The Business and Societal Case for Privacy
American companies experienced nearly 500 data breaches in 2016 alone, and governments around the world are beginning to require more from private firms when it comes to protecting user data.
Most notably, the European Union’s General Data Protection Regulation (GDPR) became enforceable in May of this year. The new regulation requires companies to, among other things, receive consent from users in order to store their personal data—and it applies to all companies that serve European citizens, whether the company is based in Europe or not.
While compliance with a new regulation often seems burdensome to global firms, data shows that the type of privacy policies required under the GDPR echo a rising clarion call from consumers, who studies show are increasingly concerned about misuse of their data.
The nonprofit think tank Centre for International Governance Innovation (CIGI), in partnership with the Internet Society and the U.N. Conference on Trade and Development, has surveyed global Internet users about privacy and security since 2014. In its most recent survey of more than 25,000 Internet users from 25 countries, 52 percent of respondents said they’re more concerned about their online privacy than they were a year ago.
For 81 percent of these users, cybercriminals were the primary source of concern regarding online privacy. “Internet companies, such as Facebook, Twitter and Google, are a close second, with over 70 percent saying these businesses are a major source of concern over privacy,” Eric Jardine, a CIGI fellow who has worked on the survey since its inception, told TriplePundit.
A growing number of users are acting on their concerns: 12 percent reported making fewer online purchases in the past year, 10 percent have closed social media accounts, and 7 percent say they’re using the Internet less overall.
“The numbers indicate that despite how pervasive the Internet, social media and e-commerce have become, use of these technologies remains based upon trust,” Jardine told us. “When trust goes, the first and foremost reaction by users is to change how they behave. In the extreme, that means not using a service or using a service more selectively.”
Findings like these should make any company that handles user data stand up and take notice. We asked Jardine, who is also an assistant professor of political science at Virginia Tech and researches cybersecurity topics at CIGI, why companies should care about their customers’ views on data privacy and what they can do to re-establish consumer trust.
Data privacy is a competitive advantage
Research shows that robust and transparent data privacy policies can give companies a leg up on their competitors. When firms engage in consumer data protection and privacy efforts for less than one year, 66 percent report that they are effective in retaining customers, according to Boston College’s 2017 State of Corporate Citizenship Report. More than 80 percent say the same if they invest in data privacy efforts for more than four years.
A 2018 study from the U.K.-based Global Alliance of Data-Driven Marketing Associations (DMA) further underscores these findings. Nearly 90 percent of the global consumers DMA surveyed cited transparency as the key to trusting organizations. “Improving transparency and control for people will help companies be in a much stronger position to engage them within the data economy,” Chris Combemale, CEO of the DMA’s U.K. group, wrote in the report.
Helping people understand why and how their data is being used is even more important for Internet giants, e-commerce companies and other firms that do business online, Jardine told 3p.
“Building a brand that is privacy conscious would certainly help Internet companies keep and attract customers, especially since many of the large Internet platforms are U.S.-based but need to tap into global markets to ensure growth over time,” he explained. “If these companies cannot ensure that they will do their utmost to protect user data, global consumers will worry about the possibility of government surveillance or cybercriminals and choose to use an alternative service.”
Privacy demonstrates your values
Beyond the fear that customers may go elsewhere—and other risk-aversion considerations like regulatory compliance—safeguarding user privacy gives your company an opportunity to demonstrate that you care about your customers. “In the digital age, personal data is intrinsically linked to people’s private life and other human rights,” the nonprofit NGO Human Rights Watch concluded in a recent blog post. “Everything a person does leaves digital traces that can reveal intimate details of their thoughts, beliefs, movements, associates and activities.”
As companies collect more and more information about their customers—from identities and buying preferences to characteristics like race, sexual orientation and political affiliation—it grows harder for these firms to refer to themselves with words like “conscious” or “responsible” if they’re not doing all they can to prevent this deeply personal data from being misused. This social connection is core to any company looking to leverage business as a force for good, and it’s also a clear avenue through which to repair eroding consumer trust and put values front and center.
Such conclusions don’t appear to be lost on top global firms. Earlier this year, IBM surveyed 1,500 business leaders whose companies were deemed early adopters of the GDPR to better understand their motivations. A whopping 84 percent believe that proof of GDPR compliance will be seen as a positive differentiator to the public, and 76 percent said it will enable more trusted relationships with customers and business partners.
Trust is a two-way street
While regulations like the GDPR put the onus on the private sector to keep user data secure, Jardine told us that both companies and consumers will need to shift their mindsets in order to re-establish trust in an increasingly Internet-driven age.
“Users need to adjust their mental frames,” he explained. “Data stored online is not secure and always runs the risk of being compromised. It would be nice if it wasn’t so, but perfect security is impossible to obtain while still having anything even remotely resembling a functioning, useful system.”
While consumers are concerned about data privacy, research shows they’re still willing to share their data with companies in exchange for enhanced services. DMA’s study found that roughly half of global Internet users are “data pragmatists” who decide whether to share their personal information with an organization on a case-by-case basis, dependent on the benefits.
Still, trust plays a key role: 51 percent of consumers surveyed by DMA put trust in their top three factors that make them happy to share personal information with a company—and companies will need a multilevel approach to build that trust, Jardine said.
“Companies can help retain user trust by, first, providing as much security and possible and, second, making the aftermath of a malicious cybersecurity event less acute,” he told us. “Financial service companies do this already. If your Visa card is stolen, which may invariably happen, the company does an investigation and then covers the losses and issues a new card. Users trust that Visa works to prevent card theft, but they also know the company will help to minimize the adverse effects of a malicious event.”
Of course, not all companies are in the position to take such direct action. But taking steps to prevent data misuse—and clearly communicating how the company will respond to a breach if one occurs—remains paramount, Jardine said. “This sort of thing is harder for content intermediaries, as you cannot simply change out your personal photos or identity with the same ease as a credit card number,” he explained. “Nevertheless, keeping this dual focus on prevention and remediation is the best approach to building a trust-infused product.”
The bottom line
In response to findings like these, nearly 60 percent of companies surveyed by IBM said they’re embracing the GDPR as a business opportunity rather than an impediment. Over the next few months, in partnership with Symantec, TriplePundit will dive into how leading companies plan to do this.
We’ll explore the different ways that companies interact with vulnerable personal data—from user experience to supply chain management—and what they can do to better ensure privacy and security. We’ll discuss how the growing push for greater transparency impacts different teams across your business and talk through how companies can continue to innovate while maintaining privacy. You can keep track of the series here.