What do you know about your data?
Annelies Moens, recognised global privacy expert and Managing Director of Privcore discusses why data and its governance is important to most, if not all, organisations and why leaders and directors need to embrace it.
Why leaders and directors should take care
Data is an asset or a liability depending on how it is managed and in this sense, every organisation (business, government and not-for-profit) is a data business. As an asset or a liability, data is a core topic with which leaders and managers must make themselves comfortable and familiar, and is an essential component of corporate governance.
Furthermore, a lot of data in organisations is about people, their lives, what they do, where they go, what they buy, what they like, what they say, what they look for, what they do for entertainment and so on — it is personal information and thus in many instances is subject to privacy and data protection requirements. Data is so integral to organisations, that it must be treated as core business. Data protection and privacy also have the added dimension of being considered a human right as recognised in the UN Declaration of Human Rights, the International Covenant of Civil and Political Rights, and in many other international and regional treaties.
Trust & privacy – from the top, down
Some of the top-valued companies globally, including Amazon, Apple, Facebook, Alphabet (Google) and Microsoft are individually worth billions and collectively made more than US$900bn in the past year. As these companies are data businesses relying on personal information, they understand the value of their customers’ data.
In order to lead successful organisations, leaders and directors need to develop a vision that enables their organisations to make decisions which build trust with their customers. Customer trust and customer privacy go hand in glove and the governance of data is not something that can be relegated effectively to compliance and IT functions without board oversight and direction.
Governing your data – what you need to consider
Trust and social licence
The 2018 Edelman Trust Barometer reveals that trust is in crisis around the world. In 20 of the 28 economies surveyed, business, government, NGOs and media are generally not trusted. Yet for innovation to flourish, trust is vital; and innovation depends increasingly on the use and sharing of data.
In Australia, the Office of the Australian Information Commissioner’s Community Attitudes to Privacy Survey 2017 shows that ‘one in six [citizens] (16%) would avoid dealing with a government agency because of privacy concerns, whilst six in ten (58%) would avoid dealing with a private company’. Boards need to think about how their organisations communicate with stakeholders. How do they build and shape expectations with customers? It is certainly not shaped by the terms and conditions of products and services.
The term ‘mass customisation’ refers to our present-day era where we have taken the handmade bespoke aspects of the pre-industrial era and the mass production capability of the industrial revolution era to be able to produce customised items at scale.
In our mass customisation era there is a need for customer centricity, where we need to understand our customers at an individual level in order to provide for their bespoke needs. Yet at the same time, ensuring an organisation has a 360-degree view of a customer is NOT a customer-centric approach, as customers may not want to fully reveal themselves to organisations. Customers may want to be able to choose what they share.
Privacy is all about giving the customer control of what happens with their data — making them the driver and the reason for our products and services. As such, customer service and managing failure, including data breaches, are becoming increasingly crucial touchpoints in determining the level of engagement and goodwill customers have towards brands and institutions.
Increasing number of data breaches
Being able to manage failure is increasingly important as more and more organisations are subjected to data breaches owing to either their own inadequate security practices, system/human failures or unfortunate external attacks against which they cannot fully protect themselves.
The more data that leaves controlled and protected environments, the more we are polluting our data ecosystem. Identity fraud increases, trust diminishes (both ways between customers and organisations) and billions of dollars are wasted. Indeed, an Australian expert on data breaches testified before the US Congress on the impact of such breaches on identity verification, and outlined that static knowledge-based authentication is becoming increasingly risky in a post-breach data world. It is becoming increasingly crucial for organisations to focus on cybersecurity to ensure they have control of the data for which they are custodians.
Technology is rapidly dictating our policies as legislatures and policy makers struggle to keep up. We are in a world where it is easier to keep data than delete it and it is easier to create systems that retain data. An increasing amount of data will be collected about people as more devices become connected to the Internet of Things, which saturates our lives.
We have new technologies that are affecting massively the handling of individuals’ personal information; consider:
- Automated driverless cars and the collection of masses of data from sensors, voice and behaviour.
- Automated algorithmic decision making and artificial intelligence affecting our day-to-day lives.
- Social credit scoring.
- Biometrics and facial recognition in private and public spaces.
- Digital identity management.
- Cloud services through which data storage and processing is outsourced.
While none of these technologies are inherently bad, they can rapidly lead to massive increased individual risk, through over-collection of data, data breaches and misuse, or out of context use. These issues can be minimised with appropriate governance, which will be needed in order to retain customer trust.
Leaders need to help shape and influence the direction technology takes
We are at a pivotal point in history — how we lay our foundations now will determine the kind of society we will live in. Technology is changing our lives rapidly both for good and bad. We need to build core human values and ethics into our products and services. We must keep individuals at the centre and build technology that respects human values, including privacy and security. Outlined below are examples of innovation where privacy is at their core, as well as those that provide us with a few more challenges and grey areas.
Examples of innovation that have privacy at the core
- Trade Me — Transparency Report: In 2017, Trade Me published its fifth Transparency Report to give insight into how it works with law enforcement and government agencies to help keep its website trusted and safe. The Transparency Report helps keep law enforcement and government accountable for their requests for customer data and deters customers from criminal activity on Trade Me.
- Tresorit: End-to-end encryption cloud service, where only customers can see their data.
- Startpage — Anonymous searching: Google search results with privacy protection — no collection of personal information or what you search for.
- Wire: Secure conversations and video calls with end-to-end encryption.
Examples of innovation, but without privacy at the core?
Great technology can be implemented badly without security and privacy by design. Some of the examples below are for illustrative purposes only and are now being rectified by the companies themselves, regulators or being litigated.
- Vtech Electronics: Connected toys, apps and platforms collecting personal information without notice and consent, and not taking reasonable steps to secure the data.
- Vizio, internet-enabled TV: Collecting what viewers watch and selling it to advertisers without viewers knowledge or consent through snooping pixels.
- Uber, ride sharing: Collecting information about customers’ mobile phone battery life and identifying that customers are willing to pay more for rides when their battery is running low on charge and Uber admitting that it actively concealed data breaches.
- Bose, headphones: Allegedly collecting the music you listen to and selling it without permission.
What leaders and directors can do to build trust
Develop a culture of respect
The importance of culture cannot be underestimated. In an independent review of the Accident Compensation Corporation (ACC) in New Zealand following a data breach that occurred in 2012, culture was the biggest transformational issue for ACC. It had had inconsistent practices around respecting personal information, which led to numerous incidents of inappropriate handling of personal information. Today, New Zealand government agencies have privacy maturity assessment frameworks in place and a chief privacy officer who operates across the whole government, so that confidence and trust in New Zealand government can grow.
Make privacy part of risk management frameworks
According to the World Economic Forum’s 2018 Global Risk Report, alongside extreme weather events and natural disasters, cyberattacks and data fraud/ theft are the top three and four likely risks to occur. As such, privacy needs to be part of risk management and assurance processes.
Make leadership accountable
What gets measured gets done. If no person at senior executive level or board level is responsible for the decisions their organisation makes with respect to what happens to customer data, the direction the organisation takes will likely be dictated by factors other than core values, such as respect for personal information.
Monitor key indicators such as input from customers, suppliers and employees
Listen not just to senior executives, but also to customers, suppliers and a broad set of employees. Consider how fast bad news travels to leadership and whether privacy is a regular board agenda item. How are failures and complaints managed within the organisation?
Collaborate with the regulator
Regulators with collaborative approaches tend to have more successful regulated outcomes (plus most complaints are negotiated settlements). The New Zealand Privacy Commissioner, as an example, is taking an innovative regulatory approach by introducing a Privacy Trustmark, whereby it is willing to indicate services or products that take data protection seriously and give customers confidence their personal information will be respected and protected.
It is incumbent on leaders and directors to know what goes on in their organisation in terms of the handling of personal information; only then can they steer their organisation to adopt and develop innovations that respect one of their most valuable assets. Failure to do so is likely to lead to customer dissatisfaction and loss, regulatory intervention, fines, shareholder and customer litigation and class actions, and decline in share value and profits.
This article has been generously provided by the author, Global Governance Initiative affiliate Annelies Moens, for sharing with the GGI community. It is based on a presentation she prepared for the Australian Institute of Company Directors’ Australian Governance Summit, 1st to 2nd March, 2018, Melbourne, Australia and published in the Journal of Data Protection & Privacy, Vol. 2.1, 2018. United Kingdom.
Annelies Moens, CIPT, FAICD, CMgr FIML is a widely recognised global privacy expert and thought leader, trusted by business executives, government and privacy professionals with close to 20 years’ experience. She is Managing Director of Privcore and cofounder of the International Association of Privacy Professionals in Australia and New Zealand. She held elected roles during her six year Board term with the Association, including as President. She has held several senior leadership roles, including as Deputy Managing Director of a privacy consultancy, External Relations Manager at an online legal publisher, Group Manager and Chief Privacy Officer at a copyright licensing agency, and Deputy Director at the Australian privacy regulator. She has an MBA in general international management (distinction) from the Vlerick Business School in Belgium, is a qualified lawyer, has undergraduate degrees in computer science and law (first class honours) from The University of Queensland, Australia. Contact Annelies at firstname.lastname@example.org