In my last couple of articles, I introduced a business strategy that Gartner calls ContinuousNEXT – an evolution of what we now call ‘digital transformation’ into a business that is constantly able to adapt and change. I’d like to continue on this theme for a few more articles and in this one I will focus on data privacy and how it can be continuously improved.
Data privacy is a big concern for many customers. According to a PwC survey, only 25% of customers believe that most companies handle their sensitive personal data responsibly. More importantly, 87% of those same respondents say they will take their business elsewhere if they don’t trust that a company is handling their data responsibly.
Europe already has its General Data Protection Regulation (GDPR), which is far more rigorous than any of the standards applied in the US – although things are changing. The California Consumer Privacy Act (CCPA) became law this year and various states are working on their own legislation, starting with the New York SHIELD Act. The regulation of data is changing quickly in the US, and American companies that have customers overseas need to be aware of local regulations.
GDPR provides a useful framework for companies to follow. It defines how you should be looking after customer data, when you should delete it, and your responsibilities if there is ever a data breach – accidental or through the activities of hackers. In summary, it forces companies to explain why they are asking customers for their data and what they intend to do with it.
The IBM Security Institute estimates that the average cost of a data breach in 2018 was almost $4m, up 6.4% from 2017. This figure covers lost customers, compensation to customers who are directly affected, and damage to your reputation. Then there is the fine from the regulator. While you are trying to rebuild your business after a data breach, the European regulator can fine you up to €20 million (USD$22m) or 4% of the annual worldwide turnover of your company, whichever figure is greater. Recently Google was fined €50 million (USD$55m) in France, British Airways was fined £183 million (USD$239m) in the UK, and Marriott International suffered a £99 million fine (USD$129m).
For all these reasons (the changing regulatory environment, increasing expectations from customers, and the growing security threat), the only safe option is to be continuously assessing and improving your data security and privacy standards. This is one area of your business that is never going to stand still: regulators and customers need to be monitored constantly so you can keep meeting their expectations.
I believe there are five key arguments to consider when planning how you should move to a continuous improvement of data security standards:
1. GDPR enforcement will pick up momentum. We have already seen American firms like Google receiving serious fines from Europe. If you do (or plan to do) business in the EU, then compliance with GDPR is essential.
2. US data privacy is coming. As mentioned, California and New York are already implementing measures, and other states will follow soon. You need to take this legislation seriously. Apple CEO Tim Cook asserts, “We will never achieve technology’s full potential without the full faith and confidence of the people who use it.”
3. The C-Suite will soon include a Chief Identity Officer. We used to see a Chief Digital Officer leading digital transformation programs, but now many companies will see the need for a Chief Identity Officer to codify policies and practices in the digital privacy, compliance, and security domains.
4. Organizations need to plan rational data retention policies. What are you doing with all the customer data you collect? When is it retired? When are customers removed? When Anthem suffered a data breach in 2015, 78 million customer records were compromised, yet the healthcare provider only served 69 million customers – even former customers were exposed.
5. Supplier contracts need to be reviewed. Given the domino effect that many observers anticipate GDPR having outside the EU, it’s a good time to review your partners’ policies, procedures, and security controls to ensure that you don’t have any unwelcome surprises down the road.
Even this short list should make it clear that your data privacy strategy needs to be continuously improved. With regulators and customers constantly requiring improvements and security threats constantly changing, the only way to protect your customer data is to build a strategy that seeks to constantly improve how you manage it. ContinuousNEXT is an excellent framework that addresses the reality of how data privacy needs to be managed today.