The road to compliance: A step towards bridging the privacy gap
This is a guest post by Katherine Noall, CEO of Sphere Identity.
We live in an information age that’s dominated by so-called smart devices and high-speed connectivity, where the world’s most in-demand resource is no longer oil, but data. A 2019 global risk report published by the World Economic Forum listed cyber attacks and data breaches as the fourth and fifth most serious risks facing the world today. The sharp rise in data breaches, along with the enforcement of privacy regulations, has caused companies globally to revisit their stance on consumer privacy. Now, business owners are beginning to realize the importance of data security and the legal importance of protecting customer data.
As brands grow increasingly digital, the responsibility for the safety of their customers’ online information becomes ever more critical. To enforce this, several privacy regulations such as the GDPR, CBPR, and PIPEDA have been enacted across the globe, in a bid to govern the security of sensitive personal data held by businesses and organizations. For many, the GDPR was a wake-up call, with the European Union (EU) delivering on its promise to hold non-compliant data controllers and processors accountable for their actions. One year after the GDPR came into force, over 200,000 cases have been reported, with fines issued totaling about €56 million, the lion’s share of which is attributable to CNIL’s €50 million fine against Google.
However, the price of non-compliance isn’t limited to fines. According to the Ponemon Institute’s 2018 Cost of a Data Breach study, the average cost of a data breach is around $3.86 million, consisting of expensive technical investigations, regulatory filings, and lost business. On top of mounting costs and legal regulations, businesses also face pressure from customers to reform the corporate attitude towards privacy. For example, following the Facebook and Cambridge Analytica data-sharing scandal, a study found that one in four Americans deleted their Facebook pages. The cyber threat landscape is constantly evolving, and organizations that lack the infrastructure to safeguard the personal information of their customers are left vulnerable to attacks and at risk of losing consumer trust. When that happens, consumers begin to look elsewhere for alternatives that provide better security and transparency. CA Technologies’ 2018 Digital Trust Survey and Index study reported that more than half of consumers have stopped using the services of an organization after a data breach, further showing that being data-compliant is a key factor in retaining customers.
Based on the report’s findings, it is evident that digital trust is correlated with the usage of online services. Consumers tend to inherently trust brands that take their privacy seriously, and in an era of depleting digital trust, businesses need to take responsive, sustainable action. Rather than regarding compliance implementation as purely a costly practice, it should be viewed as an upgrade to the customer experience. As control of personal data moves increasingly back into the hands of the user, organizations should recognize this contextual shift and use it as an opportunity to fundamentally rethink their customer relationships.
A transparent business-customer relationship not only builds trust, but also cultivates brand loyalty. Findings from a study by Label Insight revealed that 94% of consumers said they were more likely to be loyal to a brand that offers transparency, while 73% indicated that they would be willing to pay more for a product that offers complete transparency. When it comes to data privacy, by making the effort to improve transparency, choice, and control, businesses can boost their credibility and differentiate their brand from the competition. For instance, amid rising distrust in the ability of big tech companies to protect user data, Apple declared itself a champion of consumer privacy, emphasizing this in a recently launched Apple ad with the tagline: “Privacy. That’s iPhone.”
The GDPR, along with other privacy regulations, has been the catalyst for a fundamental shift in the digital economy, and a great start in improving consumer data protection. Undoubtedly, it has brought about greater public awareness of the value of personal data. According to a data privacy and security survey conducted by RSA this year, consumers now have stronger opinions about the ethical use of data, after a year of several high-profile data breaches and negative media coverage of company practices, such as the Marriott Hotels data breach that affected over 500 million individuals, the MyFitnessPal breach that affected 150 million, and the Quora breach that leaked account information, including names, email addresses, and encrypted passwords, of 100 million users. Consequently, consumers are reportedly uncomfortable with companies’ data collection processes, and as many as 75% have taken action to limit the amount of personal information they share online.
While the GDPR may not have brought about a sea change in how businesses approach the processing, collection, and storage of customer data, it certainly was a step in the right direction. Compliance implementation was always meant to be part of a journey for organizations, and not simply a box-ticking exercise.
We are currently seeing a significant number of developments taking place around the globe in relation to privacy laws. At present, two obvious trends in privacy legislation are visible across the world: one that insists on strict enforcement of such legislation, and a second that takes a more lenient approach. The California Consumer Privacy Act (CCPA), for example, is the most comprehensive data privacy law in the United States to date, bringing groundbreaking privacy rights to Californians, ironically in the home state of tech giants Apple, Facebook, and Google. In terms of expected development, one of the most compelling privacy law developments of 2019 is expected to occur in India. India’s draft bill introduces specific rights for individuals as well as distinct requirements that processing entities and businesses will have to meet. However, some countries have recently introduced new data protection legislation that waters down the standards set by the GDPR. For instance, Australia’s 2018 Privacy Act excludes businesses with an annual turnover of less than $3 million and only requires the reporting of ‘eligible’ data breaches. While many regions are currently holding back on policy implementation, still unsure of what measures to take, over the next five years we can certainly expect to see further standardization of data rights across the world and a more global approach to data protection.
About the author
Katherine Noall is the CEO of Sphere Identity, a global blockchain-based identity platform for identity storage and onboarding. Katherine has over 20 years of international management experience with technology companies such as AT&T-Unisource and Information Builders.
DISCLAIMER: BiometricUpdate.com blogs are submitted content. The views expressed in this blog are that of the author, and don’t necessarily reflect the views of BiometricUpdate.com.