Data protection: How privacy can be a benefit, not a burden
With the growing number of data breaches, consumers are becoming increasingly concerned about how their data is used. Organisations can take advantage of this trend by treating data protection and user privacy as product features.
Data privacy has been viewed as a burden that carries with it significant costs and few tangible benefits. This has been compounded historically by the aim of gathering as much data as possible about users, thus providing greater opportunities for monetising the data, such as through targeted advertising.
However, the market for privacy-friendly products and services is growing. “You do see more and more consumers looking at privacy settings and how companies are processing their personal data,” says Paul Breitbarth, director of strategic research and regulator outreach at privacy compliance software firm Nymity. “It will very much be an advantage for companies to process personal data in a correct and privacy-friendly manner.”
The monetisation of user data through targeted advertising, based on online behaviour, can be a major revenue stream for many organisations. But the administration and processing of data for such purposes can be expensive.
Since the European Union’s General Data Protection Regulation (GDPR) became part of UK law under the Data Protection Act 2018, data protection requirements have become much more rigorous. Before this, organisations could have irresponsibly offset the financial penalties for not complying with previous data protection regulations with the money saved by not investing in data protection policies. This is now no longer viable because the cost of a data breach is so much greater – in both tangible and intangible terms.
As well as the reputational damage that can result from data breaches, regulatory bodies, such as the Information Commissioner’s Office (ICO), can fine organisations that are found to be infringing data protection laws. In the case of the Data Protection Act 2018, organisations that are found not to have complied can be fined up to £17m or 4% of their global revenue, whichever amount is higher. But it could be argued that the naming of such companies causes just as much concern because of the reputational damage it can cause.
Given the number of high-profile data breaches in the past decade – from the Sony PlayStation Network (PSN) hack in 2011 to the LinkedIn data breach in 2016 – consumers have been increasingly aware of how valuable their data can be and the potential dangers from it being leaked.
A consequence of this is consumers being increasingly wary of buying products from organisations that have suffered data breaches. For example, in 2016, cyber security experts advised consumers not to purchase VTech toys for their children following the company’s handling of a data breach.
An example of the damage caused by a data breach occurred at the time that Yahoo was acquired by Verizon. In June 2016, Verizon announced that it would acquire Yahoo for $4.8bn. However, three months later, Yahoo disclosed that it had suffered a data breach in 2014, which affected more than 500 million user accounts – this was later revised to all of its three billion user accounts.
After the details of the breach were released, Verizon renegotiated the deal to $4.5bn, a drop of more than $300m, which was accepted by Yahoo. Also, Yahoo was later ordered to pay compensation and costs totalling $85m (£68m).
In response to growing concerns about user privacy, more and more successful organisations are leading the way by not monetising their user data. Nymity’s Breitbarth says: “Large data scandals, such as Cambridge Analytica in the UK, and the almost daily reports of massive data breaches, will make consumers more alert and more concerned about what is happening with their data.”
Apple has taken a notable stance in favour of user privacy, showcasing privacy-conscious features and settings in its conferences and promotional campaigns. When Apple released its iOS 8 operating system in 2014, it began encrypting the contents of all its iOS devices through users’ passcodes, making it impossible for the company to access customers’ data on their devices.
Rather than harvesting user data, Apple has chosen to focus on developing high-end consumer electronics. That said, its default search engine is Google, which does harvest user data. Also, some encryption specialists have criticised Apple for its encryption methods not being secure enough.
Profiting from data privacy
Another company profiting from data privacy is the internet search engine DuckDuckGo. While it still uses advertising as part of its revenue stream, it is not personalised and no user data is used for this purpose. Some may argue that the lack of personalised search results diminishes the user experience, but DuckDuckGo still exceeded a billion search requests a month in January 2019.
The key element for organisations embracing “privacy as a feature” is to actively promote these aspects. However, this should not eclipse the core functionality of the products. Privacy functionality can be marketed as an additional product feature, emphasising how the organisation respects its users’ data by not selling information to third-party suppliers.
One of the key advantages of an organisation embracing user privacy is to enhance its image and reputation. An organisation that is seen as protecting user data and respecting users’ privacy will undoubtedly be rewarded with customer loyalty. Simon Jeffrey, director of enterprise core solutions at NICE Systems, says: “If people are finding a certain bank is protecting them better, and they have not seen that bank all over the news with data breaches, they might feel they are more secure. Customers would be happier to pay to change to that supplier if they feel it is more secure.”
However, actual functionality will always be more important than data privacy. There have been several attempts to market products based purely on data privacy, such as the Blackphone by Silent Circle, but this is a challenging marketing strategy. Silent Circle was forced to make 15% of its workforce redundant in 2016 after sales of the first Blackphone were far lower than it had projected.
Seth Goldhammer, senior director of solutions marketing at LogRhythm, says: “The primary marketing that we perform is about how we recognise concerning activities and how we prioritise which one of those concerning activities warrants attention. Privacy is usually a secondary conversation.”
One of the core advantages of organisations choosing to not monetise their user data is that they save significant resources by not being required to invest in costly data processing and associated administration. Also, by not harvesting their users’ personal data, they save on hardware costs by not requiring as much storage capacity.
Another cost to be considered is that of ensuring an organisation’s data protection policies meet the requirements of regional data protection legislation. This can be high, especially if data protection consultants are employed. Such costs can be mitigated by taking a “spend-to-save” approach.
Employing consultants on an ad-hoc basis may be inexpensive in the short term, but over time, these costs will add up. Instead, where resources permit, organisations can invest in training their staff to become compliant with data protection policies. This may be costly initially, but the long-term savings should more than compensate.
Data protection rules must be understood
Amy Lawson, chief marketing officer at Mojo Mortgages, says: “Businesses don’t need to recruit large compliance teams or use external consultants; they need to make sure that the rules around data protection are fully understood across all areas of the business, to mitigate risk. Taking the time to do this upfront will reduce headcount in the long term, and will also help to ensure the business remains agile.”
Adapting an organisation’s approach to data privacy is likely to entail organisational challenges and some internal resistance. This is usually from some stakeholders within the organisation who do not accept the benefits of incorporating data privacy into corporate operations. Invariably, they can see only the cost burden, and the associated difficulties of implementing new policy, without appreciating the value that such intangible benefits can bring.
“Most privacy professionals understand the value of good privacy practices, but management is still concerned about the time and money spent on privacy and data protection,” says Breitbarth.
This lack of understanding can be overcome by educating an organisation’s key stakeholders on the value of such intangible benefits. Phil Slingsby, head of governance, standards and assurance at IT services firm GCI, says: “Providing the context behind why data protection is important, rather than just telling them, creates much better individual ownership. It also ensures data protection is embedded in the business, rather than being seen to be the problem or responsibility of a compliance or audit team.”
If possible, it is optimal for organisations to adopt such user privacy practices right from the start to keep disruption to a minimum.
Respecting user privacy, and no longer being able to monetise user data, obviously presents a greater challenge for some companies than others. Organisations that already incorporate multiple revenue streams into their business model can more easily balance not monetising user data with the reduced costs, alongside promoting their new user-privacy features.
Organisations that rely heavily, or in some cases solely, on monetising user data will face a significant challenge, because it will mean a greater shift in their business operations – but not an insurmountable one. One of the core challenges will be that consumers have become used to getting services for free online, such as social media and online news sites.
Paywalls (one-off payments to access content online) and other subscription-based online services (a monthly payment for regular access to content) have had mixed results. Web-based media companies such as Netflix and Spotify are perhaps best placed to adapt to privacy-friendly business models, as they are providing a physical service – access to the latest films and music.
Spotify, for example, offers a free service where users listen to adverts based on their preferences, as well as a paid-for service that is free of adverts. However, both companies rely on aggregating their content, based on users’ habits.
Alternative business model
An alternative business model is the one used by Avast, where home users can install the basic antivirus software for free, while those willing to pay for a premium service are provided with greater protection, including a ransomware shield and data shredder. Avast also offers enterprise-grade security packages that are designed to operate across a corporate network.
Data protection is being increasingly regulated around the world, but privacy has been found to have greater marketable value in some regions than others. LogRhythm’s Goldhammer says: “In the Americas in general, we do not hear a lot of questions around user privacy. Corporations will make a statement that what occurs on a corporate network is owned by the corporation. In Europe, and even pockets of Asia, we see strong arguments for privacy as part of user monitoring programmes.”
Many people feel that in the future, we will probably see more, and potentially conflicting, regulation around data protection. Breitbarth says: “We are not done with privacy legislation yet, as it is still being discussed in Europe, and the GDPR is far from perfect. We may see some updates from there as well, especially after the first evaluations in the coming years.”
With the number and scale of data breaches increasing every day, consumers are becoming ever more aware of the value of their data and the cost to them if it falls into the wrong hands. This awareness is leading to data privacy being viewed as an increasingly valuable commodity. Staying ahead of the growing trend for privacy, as well as pre-empting customers’ concerns, can deliver genuine competitive benefits.