Blog article

See all stories »

Channels

Group

External | what does this mean?

This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.

Data privacy – the new Normal in Digitization

The raising prominence of Data privacy:

As per the market stats published by Statista, the amount of data/information generated, gathered, copied, and consumed is expected to reach 180 zettabytes by 2025!

And a majority of the data generated is on customer and customer only! All of this can be used to infer valuable insights and patterns on the customer and also be used to predict customer lifecycle, thereby attracting more business.

No wonder “data is the new oil”. It is only fair to say that the power of data is yet to be fully unleashed.

On the other hand, the way the data is collected, used, and disseminated has come under tremendous scrutiny as the lack of oversight and security has led to unauthorized access and usage of sensitive information.

The constant grievance of the customers is that they don’t have a view of the data collected by organizations and the usage of the same. In many cases, the data is used/shared indiscriminately and this has led to many risks for the customers as well as reputation damage to the organizations involved. All of this has led to an increased clamor for Data privacy and data security.

What is being covered in Data privacy regulations:

Driven by the concerns of data misuse, Data privacy regulations are now being rolled out in many countries across the world. GDPR in European Union, POPI in South Africa, CPPA in Canada, and CCPA in California, VCDPA in Virginia to name a few are leading this change. While there are Data privacy/protection regulations for each jurisdiction, some of the common themes across all of these are as below:

Data Collection: To follow a minimalistic approach for data collection, capture only the essential information. Predominantly, all these laws cover the interest of individual data namely, Personally Identifiable Information (PII) and Personal Health Information (PHI).
Consent: The customer approves whether they agree with the information that has been collected and the purposes for which the information is proposed to be used
Data de-identification: Customer data should be de-identified during rest as well as in transit. This can be through techniques like masking/encryption
Data dissemination: The data is made available only for the relevant purpose as approved by the customer and is made available only to authorized people
Modification and Deletion: Every individual has the right to request for amendment of the data and deletion. The organizations are expected to completely remove the traces of the customer data as the customer has the “right to be forgotten”
Portability: If the customer would like to move to another service provider, it should be facilitated
Notification of breach: In case of any breach of data protection, say any unauthorized access or breach of confidence, this should be reported by the organizations. Organizations are also expected to have a dedicated owner for Data protection
Penalties: Any violation of data privacy requirements leads to severe penalties and can lead to reputation risk as well as business risk. For example, Amazon was fined to the tune of $877 million by Luxembourg for non-compliance with GDPR.

What is in it for businesses:

The flurry of regulations in the Data privacy field and the implication of financial penalties has led to the increasing importance of this subject in software development. In a nutshell, the responsibilities of organizations now expand to cover the data privacy of customer information.

Some key principles that can be imbibed to handle this requirement include:

Privacy strategy: At the organizational level, a Privacy strategy covering the objectives and the scope are essential. It is important to understand to know the answers to what, why, where, and how of Data privacy, namely what data needs to be protected, why is it important from a business perspective, where is it likely to be stored, and how to roll out the privacy mechanisms. The answers to these questions would set the direction for the tools, process, and people involved.

Privacy by design: While the Privacy strategy is needed at the strategic level, at the operational level, “Privacy by design” is a must-have. As GDPR rightly points out, Privacy should be considered as part of the stated requirements and factored in early at the analysis and design stages and not considered as an afterthought. Privacy has to be factored in at every stage of the software/ product life cycle to cover the approach for storage, de-identification, level of access, and so on. It should be an inherent part of the impact analysis.

People power: Software is not the solution to every problem! People and processes need to go hand in hand to ensure that the software is built and used for the right purposes. With Data Democratization being the need of the hour, with democratization comes huge responsibility too. Hence it is of utmost importance that every employee understands the implications of data breaches and acts responsibly. Designated Data protection officers and regular Data privacy audits would help reinforce the process.

The future of Data privacy:

Data Privacy is being influenced and shaped by emerging macroeconomic and social changes.

For instance, Gartner predicts that by year-end 2024, around 75% of the world’s population will have its PII data covered under modern privacy regulations. This trend would influence the Data privacy strategy as the nuances of multi-jurisdiction impact will need to be factored in, especially when the data lies distributed across multiple countries.

From a social perspective, the behavior patterns of GenZ customers need to be factored in. Considering their penchant for ease of use, their caution, and their preference for better authenticity needs to be balanced.

As AI becomes all-pervasive, it is also seen increasingly as a double-edged sword in the case of Data privacy. While there is an accusation that increased use of AI can unobtrusively collect more than required customer data, Forbes has sighted that when designed well, AI can be non-intrusive and isolate the PII from the buyer’s behavior and buying patterns thereby mitigating data privacy risk without impacting business needs.

Overall, Data privacy is here to stay and would be one of the critical success factors for any business to succeed. Rather than seeing Data privacy as a cost center and an overhead, approaching it as a trump card to win would be an intelligent move. When harnessed carefully, it can be used as a powerful tool to reinforce customer confidence and help build a strong foundation for customer loyalty.

2349