By Mary K. Pratt
Contributing writer, CSO |
The way Yaron Cohen sees it, companies today must do in the digital world what came naturally to neighborhood merchants who saw their customers every day. “In the old world, when people used to go to the corner store and meet the same shopkeeper every day, he’d know their tastes and what they’d buy and would personalize the experience for them,” says Cohen, a user experience researcher focused on digital strategy.
“But now we’re in a place where everything is mechanical. In the world of e-commerce there’s no human connection, and so to understand that customer, you have to collect data. This is where privacy problems start.”
Organizations of all sizes and stripes are collecting increasing amounts of data on individuals as they seek to create better customer experiences and deliver personalized services. A study of 1,000 executives from Skynova, which offers online invoicing for small businesses, found that 86% of the 1,000 business owners and executives it surveyed gathered data from its customers. It found 75% of businesses with fewer than ten employees did so, compared to 93% of those at organizations with 100-plus workers. The study also showed that 64% collected data on their customers from their social media sites.
Yet collecting and using all the data creates problems, as Cohen points out. Organizations risk the data being stolen in a cyberattack, and they risk collecting or using data in ways that run afoul of the myriad data privacy laws that have emerged in recent years around the globe.
They also risk alienating the very individuals they’re trying to serve with their data-driven user experience (UX) initiatives. A 2021 KMPG survey brings that dichotomy into focus. It found that 70% of the 250 business leaders surveyed said their companies increased collection of consumer personal data during the prior year. Yet 86% of the 2,000 general population respondents said data privacy is a growing concern for them, 68% said the level of data collection by businesses is concerning, and 40% don’t trust companies to use their data in an ethical manner.
Business leaders seem to be taking note: KMPG found that 62% agreed that their companies should do more to strengthen data protection measures. Enterprise executives are now trying to determine how to create policies and practices that guarantee they have and can use the data needed to enable UX – including personalized digital interactions and services – while also safeguarding user privacy and data security.
Getting that balance right is non-negotiable, says Damon McDougald, global digital identity lead with professional services firm Accenture. “Consumers are concerned about the data that they have to provide to get a service, where that data goes, and whether that data stays with the company,” McDougald says. But at the same time “a good customer experience and a bad customer experience is the difference between keeping or losing customers.”
There is, of course, no magic formula to calculate the right balance, but UX and privacy experts say executives can take to find the proper trade-offs between enabling user experience and supporting data privacy.
Karena Man, a technology consultant who leads the data practice and the West Coast Tech Officers practice at management consulting firm Egon Zehnder, says security and privacy execs should anticipate pushback from some of their business-unit colleagues as they seek to implement and enforce data protection measures. Product leaders, marketing managers and others will “feel like you’re removing arrows in their quivers,” Man says, noting that security and privacy chiefs are still often seen as the hall monitors trying to lock down data.
To counteract that reputation, she says security and privacy heads should work with their counterparts in products, marketing and sales to understand UX and customer journey concepts. “The chief security officer needs to think of him or herself as a business leader with [subject matter expertise] in risk, security and compliance and as someone who can think through how to enable the business to grow,” she adds.
McDougald agrees, saying it’s overdue. “A lot of organizations are siloed and talk to each other very infrequently; I’m not seeing a lot of conversations happening,” he says. But defining what tradeoffs between enabling a great user experience and maintaining the right privacy levels requires a host of executives to work together. “It’s imperative that the security organization partners with the product owners and the lines of business to help them understand privacy needs and meet those requirements.”
At the same time, Rebecca Herold, CEO of The Privacy Professor, a consultancy, says security and privacy chiefs need to help the business-unit heads understand the complexity of data regulations. Herold says she has worked with organizations where business leaders make faulty assumptions about what data they can use in which ways. For example, she says she has met marketers who believed user information they obtained from online sites was public and therefore not personal data that required privacy protections by law.
“Those outside of the security or privacy office often don’t know what data they have that could be considered as personal, or they may be using it in ways that they don’t realize creates risk or violates regulations in the name of customer experience,” explains Harold, who also serves on the Emerging Trends Working Group at the professional governance association ISACA.
Collaboration, experts say, helps all stakeholders – security, privacy, risk, legal, marketing, sales, products – better align the UX activities with privacy rules. “It helps make sure the privacy policies are supported by whatever they’re doing in user experience,” Harold says.
Additionally, cooperative efforts allow teams to be more deliberate about determining the data they need rather than gathering whatever they can, a distinction that can reduce risk by keeping data collection, storage and use to the minimum necessary.
Cohen says that cooperation also creates more opportunities for the stakeholders to develop, articulate and enable user-facing requests for data – in other words, opt-in and opt-out features – something that some laws, such as the European Union’s General Data Protection Regulation (GDPR) requires.
Cohen says he believes organizations should present users with clear, understandable details about what data is being collected and how it’s being used. He also says organizations should create easy-to-use opt-in and opt-out features which allow users to select varying degrees of data-sharing – and to correct wrong data– throughout the data’s lifecycle. It’s about “legibility, agency and negotiability – and taking these three guiding principles and designing a system around them,” he says.
Cohen and others say they see more enterprise executives paying attention to such issues. A 2022 Pulse Survey on managing business risks from professional services firm PwC shows that cybersecurity and privacy as well as customer experience are indeed receiving similar attention from the executive suite, with 49% saying they’re increasing investments in the former area and 48% boosting spending in the latter.
“It’s absolutely on companies’ minds,” Man says. That in turn has made stakeholders outside of the security and privacy functions receptive to incorporating parts of those disciplines within their own work, according to experts.
For example, Herold says she has run tabletop exercises with marketing pros, who walked through UX ideas and the data they’d need to enable them while she helped them learn to analyze for potential security risks and privacy violations. “You’re then providing them with training that they can use,” she says.
Herold also recommends security and privacy teams teach other stakeholders to conduct privacy impact assessments on proposed UX initiatives so they can catch issues early and course correct. “They can still do the user experience, but they’re doing it in a way that also protects privacy,” Herold says.
Meanwhile, Man says she worked with a CISO at a content company who taught the product team how to conduct threat modeling, which they now use when developing new features to identify privacy issues that could violate any regulations or enterprise policies. “This allows them to think about the risk they’re opening up and weighing it against the features they’re trying to enable,” Man explains.
Man says the CISO was able to get the product team to adopt this approach in part because she had appealed to its “sense of stewardship,” noting that the team wouldn’t want its work to be the cause of a breach or a regulatory action. “That approach,” Man adds, “is something that really resonates.”
Copyright © 2022 IDG Communications, Inc.
Copyright © 2022 IDG Communications, Inc.
Collaboration is key to balance customer experience with security, privacy – CSO Online
By Mary K. Pratt