This story was created by Fast Company for Grant Thornton as a part of a content series that explores the impact of innovation and technology.
Data privacy is on everybody’s minds these days. But while some companies see this as impeding growth, smart business leaders are embracing it to spur innovation.
Consumers want privacy. But we also take eager advantage of products, apps, and tools that rely on our personal data. These conflicting demands can make it challenging for companies to determine how best to both protect and make use of their customers’ data. They can also make it challenging to innovate, as executives balance privacy concerns with product development.
However, a growing number of companies are adopting a proactive and holistic approach to privacy and innovation, inviting privacy leaders to collaborate with product teams from the outset. In a panel entitled “The Economy of Trust: How Data Privacy Is Driving Innovation” at the fourth annual Fast Company
Innovation Festival on October 24, three experts discussed corporate culture, data breaches, and the opportunities for growth that data privacy presents. Here is an edited excerpt from that conversation.
In the past, privacy issues were often treated as a pesky afterthought. What are your peers saying about privacy these days? William Min, chief privacy and data governance officer, Western Union:
Companies that think they have unlimited rights to personal information and can use it for whatever they want are going to get left back.
Mathew Newfield, chief information security officer, Unisys:
In a lot of the organizations that I work with, as well as my own, we’re starting to see a fundamental shift at the executive and board levels, where people are coming to the realization that it’s their data, too. They’re thinking, this is information about myself and my family and my friends all over the world. So how do I want my data handled? And they’re bringing that viewpoint directly into the business.
Derek Han, principal cyber risk and data privacy specialist, Grant Thornton:
The core privacy issue today is data management: not only how to use data, but how to protect data. And then also being transparent about how we use data. We’re also starting to think about eventually transferring some ownership of that data to individuals, as opposed to the company. Privacy leaders are focused not only on addressing compliance requirements, but also thinking about how we can tackle areas such as data management to help the business become stronger and grow faster.
The unfortunate reality for most brands seems to be that it’s not if you’ll be breached, it’s when. How does that dynamic affect innovation? MN:
If you look at the biggest cyber events in the last few years, you’ll see that the companies that were transparent did not see innovation stifled at all. You just have to work immediately and openly with regulators, law enforcement, and the people who are impacted.
The problem is a lot of corporations want to wait until they know everything before they say anything, which is the exact opposite of what you should do. But if you’re transparent, a breach doesn’t have to stifle innovation.
It’s critical to make sure that you’ve learned lessons from a breach. You have to continue to improve your security processes and think critically about the type of data that you’re collecting. For instance, did you really need to have that type of information in that particular database?
It’s an ongoing exercise. And sometimes, unfortunately, you learn lessons from situations with bad outcomes. But I’ve had experiences where public reaction was actually positive because of the way a breach was handled. By being transparent with those affected by the incident, customers should feel, “The company took this seriously. I’m going to trust that they’ve actually fixed the problem. They’re more secure than they probably were before. So they’ve earned my trust back.”
There’s a perception that corporate privacy executives mostly like to tell business leaders “no”. Is that culture changing? MN:
A lot of my peers are very old school. They’re focused on risk avoidance and risk transference. Their response to a new idea is, “That sounds scary to me. I don’t want anything to do with it.”
The only way to change that attitude is through collaboration and lots of communication. It takes time, but you can do it pretty easily if you really want to. A lot of companies in the Fortune 500 have changed their cultures very successfully. People are starting to catch on. It’s not so scary or so revolutionary anymore.
There’s an emerging privacy mandate that’s driving people to work more closely. I work with our privacy officer, legal counsel, and information security professionals, and then also business, IT, and operations folks. When you get all these people working together, creativity will come out of it.
For example, we’re having a lot of conversations about privacy by design: making privacy not only a compliance feature, but a customizable benefit. We talk about offering customers privacy by product and even by feature.
I work hard to build relationships with colleagues on the business side, so my team and I can get plugged in early on. There are a lot of solutions out there, and it’s very, very rare that we can’t come up with something that actually makes sense. But it’s a lot easier to do it up front than to come in at the eleventh hour when a product is ready to roll out but hasn’t been vetted properly.
Where do you see opportunities for innovation related to privacy? DH:
Some of my clients are starting to come up with really innovative solutions related to searching [for] and extracting user information. In the next three years, I can guarantee there’ll be some innovation to actually sell a privacy solution as a product. You’ll see very tangible business value from the privacy field.
It’s going to be interesting to see some of the ways blockchain is adapted for privacy. There are also interesting conversations happening about user names and passwords being an antiquated form of protecting your privacy.
Along with changes in technology, there are definitely going to be dilemmas. The companies that figure out how to solve some of those issues will continue to thrive. Take artificial intelligence and machine learning. On the one hand, from a pure privacy-regulatory standpoint, you should only hold and capture the least amount of data that you really need for the purposes for which you need to process it.
But in order to build AI models and make them more valuable and accurate, more data is better. That’s the sort of issue that’s going to come up increasingly often. People like us get to help figure out how we solve that to address both the business needs and the needs of our customers.
In addition to the issues addressed above, all three of our experts agree that it’s highly likely that Congress will pass a federal data privacy law at some point. In an ideal world, they say, the legislation would incorporate existing best practices, meaning companies that are up to date on protecting consumer data would have little to fear.