Privacy within the digital transformation: four major principles

Cybersecurity and digital trust


Ensuring respect for privacy in a digital world requires integrating it not only into every project, but also into every company culture. This approach will also facilitate compliance with new regulations in the respective countries.

This blog post is part of a series of articles drawn from a synthesis on Privacy at the digital age published on our website.

Many projects aim at digitalising business processes and customer relationships in order to optimise existing processes, introduce customer proximity or offer new services.

The following examples, based on Wavestone’s consulting experience, illustrate such trends. Historically, postmen, meter readers and service technicians have worked with paper (address databases, meter-reading or maintenance documentation). Work is organised according to the tasks to be performed and can usually be carried out alone and independently throughout the day, before information is collected and consolidated at the end of a work shift.

The dematerialisation of such paper-based processes is intended to help organisations or agents in their activities by collecting data, better organising the work to be performed and sequencing tasks. This digitalisation process occurs in different sectors for specific purposes. For example, in the energy sector, smart meters create innovative opportunities around energy saving and fraud management through the collation of consumption data. In the insurance sector, accumulating data on customer preferences enables the personalisation and customisation of services and the development of additional offerings.

Such developments require the collation and manipulation of masses of personal data.

Cybersecurity alone is not sufficient for protecting digital privacy

To protect the personal data so crucial to the digital market, organisations pursue cybersecurity measures, such as secure transfer protocols or data encryption. However, we may question whether such measures are sufficient as concerns over data misuse, profiling and automated decision-making intensify.

An IT security-oriented approach alone is not sufficient. To address fears over respect for privacy, it is essential for organisations to reassure individuals by guaranteeing that their data will not be manipulated without their prior knowledge and against their will.

Four Major Principles

The following guiding principles are to be applied in the collation and use of personal data:

1- Communicate transparently and explicitly,

informing individuals on the data that is collected about them even if not directly obtained from those concerned. Our survey essentially illustrates this meaning of privacy to citizens: what kind of information is accessible about me, and to whom? It also means sharing the reasons behind data collection and the intended usage. Under no circumstances should data be collected without the purpose of collection disclosed to the persons concerned. Recent sanctions from regulators have illustrated that such activity is always exposed in the media, with heavy reputational impact and lost customer confidence often the damaging consequences. Building a relationship of trust takes years, whereas losing it only takes minutes.

2- Minimise the collection and storage of personal data

Less data collected about an individual means a lower risk of unauthorised and non-compliant use. For existing data, it is possible to process data while minimising risks through the use of “declassifying” techniques such as anonymisation, pseudonymisation (replacing direct identifiers with “codes”), randomisation (randomly generated data which retains the statistical value but conceals the origin) or generalisation of data sets.

Regarding data sharing and exchange, mathematical methods facilitate the exchange of data between two organisations, whilst ensuring data anonymity. When selecting such methods, it is important to assess their limitations. A poorly executed “sensitivity reduction” can still lead directly back to the source of the original data. For example, this can involve deleting the name but keeping the date of birth, place of birth and address.

Such methods enable organisations to optimise the customer relationship in two ways: by providing a better understanding of the digital customers’ profile and by demonstrating respect for customer privacy. This is the path chosen by Apple through the concept of differential privacy to differentiate itself from competitors Google and Microsoft.
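The poorly executed “sensitivity reduction” described above can be measured before a data set is shared. The following is an added example, not part of the original article: it pseudonymises constructed records with a keyed HMAC (one possible way to generate the “codes”), counts how many records remain unique on date of birth, place of birth and address, and repeats the count after generalisation. All records, field names and the key are assumptions made for illustration.

```python
import hashlib
import hmac
from collections import Counter

QUASI_IDS = ("dob", "birthplace", "address")

# Constructed sample records (fictional people); "kwh" is the useful payload.
RECORDS = [
    {"name": "A. Martin", "dob": "1981-03-12", "birthplace": "Lyon",  "address": "4 rue Verte, Lyon",   "kwh": 310},
    {"name": "B. Durand", "dob": "1984-07-01", "birthplace": "Nice",  "address": "9 quai Sud, Lyon",    "kwh": 275},
    {"name": "C. Petit",  "dob": "1987-11-23", "birthplace": "Lyon",  "address": "2 place Haute, Lyon", "kwh": 402},
    {"name": "D. Leroy",  "dob": "1992-01-30", "birthplace": "Paris", "address": "7 rue Basse, Paris",  "kwh": 198},
    {"name": "E. Moreau", "dob": "1995-05-17", "birthplace": "Lille", "address": "1 avenue Est, Paris", "kwh": 350},
    {"name": "F. Simon",  "dob": "1999-09-09", "birthplace": "Paris", "address": "3 cours Nord, Paris", "kwh": 221},
]

def pseudonymise(record, key):
    """Drop the name and replace it with a keyed code (HMAC-SHA256, truncated)."""
    out = {k: v for k, v in record.items() if k != "name"}
    out["code"] = hmac.new(key, record["name"].encode(), hashlib.sha256).hexdigest()[:16]
    return out

def generalise(record):
    """Coarsen quasi-identifiers: birth decade, suppressed birthplace, city only."""
    return {**record, "dob": record["dob"][:3] + "0s", "birthplace": "*",
            "address": record["address"].rsplit(", ", 1)[-1]}

def qi(record):
    """Tuple of quasi-identifier values used to group records."""
    return tuple(record[q] for q in QUASI_IDS)

def k_anonymity(records):
    """Size of the smallest group of records sharing all quasi-identifier values."""
    return min(Counter(qi(r) for r in records).values())

def relinkable(released, auxiliary):
    """Codes that a list holding names plus the same fields pins to one person."""
    groups = Counter(qi(r) for r in released)
    names = {qi(a): a["name"] for a in auxiliary}
    return {r["code"]: names[qi(r)] for r in released
            if groups[qi(r)] == 1 and qi(r) in names}

KEY = b"constructed-demo-key"  # assumption: a secret stored apart from the data
released = [pseudonymise(r, KEY) for r in RECORDS]  # name removed, fields kept
coarse = [generalise(r) for r in released]          # fields generalised as well

if __name__ == "__main__":
    print("k, names removed only:", k_anonymity(released))
    print("re-linked by a join:", len(relinkable(released, RECORDS)))
    print("k, after generalisation:", k_anonymity(coarse))
    print("re-linked after generalisation:", len(relinkable(coarse, RECORDS)))
```

A smallest group size of 1 means at least one record is still singled out by the retained fields, however strong the code that replaced the name.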

3- Ensure individuals are in control of their personal data

not by generating value through the access to data, but rather by providing individuals with control over their data, allowing services to develop based on their needs.

This approach, labelled “self-data”, can be applied in the context of an energy consumption optimisation project, an example of which is to ask customers to indicate the temperature in their homes to record the potential cost savings associated with heating reduction. An individual will then be informed of the potential cost savings by autonomously using and managing a self-data Cloud platform, connected to his personal equipment to enable the cross-analysis of data through consultation of his digital thermometer and energy bills.

Use cases for self-data are also subject to research in the insurance sector, with some insurance companies contemplating the complete removal of client spaces to instead install them on self-data Cloud platforms. The insurer will then have access to the data belonging to his client but will no longer own that data. Beyond self-data, such trends may even lead to the “Green Button” mechanism where individuals explicitly validate access to their data at any time. This principle, albeit difficult to implement in practice, can be restricted to particularly sensitive data, such as health data.

4- Implement a win-win model

by clearly demonstrating the benefits generated by collecting and using data, not only for the organisation but also for individuals. Such benefits can be shared with customers through various means, such as additional services, rebates and compensation.

This approach may even ease the adoption of new uses in an environment where increases in market share carry significant impact.

Ultimately, we can identify several levers for building a virtuous circle of trust, in which an individual’s data is used with respect and for the purpose of increasing the level of confidence.