We are living in a data economy which can seem at odds with an increasingly privacy-driven world. This has led companies across industries to develop protocols around what data they can utilize, how it’s used and by whom ー leaving many to assume they must walk a tightrope between maintaining compliance with data regulation and achieving data-driven business outcomes.
The reality is this no longer needs to be an either-or. It’s time for enterprises to stop taking a “one-size-fits-all” approach to privacy and security in favor of a model defined by the context in which a dataset is collected and used. In doing so, they can accommodate the evolving data privacy landscape while collaborating with internal and external teams in new ways.
As Data Privacy Day approaches on January 28, it’s the perfect time for enterprises to reevaluate the way they safeguard data to ensure they’re maximizing its value while still mitigating risk to data subjects or brand safety.
Rethink privacy and security solutions
Traditionally, technology providers who handle customer data have applied arbitrary data access limits across their products, regardless of client business objectives. While this is done in service of being privacy-safe, what’s not taken into account is that a dataset’s unique characteristics ー including potential value to an enterprise or the mechanisms via which it’s collected ー contribute to different levels of risk tolerance.
Rather than select technology that treats all data the same, privacy officers should instead be empowered to selectively apply privacy-enhancing techniques to data in order to balance privacy risk with helping business teams execute. For example, rather than requiring that all data be aggregated or “fuzzily” altered within a platform, the platform should allow one to determine which datasets need extra protection based on a dataset’s sensitivity and team use cases. Differentially applying privacy techniques ensures teams won’t be limited to aggregate function analysis of data, for example, but rather can gain high-fidelity insight without risking consumer privacy.
The first step in accomplishing this is to no longer seek out “privacy” as its own product or set of features stuck onto an existing data platform, but rather select privacy-centric technologies which treat privacy as a steel thread running throughout the fabric of the product. Companies must focus on privacy as a core tenet on which data workflows are built and interconnected, all tying back to individuals’ right to privacy and choice. With that in mind, it’s time to overcome the preconceived notion that one set of explicit standards ー such as an arbitrary data aggregation threshold or encryption technique ー can determine privacy-safe vs. unsafe. Instead, take into account the context of each dataset within business objectives, which is then vital in determining the appropriate controls to put in place.
In trying to keep up with rapidly changing regulation, it’s easy to make policies based on what will meet legal requirements rather than consumer expectation or a company’s data-driven strategy. As legislation evolves and precedents are set, enterprises must move their policies beyond solely compliance-based risk evaluation frameworks to models that balance privacy preservation and data utility based on data context and use cases. Remember, all data is not equal.
Prepare for a more fluid model across all workflows, balancing what controls an enterprise wants around its data and what insights can be gleaned from it. At the end of the day, companies want value from data through customer insights and how they act on them. They want to be able to personalize, cultivate data collaboration, and monetize in new ways, depending on the type of data and how it can benefit the organization. In doing so, they can set their own business policies for what data can come into their environments, or what data they can share with third parties, all while remaining compliant and adapting to evolving regulations.
Improving internal collaboration and security
Historically, relationships can be challenging cross-divisionally between InfoSec, IT, Legal, and business or product teams in the sense that the internal conversations and ongoing education required for these teams to sync on protocols and security measures can be extensive. Moreover, policy enforcement between these teams without proper technical safeguards can result in the accidental ー or in rare instances, malicious ー leakage of data that would put an individual or business’ reputation at risk.
By taking a more contextual, technically enforced approach to data governance, the all-too-common risks associated with human-led processes can be eliminated and in turn, improve collaboration and enforcement between these internal teams. When the right technical controls are in place based on the data context, using privacy-enhancing techniques or in partnership with a reliable technology partner, enterprises no longer have to rely on the manual human processes that may lead to sensitive data leakage or re-identification risk.
Only this alignment between internal teams will allow an enterprise’s overall data strategy to flourish. Many of the world’s most successful companies, such as Amazon or Unilever, have gained sizable market share through data collaboration, starting within their own enterprise.
External collaboration is possible too
Once internal data can be securely transacted across teams, external data partnerships rooted in trust are a strategic next step in unlocking new insights. According to a new report from Winterberry Group, over 64% of organizations are already finding ways to collaborate with partners to share first-party data for insights, activations, measurement, or attribution. Though the concept of data sharing itself is not new, these numbers are expected to rise as the way in which businesses collaborate evolves in response to expanding regulatory and economic challenges brought on by the COVID economy.
These holistic approaches ー inclusive of data cooperatives, marketplaces/exchange, and technical data environments ー demonstrate ways businesses can safely collaborate with trusted partners and generate ROI while moving beyond one-size-fits-all models. As Winterberry’s data shows, data privacy does not need to compromise data utility because there are technical controls, such as aggregation thresholds or privacy enhancing algorithms, that can be employed to still achieve specific business objectives without putting data at risk.
Realistically, every organization has to make different tradeoffs, even within its own four walls. There may be a specific type of data that a business deems valuable, but it doesn’t want any of it leaving the organization. The further enterprises progress on the privacy spectrum to reduce risk, the further they may also reduce data utility or performance depending on how privacy-enhancing techniques are applied. This is necessary for some types of data, but for those that are less sensitive, the same organization could get maximum value from providing controlled access to pseudonymized data between trusted, external collaborators without exposing itself to unnecessary privacy or security risk. This is rooted in how an enterprise assigns permissions to data, where select data is available to partners who need it, for the use cases the data owner allows, with the right input or output privacy protections applied.
Namely, collaborative data access is effective in running successful customer-centric campaigns in a privacy-first way. Benefits include:
A richer overall profile and 360-degree view of customers, without violating data minimization or governance practices
Better customer experiences based on ability to track and enforce customer preference across contexts
The ability to create new customer experiences, audience refinement, outcome-based optimization and enhanced measurement capabilities
Access to valuable insights for companies which lack a first-party relationship with their customers ー i.e. “data rich” retailers coupled with historically “data poor” sectors like CPG or pharmaceuticals, which tend not to have direct access to first-party data
For businesses looking to flourish in 2021 and beyond, it’s important to apply context when evaluating where a dataset should sit on the spectrum of privacy and risk tolerance, so as to sacrifice neither privacy nor utility. For too long, infosec and privacy teams have been checking the usual boxes but missing the boat on achieving actual business outcomes and goals.
Transitioning to a more context-driven model where privacy and security remain core tenets of all workflows will ensure enterprises get actual value from data while remaining privacy- and security-first. Don’t let data exist only to collect dust. The solutions needed to maximize data’s value in a privacy-first way are already here.