GDPR signals rising tide of privacy issues

Proactively address data privacy to build competitive advantage

The EU’s General Data Privacy Regulation (GDPR), which took effect in May 2018, together with recent high-profile incidents involving compromised consumer data at large U.S. organizations, has heightened awareness around consumer data privacy. In the U.S., evolving consumer attitudes are also driving new privacy regulations, such as the recently passed California Consumer Privacy Act of 2018 (CCPA), forcing organizations to rethink the way they do business.

Data-driven organizations face the most significant privacy concerns. These are organizations that collect and control consumer data and integrate that data into their business model by, for example, monetizing the data or using it in marketing efforts, or that maintain relationships with third parties that do so. Data-driven organizations need to be transparent with individuals about how and why they process their data to avoid costly fines and litigation.

A flood of data privacy concerns

To date, data protection regulations in the U.S. have been industry-specific. Regulations specific to patient health care information and to the financial sector are examples. But GDPR’s scope is forcing enterprises to change their operations and could serve as a model for more expansive data privacy legislation. California’s new CCPA provides elevated rights to California consumers and has many parallels to the GDPR. Even if other states do not follow the EU model, many U.S. businesses have EU customers and will need to become GDPR compliant. Many of those organizations have indicated that they will extend GDPR protections to all of their users.

In general, GDPR provides individuals with a right to be clearly informed when their data is being collected, to be provided a copy of their data, and to require companies to delete all data collected from an individual upon request (the right to be forgotten). Until recently, consumers seemed relatively unconcerned about their data. Most willingly provided their data in return for improved service or access to online platforms or programs. Apart from financial data, such as credit card and bank account numbers, many consumers were unconcerned about their data being collected, tracked, monitored and mined.

Three trends have changed these attitudes:

  • Increasing digitalization: Consumers now conduct so many activities online that they realize that their data exposures extend to all aspects of their lives. Many also realize that they are engaging in quid pro quo transactions, in which they may be consigning ownership of their data, or at least permitting uses they had been unaware of, in exchange for unclear, unequal or dubious benefits. Consumers are also increasingly refusing to thoughtlessly agree to unclear or unfavorable terms of service.
  • Increased media coverage: Media coverage of security breaches and exposures of consumer data—along with increasing digitalization—may create uneasiness among consumers who once automatically signed complicated terms of service agreements. In addition, more sophisticated consumers are realizing that their data and user generated content has monetary value and are more consciously evaluating the organizations that stand to gain from it.
  • Increased regulatory attention: EU consumers tend to be more sensitive than their U.S. counterparts about data privacy, which helped drive GDPR. However, U.S. consumers, particularly those in younger and more educated cohorts, are increasingly sensitive to data privacy. They can be expected to assert their rights and to reward companies that respect those rights. Also, while unlikely in the near future, the prospect of U.S. regulatory action remains a possibility.

The rising tide of consumer focus on data privacy presents an opportunity for businesses to build trust with consumers. Organizations that emphasize customer-centricity and transparency, and that facilitate users’ data privacy rights regardless of regulatory demands, stand to benefit from consumer trust and participation, particularly when competitors fail to do so. Given the foundational nature of trust, organizations that take proactive steps to deepen and lengthen relationships, and to enhance their reputations, can gain competitive advantage.

Data privacy is good business

Data-driven organizations have the most to gain—and lose. These organizations should consider ways of enhancing their strategies for gathering, using, sharing, maintaining and protecting customer data.

This does not necessarily require a total overhaul of policies and procedures. It’s possible for many data-driven organizations to continue doing much of what they have been doing, at least outside the EU. Yet it does signal a need to handle consumer data and communicate related policies in a responsible, transparent, respectful manner.

Companies should also clearly explain what consumers gain by sharing their data. Benefits might include more relevant news and offers, better information on which to base decisions, reduced clutter and distraction, and expedited shopping, investing, communication, payment and shipping. In any relationship, people reveal things to gain something in return. Making data-based revelations more transparent and reciprocal can build strong digital relationships. Your organization’s size, capabilities and technological infrastructure, consumer relationships and risk appetite will shape your response. Developing an optimal response calls for viewing the matter not only from a regulatory-compliance perspective, but also as a value proposition and a competitive issue.

How to build a data privacy advantage

The more data-driven the organization, the more critical it is for management to respond appropriately to consumer concerns about their data.

Here are steps to consider:

  • Assess the value of the data. Ascertain the role and value of consumer data in your business model. The more important any particular type of data is to your enterprise, the more important it is to build trust that such data will be handled responsibly.
  • Evaluate your current practices. Review your current policies and procedures around data gathering, tracking, maintenance, sharing and retention, and your practices for communicating those policies and procedures to consumers. Ask basic questions: What data are we collecting, sharing and maintaining? Why? How do we use this data? Who has access to it and why? How do we protect it? Identify all risks—including reputational risks—associated with potential breaches, misappropriation or misuse of the data.
  • Take a strategic approach. Consider the upside of enhanced data privacy in your policies and procedures and greater transparency in your communications. In what ways might this propel your marketing efforts and improve business performance? Which customer relationships or revenue streams are you putting at risk? Which ones could you improve?
  • Identify useful modifications. Examine the data lifecycle, from acquisition to archiving or deletion. Identify potential improvements based on the role and value of the data, your current risks and desired risk profile, consumer attitudes (which you can learn by surveying your customers or audience) and other industry- and company-specific factors. You can change what you are doing or change how you communicate about it, or both.
  • Empower the consumer. You can increase transparency while reducing risk by empowering the customer. First, be open and specific about the data you collect, what it will be used for, what the customer gains in return, and how you safeguard their data. Second, provide plain-language terms of use and policies rather than agreements larded with legalese. Third, enable consumers to control—via opt-in, active consent or non-consent and similar mechanisms—the data they provide and the uses to which it will be put.
  • Review third-party relationships. If your organization outsources consumer-data collection, processing, storage or management, understand what your providers are doing and the risks to your organization. More than ever, due diligence in screening, selection, contracting, relationship management and oversight, along with periodic audits, is needed in working with vendors and partners who handle your customers’ data.

There are costs and risks associated with these steps, ranging from updating processes to reductions in customer participation. But there are also risks associated with suboptimal practices, including losing market share to more trusted competitors and the prospect of devastating reputational damage. Data-driven organizations can act now to gain competitive advantage. Start by assessing current practices and developing proactive responses tailored to your organization and customers or audience. The disadvantages are few, while the potential advantages include greater customer loyalty, enhanced trust, improved word of mouth, higher barriers to customer attrition and reduced regulatory, legal and reputational risk.

The opportunity and advantages will accrue to leadership teams who see the rising tide and get moving, instead of treading water.

Contacts

Vishal Chawla
National Managing Principal, Risk Advisory Services
T +1 703 847 7580

Derek Han
Cyber Risk
T +1 312 602 8940

Chris Smith
Strategy & Transformation
T +1 425 214 9820

Siddiqui, Sonia 
Cyber Risk 
T +1 703 562 5971