Until very recently, individuals appeared happy to offer unfettered access to their personal information in return for free services such as messaging, fitness apps or music. As a result, privacy was viewed by most organizations as a regulatory inconvenience and personal data was treated as just another corporate asset.
Indeed, in the run-up to the General Data Protection Regulation (GDPR) that went live across Europe in May of this year, the prevailing sentiment of organizations was to do the minimum necessary to comply with the regulation, often just with a few spreadsheets. Microsoft Excel probably has a 99% market share of privacy-enabling technologies!
However, I have a sense that the genie is now out of the bottle and major digital disruption is gaining momentum as I write.
Regulation is the catalyst but transparency is the driver
Updated privacy regulations such as the GDPR are being implemented in over a hundred states and countries around the world. But it’s not the complex regulatory environment per se which should grab our attention – rather it’s the transparency that it is imposing on businesses. For example, breach events which were previously unpublicised are now being forced into the public domain. Whilst these will be subject to regulatory fines, some of which might be quite severe, of greater concern for these businesses is that their reputations are being tarnished, their shareholder value eroded, and their top executives given their marching orders.
Knowledge is power, and individuals are starting to reassess the benefits of sharing their data. Hot on their heels is an army of class action lawyers hoping to pick up on any transgressions.
These shifting attitudes to privacy are creating new fault lines in the digital landscape in much the same way that streaming has done to the media industry and fintech to the world of banking. By the time that it was recognized as a threat, for many it was already too late. CEOs can no longer afford to ignore privacy and rely on the compliance department for a superficial paint job.
In short, privacy has become a strategic business issue. Yes, the fines for non-compliance are big, but that’s not what is (or at least, what should be) pushing it to the top of the C-suite agenda.
Understanding the value proposition
Instead, it’s the impact and the value proposition that good personal data governance entails.
The Cambridge Analytica scandal at Facebook highlights how a data breach at a small, obscure partner organization can cause massive damage to both market capitalization and business reputation for the principal. Facebook has the resources to contain the situation, but, for many businesses, such an event would represent an existential threat.
As individuals start to reassess the benefits of sharing their personal data, the market for this data will become increasingly competitive and only organizations that can demonstrate they can be trusted and offer value will be the winners.
In contrast, those that offer no more than recycled platitudes as an apology for a breach event, or respond to access requests using a regulatory template, will be marginalized.
Put another way, the current ‘surveillance by design’ culture – with value derived from behavioral tracking – will move towards the inverse ‘privacy by design’ approach. Transparency and privacy will generate greater value.
That value proposition shines through to the business cases that organizations are using to determine their level of investment in data governance technologies and platforms. A business case for new privacy technologies that headlines on mitigating fines or automating regulatory reports is the clearest signal to the CEO that they are tracking in the slow lane. Instead, the focus has to be on enabling the business to thrive in a transformed digital trust environment.
The world has changed
Businesses will have to take a different approach to how they manage personal data in this brave new world. This requires both a technological and cultural shift which must be driven from the top. Only when they have proved themselves to be a reliable and trustworthy data guardian will individuals be willing to provide the personal data that they now know (or at least, are beginning to grasp) has so much value.
And that means CEOs are going to have to stand at the forefront of this transformation and drive their organization’s next steps. They will have to demonstrate to stakeholders (partner organizations, regulators, staff, and customers) that their business has the right level of processes and standards in place to ensure personal data is treated like the gold dust it is. It doesn’t belong to the company – it belongs to the individual. It’s not a nice-to-have, it’s a strategic business necessity.
