’s privacy accountability and things like lower breach costs, shorter sales delays, and higher financial returns.
  • The vast majority (82%) of organizations making B2B purchases view privacy certifications (such as ISO 27701 and Privacy Shield) as important factors when selecting a product or vendor in their supply chain.
  • As for consumers, 86% say they “care about data privacy” and want more control; 79% of consumers are willing to invest time or money to better protect their privacy.

Furthermore, research by McKinsey found that consumers have much more trust in companies that voluntarily limit their collection and use of personal data, and that respond to data breaches in a timely manner. That trust translates into dollars, especially for service industries.

5 Elements of a “Privacy First” Approach

If all this is true, what is the way forward? What exactly should a data-driven organization do to leverage best practices in data privacy? There are at least five elements:

Getting Leadership Involved

Data privacy won’t be achieved overnight, and it won’t be achieved at all unless C-level executives are on board, especially the CTO/CIO. The CMO should be involved as well, given that marketing is both one of the primary collectors and one of the primary users of data (for both customers and prospects). Marketing teams thus have a responsibility to be good stewards of data, and have a vested interest in finding new ways to use data responsibly.

Upgrading Privacy Standards

A few decades ago, data privacy standards did not even exist. Today, 128 countries have data legislation in place, covering more than 5 billion citizens. And the penalties for non-compliance can be steep.

But companies need to think beyond the bare minimum that compliance requires. For example, it behooves large companies to review their opt-in policies and procedures, even for things as simple as email lists. Privacy statements should be rewritten in plain language and made available on demand. Ad retargeting should receive increased scrutiny, and the use of cookies in browser windows will need to be phased out.

Most importantly, companies need to make it a policy not to ask for information unless they can show that such information is directly relevant to a product or offer. While this is not part of any compliance law, it is the #1 practice to instill trust in the minds of consumers. (Not asking for too much information comes in at #3.)

De-Identifying Datasets Religiously

When non-identifiable information is linked to personally identifiable information (PII) in a dataset, it has a contagion effect, and individual privacy is lost. For example, think of a report on regional spending trends that contains data on individual purchase patterns—and inadvertently contains names and credit card details.

This is unacceptable, of course. Thus all PII should be removed from datasets, whether used internally or by a third party. Things get dicey, though, when re-identification enters the picture: Private data can possibly be reconstructed if the dataset is not de-identified properly. The process of de-identification requires organizations to think critically about the connections between their data, and how those might be used by bad actors.
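As an added illustration (not part of the original article), the Python check below shows why removing names and card numbers from the spending report described above is not enough on its own: the remaining fields can still single out each person. The field names, the constructed sample rows, and the k-anonymity-style threshold are assumptions made for this example.

```python
from collections import Counter

# Constructed sample: a regional spending report that inadvertently carries PII.
REPORT = [
    {"name": "A. Rivera", "card": "4111-XXXX-0001", "zip": "30301", "birth_year": 1984, "spend": 220},
    {"name": "B. Chen",   "card": "4111-XXXX-0002", "zip": "30302", "birth_year": 1986, "spend": 180},
    {"name": "C. Okafor", "card": "4111-XXXX-0003", "zip": "30305", "birth_year": 1981, "spend": 340},
    {"name": "D. Silva",  "card": "4111-XXXX-0004", "zip": "30411", "birth_year": 1992, "spend": 95},
    {"name": "E. Novak",  "card": "4111-XXXX-0005", "zip": "30415", "birth_year": 1997, "spend": 130},
]

DIRECT_IDENTIFIERS = {"name", "card"}       # assumed field names
QUASI_IDENTIFIERS = ("zip", "birth_year")   # fields that can be linked to outside data


def drop_direct_identifiers(rows):
    """Remove fields that identify a person on their own."""
    return [{k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS} for r in rows]


def smallest_group(rows, keys=QUASI_IDENTIFIERS):
    """Size of the smallest set of rows sharing the same quasi-identifier values."""
    counts = Counter(tuple(r[k] for k in keys) for r in rows)
    return min(counts.values())


def generalize(rows):
    """Coarsen quasi-identifiers: 3-digit ZIP prefix and decade of birth."""
    return [
        {**r, "zip": r["zip"][:3] + "**", "birth_year": r["birth_year"] // 10 * 10}
        for r in rows
    ]


def release(rows, k_min=2):
    """Return a de-identified copy only if every row hides among at least k_min rows."""
    out = generalize(drop_direct_identifiers(rows))
    if smallest_group(out) < k_min:
        raise ValueError("re-identification risk: a row is unique on its quasi-identifiers")
    return out


if __name__ == "__main__":
    print("k after dropping names/cards only:", smallest_group(drop_direct_identifiers(REPORT)))
    print("k after generalizing as well:", smallest_group(release(REPORT)))
```

With only the direct identifiers dropped, every row is still unique on ZIP code and birth year; coarsening those two fields is what puts each person in a group of at least two.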

Insisting that Any Data Sharing is Privacy Compliant

It is not uncommon for third parties to provide analysis services to companies that collect sensitive data. For example, a bank in the U.S. might outsource some of its development and analytics work to firms located in Europe or India. That bank will want to make sure that any method for sharing data, to or from the vendor, is compliant with its data privacy policies. This kind of request is no longer a “should” for most companies, but a “must.”

Investing in Compliant Technology for Privacy

Finally, companies need to invest in the technologies that help ensure data privacy, such as sensitive data discovery, dynamic data masking, and encryption. No longer is it sufficient to simply avoid questionable technology, such as third-party tracking cookies. Users want to know that companies are taking positive steps to ensure their data is kept safe.

Again, keep in mind that companies that are already doing just this are seeing huge positive returns on the investment. And making the right investment will also ensure that companies have enough data to work with when it comes to decision-making time.