Data is your company’s biggest asset. Many critical business decisions are based on insights from the data you hold. Biometrics, AI, the Internet of Things (IoT), and other technologies create even more opportunities to further use data to benefit your business.
But the more data you have, the greater the privacy and security risks. In the first half of 2019 alone, there were 3,800 breaches that exposed 4.1 billion records—more than half of the world’s population! No wonder consumer trust is at an all-time low. A recent Ping Identity survey, aptly titled “Trust and Accountability in the Era of Data Misuse,” found that 81 percent of customers would no longer engage with a brand online after a data breach. One-fourth of customers would completely disengage from a brand following a data breach.
“There’s no question, businesses risk losing customers and damaging their brands if they lack strong, transparent data protection practices,” says Richard Bird, chief customer information officer at Ping Identity.
PwC: To Build Trust in Data, Put Privacy First
Respondents in a recent PricewaterhouseCoopers (PwC) survey plan to invest in data to deliver the greatest value to customers in their industry and to be the “most efficiently run organization in their industry.” Survey results also indicated that these executives lack confidence in their data’s quality and in their ability to protect that data. For these reasons, PwC analysts say companies need a “data trust strategy”—not just a data strategy. Rather than focusing only on creating value with data, companies need to mitigate “against the potential for value destruction, such as the cost of privacy breaches or the risk of relying on inaccurate data.”
Thirty-seven percent of survey respondents who have a process for assigning value to their data consistently involve their data privacy team in this process. Analysts call these executives data trust pacesetters. The data trust pacesetters are experts at using data to improve their bottom line. What’s more, they view expanding privacy regulations as an opportunity to create trust and collaboration within their organization, rather than merely seeing these laws as a barrier.
5 Characteristics of Data Trust Pacesetters
PwC’s analysis indicates the five areas in which pacesetters stand out. These traits “show how a coordinated approach contributes to handling regulations around data protection and privacy as they come, welcoming opportunities rather than fearing obstacles.”
Data trust pacesetters:
- Include the data privacy team when valuing data. New data-driven solutions create new risks. By embedding risk management into their data development efforts, pacesetters can identify and help protect against possible problems before disaster strikes.
- Routinely value data. In addition to assigning value to their data, pacesetters make sure that value is consistently applied to all data sets. They use marginal cost-benefit analyses on each data element to decide if it is worth acquiring. In the future, companies will have to refine their data valuation methods. Laws such as CCPA, which require businesses to “use and document a reasonable and good faith method for calculating the value of their consumer’s data,” will speed this process along.
- Are ethical in their use of data. Pacesetters take a value-based approach to data. Among other things, this means defining responsibilities across the organization to ensure the data is ethically used. They use technology to help with data protection, management, and governance. If asked to choose between profit and privacy, 60% of respondents in the PwC survey said they’d choose customer privacy.
- Use best practices in data engineering. Pacesetters build design tools that include both privacy and security into their products, services, and systems. Rather than using the databases of yesterday, they develop collaborative platforms that help identify missing data as well as gaps in quality, usability, security, and potential risks.
- Set up a collaborative data governance team. This cross-functional team unites “value creators” from the business side and “value protectors” from risk, IT, and cybersecurity. Together, they develop data policies and practices that support customers, employees, regulators, and the business.
Put Privacy First with Incident Response Management
As part of building their data trust strategy, company leaders need to determine how they will respond to the growing number of data privacy and security incidents. Regulators both in the United States and globally have expanded their definition of personal information, tightened their timelines for breach notification, and increased fines for noncompliance. And, as we’ve seen, consumers are more aware of their privacy rights—and wary of companies that don’t adequately protect their information. Only 25% of consumers think that companies responsibly handle their private data.
A consistent, well-planned method for managing incident response helps organizations satisfy regulatory requirements and demonstrates good faith to skeptical consumers. A strong incident response program:
- Involves collaboration across privacy, security, legal, and product teams. Understanding legal risks, implementing privacy policies and procedures, safeguarding data, and applying the appropriate controls for that data throughout the organization and within the company’s products and services—each is a critical aspect of a strong incident response program.
- Is based on the latest breach notification laws. These are always changing, so your incident response program must be built on what PwC calls “a real-time inventory of privacy regulations around the world.”
- Must be continually tested. Incidents can happen in an instant—a lost laptop containing unencrypted data, a ransomware attack, even misplaced paper files. Tabletop exercises are an excellent way to evaluate your team’s incident response readiness.
- Uses benchmark data to continually improve. As Mahmood Sher-Jan, RadarFirst CEO and founder, once wrote, “Privacy professionals operate, in many ways, in the dark: you may think you’re doing well, but without knowing the benchmark for how others in the industry are doing, you will never be able to accurately assess the performance of your privacy program…. Benchmarking helps you know where you rank, and make better, more data-driven decisions for improvements.”
- Uses privacy automation. Every incident is unique—the applicable regulations, its cause, the sensitivity of the data compromised, and so on. Automation in incident response eliminates the subjectivity that is inherent in manual approaches. Leveraging technology ensures consistency, accelerates the decision-making process, and eliminates the risk of over- and under-notifying.
Make Privacy Your Top Priority in 2020
The analysts at PwC noted: “If decision-makers within an organization cannot trust their data, or their ability to protect that data, then the data is not just useless, it’s actually a source of risk. Companies that build their business models on inaccurate or unsecured data risk breaches, regulatory scrutiny and damage to their reputation.”
On the other hand, “a data trust strategy turns data into an engine for continuous growth.” To fuel that growth and rebuild consumer trust, companies need to put privacy first. Applying best practices for incident response is an important first step.