Protecting consumers in a digital age
The ongoing threat of global cyber attacks and the continuing occurrences of identity theft make us increasingly aware of the importance of protecting our privacy online. High profile incidents, including the worldwide cyber attack by the Wannacry ransomware in May 2017 and Yahoo’s data breaches in 2013 and 2014, have left us feeling vulnerable.
According to the latest Australian Community Attitudes to Privacy survey, 69 per cent of Australians are more concerned about their online privacy than they were five years ago – and 58 per cent would avoid dealing with a company if they were worried about the misuse of their personal information.
So protecting consumers’ privacy makes sound business sense. Trust and reputation are significant assets and once lost, are hard to re-establish.
However, consumer data is also valuable. In an age of big data analysis and artificial intelligence, it provides rich opportunities for increased revenue, as well as improved product design, customer experience and policy decisions.
This is the ongoing tug of war between open data sharing and individual control, between convenience and security, exploitation and protection. Striking the right balance requires businesses to:
Australians may soon be even more aware of security breaches, when the Data Breach notification legislation comes into effect in February 2018.
Public and private sector organisations governed by the Privacy Act will need systems in place to ensure they are aware of data breaches, and act on them promptly if the breach is likely to result in serious harm to the individuals involved.
They will need to notify any affected customers who are likely to be at risk of serious harm as soon as a breach is detected and then also report the incident to the Privacy Commissioner.
The transparency of the legislation will ensure information security is taken seriously. However, it will also require some judgment as to what amounts to a serious data breach.
NAB’s Acting Chief Privacy Officer, Saara Mistry, who spoke at a privacy awareness event hosted by Australia Post, said this comes down to “putting ourselves in our customers’ shoes, and asking what the consequences would be for them in a particular incident.”
But Telstra’s Chief Privacy and Compliance Officer, Jason Holandsjo, who spoke at the same event, noted that the new legislation is simply a “floor of obligations for all enterprises. If you’re a truly customer-centric organisation, you would already have a process in place if something does go wrong.”
Embedding privacy as part of an organisation’s culture is key to earning and keeping the trust of consumers. By applying privacy principles through every decision stage – from product development and marketing to legal and human resources – you can create a framework where security is part of the DNA.
At a minimum, organisations need clear opt-in and opt-out procedures. Consent needs to be informed – which means being transparent about what data is being collected, what it will be used for, who it will be shared with, and what rights the consumer has to their data.
In short, organisations should only request the information they need for a specific purpose – not what they want. Reducing the amount of data collected also reduces the risk of disclosing it inappropriately.
Privacy needs to be a preventative measure. If organisations wait for a breach to identify vulnerabilities, it’s too late. At the very least, virus and malware solutions need to be up to date, and a data retention procedure should be in place for securely destroying data when it is no longer needed or when consent is removed.
Although governments and businesses want to link and match data sets from third party sources to develop a richer understanding of our profiles and behaviour, consumers are still wary. The Australian Community Attitudes to Privacy survey found that although a third of Australians are comfortable with the government sharing their personal information with other government agencies, just 10 per cent are happy for businesses to do the same.
Strict security measures, such as encryption and protected ‘need to know’ access to third party data, can improve confidence in the way information is protected. But organisations also need to be completely transparent, and provide both choice and control.
This means privacy agreements need to clearly and succinctly answer questions such as:
- Why is the data being collected and by whom?
- Who else will have access to it? Will it be sold on?
- How will it be stored, transmitted and accessed?
- Will it travel across jurisdiction boundaries?
- Can law enforcement agencies or public authorities access it under specific circumstances?
- How can I opt out or have the data removed?
As devices become increasingly embedded in our everyday activities, and technology enables rapid and scalable attacks, meeting the different needs of both organisations and individuals will be increasingly complex.
We need to think beyond box-ticking compliance when it comes to privacy. And by making information security principles part of an organisation’s culture, it is possible to put consumer safeguards in place without limiting the potential and value of using their data.