As organizations look to improve the consumer experience and secure the competitive advantage associated with brand trust, it’s important that they use consumer information in the most appropriate way.
With the increased digitization of public and private sector services and rising expectations from customers, organizations now have access to more user data than ever before. And as privacy concerns and regulatory scrutiny grow, the importance of knowing and understanding your data is paramount.
Under a growing number of data privacy regulations across the globe (the General Data Protection Regulation for European citizens, the California Consumer Privacy Act in the US and the General Personal Data Protection Law in Brazil, to name a few), consumers have gained legal rights to support increased visibility, transparency and control around the data organizations have gathered about them. This has helped consumers make informed choices about the companies they interact with.
With regulators imposing harsher penalties for insufficient oversight for data privacy, organizations need to break down siloes and create a shared and secure single source of truth for customers — a digital identity.
The emergence of a digital identity
A digital identity is a way to identify someone electronically and confirm they are who they say they are. With a secure digital identity, organizations get a standardized, interoperable approach that can help reduce risks by eliminating redundant points of failure for authenticating a customer’s identity.
As it stands, the digital identity model is fragmented, with different public and private entities managing identity in their own silos. This can lead to a frustrating and disjointed digital experience and expose users to risks. (But digital identity isn’t something any single jurisdiction can solve on its own. Public and private sectors should work together to realize the vision of a secure digital identity infrastructure.)
When the topic of digital identity comes up, people often raise concerns about privacy. But let me assure you that, when implemented correctly, digital identity can enhance privacy. Organizations just need to have the right safeguards in place.
While some may question whether digital identity will compromise individual privacy rights, risks can be mitigated by architecting systems to help minimize the amount of transaction data collected as part of identity verification.
By establishing clear privacy principles upfront, you can embed the necessary protections into these systems.
Enter privacy by design, at the ground floor
Data privacy should not be addressed as standalone, and it also cannot be assured solely by compliance with regulations. Privacy should become the default and be embedded into any solution’s foundation — into the design and operation of IT systems and business practices to help prevent privacy vulnerabilities.
Enter privacy by design, a philosophy to design core privacy principles into the technology themselves from the start. It requires digital IDs to be engineered and designed with built-in data minimization rules in place “by default”. It’s also about being proactive and not reactive: anticipating risks and preventing invasive events before they happen.
In fact, it’s a core component of a broader customer data and analytics strategy, which can help maximize privacy protection and lead to new growth opportunities. This approach can also help build digital trust with end users and drive widespread adoption, and has the required scale to deliver many of the benefits of digitization.
There are several key topics that have emerged around the topic of privacy and digital identity:
- Putting privacy on the board agenda: Privacy governance is more prominent than ever. Boards are now looking at the impact of these privacy concerns and acknowledge that managing digital identities is a matter of corporate governance. From a board perspective, the consequences of an identity-related breach include potential legal liability, regulatory sanctions, brand damage and the theft of intellectual property and sensitive information.
- Reducing overcollection: The more data you have, the more your risk can increase. As a result, overcollection — and over-retention — of data has been a top concern. Recent regulations have prescribed rules about data minimalization, ensuring that a business can only ask for the minimum amount of data required for a given transaction Now, more attention is being paid, because if regulators come to your door, you need to demonstrate compliance. And not only is data overcollection unsafe, it’s also a hassle; users are put into a position to reshare the same data with different institutions, introducing privacy risks that can potentially expose individuals to unnecessary profiling and tracking.
- Finding privacy champions: Resourcing around privacy has become an extreme challenge. It’s important for organizations to foster privacy champions. And without staff, it’s hard for champions to live on the front lines.
- Determining “where privacy lives”: There’s also been a shift in thinking as to where privacy should live within an organization. This opens the door for the chief privacy officer (CPO), who is responsible for how personally identifiable information is collected, stored, shared and transmitted, and ensuring regulatory compliance.
- Anonymizing data: There’s a new focus on data anonymization — the act of processing data so it’s irreversibly de-identified. According to KPMG in the US’s data privacy survey, 48 percent of the American population would be more comfortable with companies collecting and using their personal data if it was made fully anonymous. But some organizations are struggling with it. What’s more, incomplete anonymization may result in re-identification as the data is combined with previously collected, complex data sets, including geo-location, image recognition and behavioral tracking.
Have you considered where identity fits into your digital consumer experience?
Now is an optimal time to revisit leading practices around data management as a fundamental building block to privacy compliance. If it’s done right, the world can be securely connected to the digital economy and organizations can take meaningful action to build consumer trust.