Companies that want to differentiate themselves will have to take a long, hard look at their practices around safeguarding customer data. Practices need to comply with the relevant laws, of course, but they also need to be rooted in ethics. Risk governance technologies make it easier than ever before for companies to be both compliant and ethical – and prove to customers they can be trusted.
20 July 2022 • 4 min read
In the beginning was the business, and the business was with data, and the business was data… Whether your company is large or small, personal data is the foundation of trade – helping to derive customer insights, drive personalized services and make accurate market predictions.
Then came the law: regulations stated that personal data is owned by the people who generate it, and not company property; that those collecting data have to give users full control of how it is treated, and carefully safeguard personal information.
The natural human reaction to a new rule is to find the quickest way to appear compliant by modifying one’s behavior as little as possible – even if doing so ignores the spirit of the legislation. This is generally possible, because the law has shades of gray. Ethics, however, can be seen as binary – decisions and behaviors either align to your values, or they don’t.
Business ethics are a relatively recent phenomenon, having for many years been viewed as superfluous. But business is a matter of trust, and today people are more aware of how their data is collected, used and turned into money. They are also informed daily about breaches and worried about a sense of ‘surveillance’ that undermines their privacy.
It is precisely this growing lack of customer trust in organizations that is transforming the perception of ethics from a cost to a market differentiator.
Trends show how people don’t trust that organizations will keep their data safe, nor that they will collect clear consent. There are also fears that organizations will sell data without permission, or store more data than necessary. It is precisely this growing lack of customer trust in organizations that is transforming the perception of ethics from a cost to a market differentiator.
In this complex scenario, current and emerging technologies are key in making sustainable, ethics-driven choices.
To cultivate the trust of customers sharing their data with companies, it is necessary to be clear from the outset. The more consciously data is shared, the greater value it brings to those collecting it. The law requires that companies explain in simple, concise terms what they intend to do with data, to whom it is eventually transferred, why, and in what form.
Beyond that, blockchain technology could be used for consent management to ensure consent is continuously tracked, and that every subject can revoke consent if they wish. Blockchain could also be used to provide visibility to data subjects of every instance of access, transfer, transformation and deletion of their data, both at the level of a single organization and potentially also at the level of aggregate systems such as a market sector, or even a country.
Personal data that organizations collect is usually the result of several campaigns executed over time. The regulatory framework evolves. The social environment changes. Organizations merge with each other or transfer branches to other companies. Top management revamps the business model to align with or anticipate the market.
Technologies make it possible to maintain an up-to-date, comprehensive and detailed view of all the personal data processed by an organization – this enables the execution of subjects’ rights and supports the risk management process, but is also a deeply ethical choice in itself.
Therefore, often companies don’t have full knowledge of the personal data they manage, or this knowledge is spread over many operational functions without an integrated overview. Technologies in the data risk governance domain make it possible to maintain an up-to-date, comprehensive and detailed view of all the personal data processed by an organization, as well as determining the exact distribution of the relevant data for each individual.
This enables the execution of subjects’ rights and supports the risk management process, but is also a deeply ethical choice in itself, because it generates awareness and a sense of responsibility, and enables cascading others’ choices.
Much of the data that companies collect is not used for either contractual or statistical purposes – but because it might be useful someday.
Instead, the ethics-driven choice is to collect only what is needed and eliminate what is not. This serves the privacy of the data subject, decreases the impact of a possible data breach and makes the business more environmentally sustainable by decreasing its carbon footprint.
To maximize value, data is often moved around and shared with third parties. This widely increases data-related risks, sets specific needs in terms of consent management and may reduce customers’ trust.
Today, however, it is possible to acquire insights from data without accessing or transferring the data itself, such as via an Internet of Trusted Data (offering both auditable verification of identity and data credibility), as well as homomorphic encryption (making it possible to analyze encrypted data without revealing it).
Using these new technologies, data is kept safer in fewer places, and the algorithms only exchange non-identifying statistics. Therefore, corporate functions can ethically work together to facilitate the flow of insights, with the common goal of acquiring maximum value from the data.
Privacy regulations require that data is deleted if explicitly requested by the customer or after a given period. In complex business ecosystems, the deletion process can be onerous and challenging, given the extreme fragmentation of data that, in many cases, exists among business applications.
Again, the detailed knowledge of data distribution provided by data risk governance plays a key role here: full data observability can provide the tools to set an effective retention policy and help business functions to be fully aware of the risks of non-deletion.
In most cases, data protection is done through technology that provides access control. The concept is absolutely valid, but in a time when the risk of data exfiltration increases daily, it’s necessary to identify supplementary security measures. Technologies such as Information Rights Management (IRM) or Attribute-Based Encryption (ABE), for instance, greatly enhance data security by protecting not only the container, but also the content.
Truly embracing the defense-in-depth approach can demonstrate to customers that an organization is treating their personal data as carefully as they would.
Reviewing data protection policies by considering risks holistically, and truly embracing the defense-in-depth approach (the use of coordinated, multi-layered security measures), can demonstrate to customers that an organization is treating their personal data as carefully as they would.
The fact that many global technology companies are putting the care of customers’ personal data at the center of their business is no accident. Privacy ethics is a reality, and its implication in terms of increased consumer trust is already visible. Ultimately, it’s no longer a nice-to-have: almost all players across many market sectors must embrace ethics – or lose market share.
There is an expanding tangle of growing business needs, more stringent privacy regulations and higher standards of ethics. Luckily, technology can help us unravel it – providing better outcomes and higher trust not just for customers, but for the organization itself.
Discover more in
Data privacy