As consumers’ views on personal data evolve, it’s time to re-think data privacy
By Kris Lovejoy, Global Consulting Cybersecurity Leader, EY
Today organizations are standing at a crossroads when it comes to data privacy. In one direction, a series of high-profile data breaches and scandals in recent years has eroded consumers’ trust in organizations and led to them becoming ever more vigilant about their privacy. This consumer vigilance, combined with a regulatory drive to tighten the rules around the handling of personal information, has led to organizations becoming increasingly risk-averse about monetizing their customers’ data.
In the other direction, however, the outbreak of the COVID-19 pandemic has revealed a willingness among consumers to share their personal data, if doing so is in the public benefit or if it brings them advantages such as discounts or tailored services. This suggests that many organizations could monetize their data more effectively than they are doing at present, provided they approach it in a way that aligns with both their own purpose and consumers’ expectations.
In light of these mixed messages, what is the right direction to take regarding consumers’ data privacy? The EY Global Consumer Privacy Survey 2020 suggests that organizations need to take a balanced approach to data privacy, which recognizes consumers’ vigilance regarding their data, as well as their willingness to share it in certain circumstances.
A trend in consumer vigilance
As it turns out, in the current environment of breaches and the pandemic, consumers are much more aware of the personal data they are sharing now. In fact, more than half (54%) of the consumers who responded to our survey said they are more aware now of the personal data they’re sharing than before the pandemic. It is not just a health crisis that has driven awareness. Other developments, such as how some media platforms may be linked to exerting influence over current events and legislative change, including the European Union’s General Data Protection Regulation and the California Consumer Privacy Act, are also sharpening the focus on awareness. We also found that, generally speaking, younger generations are much more aware of their privacy rights, and the implications of sharing data, compared with older generations. For example, in the past six months, 45% of Millennials and 49% of Gen Z have always or often shared COVID-19 health data with an organization, compared with just 21% of Baby Boomers.
In fact, trust in how data is being collected and shared has been a concern for some time, and the survey revealed that this trend is set to continue. Significantly, the majority (56%) of consumers said that their trust in an organization’s ability to collect, store and use their data would be damaged if the organization shared that data without their overt consent. Almost half (48%) said they would lose trust in an organization if it suffered a data breach or a cyber-attack, while 43% would become mistrustful if an organization asked for data unnecessarily.
Data monetization is another topic of concern that emerged from the results, and the findings offer some invaluable insights into how organizations can build sufficient trust with consumers to be able to monetize their data effectively. Significantly, the most important considerations for consumers when sharing personal data with an organization are secure collection and storage (63%), followed by control over what data is being shared (57%), and trust in the organization itself (51%). And an organization’s ability to counter data breaches and cyber-attacks ranks second as the factor most likely to boost consumer confidence.
Meanwhile, consumers are actively educating themselves in the area of data privacy. The findings indicate that in the six months prior to the survey, 45% of consumers had taken the time to understand how a company uses their data, 36% had willingly shared health data related to their COVID-19 status, and the same proportion had chosen not to provide personal data or asked an organization to remove their data due to reputational concerns around its usage. As a result, organizations that expect to monetize the data they collect – whether that’s by collecting internal data to improve operations, or by deploying better-targeted campaigns or discounts for current and prospective customers to generate more revenue – should be mindful that consumers are paying much closer attention.
Altruism, but with limits
While the research shows that consumers are more mindful regarding who is using their data, and how it is being used, it also uncovered a trend toward altruistic data sharing. Indeed, more and more consumers are seeking out brands that use their data to help others — as long as they are adequately protected and remain in control of what they share.
Half of the consumers surveyed said the pandemic has made them more willing to part with their personal data, especially if they know it is contributing to the research effort and/or community wellness. This creates a real opportunity for brands with a deep sense of purpose to build trust with consumers, which, in turn, will allow them to responsibly tap the potential of consumer data.
This tendency to share data for altruistic purposes is particularly pronounced among younger consumers. More than a quarter (26%) of Millennials and 22% of Generation Z respondents said that helping to maintain or improve the life of someone they do not know is one of the three most important considerations when agreeing to share data with an organization. Also, almost two-thirds (61%) of consumer respondents in Asia-Pacific said they are more willing to share their personal data if it contributes to the COVID-19 research effort and/or community wellness.
The survey further highlights that context is crucial for consumers when it comes to sharing data. Around two-thirds (65%) of respondents said they would share medical information with a medical institution to improve their healthcare experience, and 54% would share demographic data with a retailer in exchange for discounts. Yet only 39% would share their online search history with a large technology company in return for more personalization.
Getting the balance right
It is clear from the research that while consumers are sensitive about how their data is handled, they can be persuaded to share more of it with trusted organizations that use data in meaningful, purposeful, and responsible ways. Organizations can build trust by clearly communicating to their customers what they are doing around data protection. They can also give consumers greater control over the data that specifically relates to them. If trust isn’t built – or if it is breached – organizations risk losing their customers to competitors.
Once trust has been established, organizations can start to explore how they can monetize consumers’ data in ways that will create value for them and help to further build trust. They should consider what kinds of data their customers might be willing to share, and under what conditions.
Proceed with caution
Depending on who you ask, perspectives and priorities on privacy certainly differ. For example, in collaboration with the International Association of Privacy Professionals, EY professionals interviewed privacy practitioners and privacy leaders from around the world.[1] Practitioners implementing privacy on the ground across business sectors focused on the most immediate challenges relating to privacy. They highlighted employee privacy protections and virtualization challenges as the top priorities as they prepared for work-from-home and return-to-work transitions. For policymakers, regulators and academics, the focus is more around bigger-picture societal concerns, citing the increase and normalization of surveillance by governments and commercial actors as their top priority.
Consumers, understandably, have their own priorities, and require a customized approach. In the past, many organizations have understandably been extremely cautious around consumer data privacy, but this has come at a cost – both the financial cost associated with cyber protection and the commercial cost associated with missed revenue opportunities. With CIOs now under pressure to do more with less amid frozen budgets and changing consumer expectations around data, the time has come to reassess this super-cautious approach.
As we stand at the crossroads – balancing the perspectives of consumers, requirements of regulators and needs of the business related to data privacy and protection – businesses need to re-evaluate their overall privacy program and approach. Perhaps the new reality offers a unique opportunity to enable strong security to create trust, allowing customers to share more data and derive more value.
If this pandemic has taught us anything, it is that insights that could make a big difference to consumers may well be hiding behind masses of untapped data. While this may be deemed a heretical statement for a cybersecurity practitioner to make, perhaps we should be reconsidering our role and the programs we implement to protect data and privacy, with a new bias toward promoting and expediting – not limiting – a trusted value exchange.
The views reflected in this article are the views of the author and do not necessarily reflect the views of the global EY organization or its member firms.
[1] Privacy in the wake of COVID-19
About the Author
Kris Lovejoy is EY Global Consulting Cybersecurity Leader. World-renowned in cybersecurity, risk, compliance and governance, she was a keynote speaker at this year’s CERIAS Security Symposium and was named by Consulting magazine as a Women Leader in Technology. She has been quoted in publications that include Forbes, Fortune, USA Today, Federal News Network and Risk Management. Before joining EY, Kris was CEO of an AI-driven network security company and the general manager of a multinational information technology company’s security services division, charged with building end-to-end cybersecurity programs for clients worldwide. Kris can be reached online at https://www.linkedin.com/in/klovejoy/ and at EY.com.