Companies across all industries are under increasing pressure to become more data driven by expanding their customer data analytics initiatives. However, these initiatives often conflict with – and can be stymied by – evolving data privacy regulations if not proactively dealt with. I’ve spoken with companies across retail, telecommunications, financial services and the automotive industry who are all wrestling with this data utility/data privacy trade-off in key analytical areas such as personalization and predictive modeling. This leaves companies facing what can be an existential question. How can we use customer data to drive new business opportunities while at the same time protect that data and comply with new, complex regulations?
Despite the demand for analytics projects, most companies are struggling to move forward. According to a recent HBR survey, 69% of companies reported they had yet to create a data-driven organization, and 52% admitted they weren’t even treating data as a business asset, much less fully dealing with data as a potential liability.
For many companies, a critical obstacle to building customer data analytics initiatives is the growing challenge of data privacy. Evolving data privacy regulations, such as the General Data Protection Regulation (GDPR) and the California Consumer Protection Act (CCPA), create compliance challenges. In addition, growing consumer awareness of their legal rights in the face of increasing privacy threats creates brand challenges, especially when a company is fined for regulatory non-compliance or suffers a data breach. Anecdotal evidence clearly reveals that companies are motivated by a fear of large fines or the potential loss of reputation. Without trust, customers are just one click away from switching to a competitor.
Other more ethically minded companies have actively sought out solutions to ensure data privacy compliance simply because it’s the right thing to do. As an example, a global financial services firm recognized that complying with the GDPR would reduce the depth of analytical insight available from its European merchant business intelligence solution, which leverages transaction data to enable merchants to benchmark their performance and identify growth opportunities. Putting compliance first, prior to the start of the GDPR, the firm sought out a third-party provider to independently anonymize the data, eliminating any data privacy concerns.
How can companies act ethically, protect their brands, and still become data-driven? By going all in on an approach to data privacy compliance that enables the business to be more agile and use data more effectively. Let us take a look at some of the strategies to get started:
1. Take a comprehensive approach to data privacy compliance
Despite the growing awareness in the boardroom of data privacy compliance requirements, a CGOC study found that only 57% of organizations train staff on data protection compliance, with only 25% doing regular training and audits. This surprising lack of follow through reflects the tunnel vision and piecemeal approach that so many organizations continue to have toward data privacy compliance.
For example, many organizations prepared for the GDPR by updating privacy notices on websites, creating data inventories, defining retention policies and conducting minimal internal awareness training. While useful steps, by themselves they do little to prepare the organization for the deeper operational changes required for GDPR compliance, including tracking what data is collected for what purpose, following specific retention rules for all data across the organization, and ensuring a sound legal basis for all data-related activities.
Achieving the right balance between data privacy compliance and data utility requires a comprehensive approach based on an ongoing collaboration among legal, records, security, IT and marketing, with a focus on putting essential technology and human safeguards in place.
2. Approach analytics projects with data privacy in mind
Strategies exist that can help companies protect data while moving forward quickly with their data analytics projects.
For example, many use cases don’t require analyzing personal data to derive insights or become a data-driven organization. For analytics programs designed to improve product profitability, or that drive digital transformation or customer segmentation, companies need to analyze large volumes of data to establish trends, but they do not need to be able to identify an individual within this analysis. Therefore, anonymizing data can ensure privacy protection while still providing valuable results.
Further, if personal data is rendered truly anonymous, that is, the individual can no longer be identified, data protection regulations such as the GDPR do not apply. Companies are also no longer subject to the limitations that apply to personal data. Provided the original data was lawfully collected, companies can use data from all their customers, not just those that consented to analytics being conducted. They can use the data for all use cases, and the data is not subject to retention requirements. Truly anonymized data is also not subject to the rights of the data subject, such as access requests, the right to be forgotten, or the right to object to processing. This approach creates a comprehensive data universe to unlock business potential for analytics programs by being able to access all data for past and present customers, consented and unconsented.
3. Be transparent with consumers about their data privacy rights
An Accenture study suggests that a $30 billion retail company could lose $4 billion in future revenue following a material drop in trust. Consumers are increasingly aware of data privacy issues and their rights. A Trūata survey found that 60% of consumers are uneasy with companies using their data for analytics. Some 74% are also nervous about their personal details being sold to third parties, and 65% say they are more likely to be loyal to a company if they trust them to use personal data properly.
Doing the right thing can encourage and maintain consumer trust, so companies must be proactive and transparent about how they use sensitive data. They must also demonstrate how they are acting ethically and responsibly with their customers’ data. It is increasingly unrealistic and counterproductive to burden customers with the responsibility of reading reams of privacy notices to try to figure out whether a company is acting ethically.
Achieving the right balance between the desire to maximize data analytics initiatives and the demand for protecting privacy will often require an iterative process as enterprises work toward a culture of privacy and embrace the “spirit” of privacy regulations, that is, putting customers and consumers first. However, it is important to keep in mind that companies can turn privacy compliance into a competitive advantage by focusing on data quality not quantity, by building consumer trust, and by using privacy as a differentiator to establish brand loyalty and preference.