Companies Are Waking Up to a Reality Where Consumers Control Their Personal Data
Top of mind for most security, identity, risk, compliance, and privacy professionals are subjects like consumer identity and access management (CIAM), privacy by design, customer experience (CX), and the European Union's General Data Protection Regulation (GDPR) legislation. KuppingerCole's recently concluded Consumer Identity World 2017 conference in Seattle tackled those subjects under the umbrella of balancing user experience, privacy, and security for the connected consumer.
Subject matter experts from Sila Solutions Group participated on two panels at the conference. Sila Managing Director Brad Pittiglio spoke as part of the "Customer CIAM Case Study" panel, and Sila Cybersecurity Lead Tom Fleming spoke on the "Customer Experience (CX) & Privacy" panel.
Below are their observations and takeaways from their respective panels, as well as thoughts from the conference in general.
Data Control Shifts from Companies to Consumers
Historically, companies have developed their own corporate privacy policies. By defining their own rules as they saw fit, they could collect and monetize consumer personal information, which holds significant commercial value.
"Today, terms of service and privacy policies are written by companies to meet their business needs and objectives," said Pittiglio. "They are purposely opaque, granting a company as much freedom to capture, distribute, replicate, analyze, sell, or otherwise use your personal information as they see fit—in perpetuity. Users accept these policies without full understanding, and have little to no ability to fully undo that decision at a later point. This is exacerbated by limited rules and regulations, at least within the United States, that provide some baseline level of protection for users and their personal information."
As new regulations come into effect, however, control over personal data is beginning a global shift from corporate control back to the individual user. This change is primarily due to the European Union's (EU's) General Data Protection Regulation (GDPR) regulation, which goes into effect May 25, 2018. GDPR will hold companies accountable to discrete, user controlled data confidentiality, integrity, and disclosure requirements. Any company in the world doing business with EU citizens and collecting their personally identifiable information must comply.
Under these new regulations, users will have to explicitly opt-in for companies to collect and use their data—whether for marketing purposes or to sell to other vendors. That means there is no global opt-in ability; companies must get explicit opt-in approval for discrete usage scenarios. People will be able to navigate to a preference page and click through a series of check boxes that specify what data companies can capture, and how it will be used. Users will also need full ability to modify incorrect information, as well as transparency on how that information will be stored and secured.
These changes in privacy control are all part of GDPR regulations, which include the baseline requirements for user privacy rights. Companies can't violate those fundamental rights—regardless of what they may include in their privacy policies.
"Shifting the ownership and responsibility to the consumer will drive a lot of change," said Fleming. "It is an industry disruptor. There is a change in the workflow, systems, and processes. If the consumer decides that they want to purge all company instances of their data, then companies must find a way to mine their archives and do just that.
"Some things will be very difficult to achieve. But the intent is clear. The big takeaway is that privacy is coming. The fact that we don't have anything like GDPR in the U.S. is not going to slow it down. Companies that do business with European customers must comply, even though it's not a U.S. regulation."
Consumer complaints will be handled by privacy authorities, and fines for non-compliance could be as much as four percent of a company's worldwide gross sales.
Privacy by Design Improves the Customer Value Chain
Turning data control over to consumers offers opportunity to provide touchpoints for consumer interaction. Companies that see the opportunity in this will realize what's called a "privacy advantage" that can improve customer relationships and brand if designed thoughtfully. Privacy will add to the customers' value chain by empowering them with control over their personal information. This can build trust and increase opportunities to incentivize information sharing and customer satisfaction.
The challenge for companies will be in transforming privacy preference pages into positive interactions.
"I think the vision right now is to build a conceptual model that makes it easy for consumers to recognize," said Fleming. "What types of data am I now in control of? What are those data elements? Who is going to have access to my data? How do I erase it? The key is to make it easy for them to control it, and then also give them incentives to share data.
"This will drive incentive programs built around sharing data. You can only imagine what the possibilities are once they have the customer's ear."
Customer Privacy Control Will Necessitate a Technology Layer
In addition to development of a business-driven customer-friendly user interface (UI) where consumers can select and manage privacy preferences, there will need to be systems in place that manage consumers' digital identities and tie into the overall IT environment. It will be vital to execute on this technology layer to manage data access controls as it is these systems that manage digital identity and protect privacy.
In addition to technology, data governance processes such as data modeling and data lineage are required to trace where this data resides because it has more than likely replicated and permeated throughout a given company. This provides insight on where it sits, and how it's being used, stored, and protected so that decisions can be made on how it needs to be updated and adapted moving forward.
"Companies are not customizing and baking in privacy preferences just yet, but there are a lot of technology initiatives and standards developments that are happening right now in customer identity and access management," said Fleming. "The technology industries are organizing, activating, and building new standards."
CIAM as a Profit Center
A regulatory environment where consumers are empowered to self-enable their privacy settings can also create new business models for CIAM platforms. For example, the same CIAM platform used by consumers to self-initiate can be a tool for further interaction between companies and end users.
Whether it's for consent or acceptance, CIAM is not only a mechanism to collect information from end users it can also be a platform to help solve other problems companies are facing. That means the CIAM use case can become one of a profit center to help organizations meet some of their business challenges.
Improving the customer relationship part of the sales organization is one area where this applies. In this example, companies can expose application programming interfaces (APIs) for marketing and sales to extract data and run analytics.
"That raises questions such as: how do we start building better APIs for other parts of the business to consume this information, while respecting the new privacy settings?" asked Pittiglio. "Many companies are trying to retrofit these capabilities into existing systems. At the same time, we're seeing new CIAM software vendors in the marketplace that are building comprehensive, cloud-based solutions with rich analytics, CRM, and marketing capabilities built-in.
"It's going to be interesting to see what functions get baked into a CIAM product, and whether that supplants the movement of data through APIs to external existing, purpose-built, or cloud-based CRM and marketing related systems. From a business-to-consumer standpoint, CIAM is past the hype cycle. It's now in full blown implementation mode."