The longstanding tug-of-war over customer data privacy recently hit a tipping point – leaving far too many organizations flat on their heels.
We first saw this shift in mid-2018, when the EU General Data Protection Regulation (GDPR) officially came into effect, including provisions that provide EU citizens with control over how companies can use their personal information.
Then just months later, we learned about data breaches – massive in both size and scope – at U.S.-headquartered Facebook and Marriott. Facebook has long been scrutinized for the vast amounts of personal information that fuels its ubiquitous social platform. Now, hospitality customers are also thinking about all that data that makes frictionless guest experiences and loyalty programs possible.
According to a PwC survey, only 25% of customers believe that most companies handle their sensitive personal data responsibly. Moreover, 87% of respondents say they will take their business elsewhere if they don’t trust that a company is handling their data responsibly.
It’s also worth noting that the survey was conducted before the Facebook and Marriott hacks were even announced.
What does this mean for your business?
Plan for greater accountability and oversight
We just took a look back at events that are bringing conversations about the future of customer data privacy and protection into the blinding light of day. The PwC report succinctly summarizes the challenges of here and now:
“If your customers don’t trust you to protect their sensitive data and use it responsibly you’ll get nowhere in your efforts to harness the value of that data to offer customers a better experience.”
You’re probably all too familiar with the rule of thumb when it comes to customer trust: It’s hard to win, and a lot easier to lose. We’re still in the early days of changes in regulations, accountability, and strategies that companies will pivot to in order to avoid protect reputation – and indeed, revenue. Here are some predictions that I think will help you navigate the change ahead:
- GDPR enforcement will pick up momentum In 2019. Google has already been fined $57 million (which the company is appealing) for, among other things, making its agreement terms obscure and difficult to access and burying its opt-out options. If you do (or plan to do) business in the EU, your organization needs to be in compliance.
- The U.S will see its own data privacy regulations. With the California Consumer Privacy Act of 2018, many tech companies actually embrace the idea of having consistent guidelines, rather than a patchwork of standards. Apple CEO Tim Cook asserts, “We will never achieve technology’s full potential without the full faith and confidence of the people who use it.”
- The Chief Identity Officer will enter the C-suite. Remember when organizations added Chief Digital Officers to lead digital transformation – in turn, leading to the need for Chief Data Officers, to explain, organize and exploit the value of data? Many companies will see a need for a Chief Identify Officer to codify policy and practices in the digital, privacy, compliance and security domains.
- Organizations will need rational data retention policies. During Anthem’s 2015 data breach, 78 million records were exposed, yet the healthcare provider and its affiliates only served 69 million customers; the remainder were likely former customers. Such lack of oversight sets organizations up for risk and stiff fines.
- Your supplier contracts will need to be re-examined. Given the domino effect that many observers anticipate GDPR having outside the EU, it’s a good time to review your partners’ policies, procedures and security controls to ensure that you don’t have any unwelcome surprises down the road.
We just finished observing the 12th annual Data Privacy Day – but recent events have underscored how there’s still considerable work ahead to ensure that we’re hitting the moving target of delivering customers meaningful experiences while protecting their personal information.