The ever-increasing need for access to data for business development purposes and the increasing regulatory requirements, have catapulted data governance into the business environment. This means that data needs to be managed, controlled, and developed in accordance with existing business principles of asset management. However, the value of privacy in a business context must be assessed using the same criterion used for any other business initiative and the viability of proposed new initiatives needs to be assessed using the same metrics that executives apply when assessing investments within other business areas.
For the privacy professional, this requires the use of a skillset that is not necessarily a standard component in the toolbox of privacy experts. It raises the question: How do you quantify the value of reduced risk, and how do you articulate the value of customers trusting that you will handle their personal data properly?
Why invest in privacy?
In a competitive business environment where resources are scarce and we are constantly being asked to do more with less, the privacy professional needs to be mindful that he or she is in fierce competition for allocation of resources. That companies do not invest enough in strong privacy practices is not entirely surprising. Nearly half of all companies will also consciously underinvest in IT-security to ensure profitability – despite having experienced security incidents in the past.
Ultimately, the privacy professional needs to be able to justify the value of privacy in a business context. Often it will be difficult for the privacy professional to show a direct and short-term financial benefit of an investment in sound privacy management. A frequent mistake is therefore to try to explain and justify privacy investments as a toll that needs to be paid to avoid fines and sanctions. This puts privacy work in an unfortunate light as a pure compliance activity and not a business supporting activity.
Numerous articles have been written and surveys conducted to explore the value of privacy and how it influences consumer behaviour. At the same time, other scholars have put forward arguments that consumers pay little attention to privacy when required to exchange other goods or benefits for greater privacy. Very few have however substantiated their claims with extensive data demonstrating how an emphasis on privacy can ultimately lead to increased business profitability.
Conversely, the most concrete example of the tidal shift in the view on the importance of privacy among the world’s leading data driven companies, was the prominence privacy had at the CES 2020. From Google, to Apple, to Facebook, they all pushed privacy to the forefront of their offerings and the new services they showcased at CES 2020.
So, the question is, how can you as a privacy professional make your senior management see what the GAFAMs have already realised. What business case can you build? What data can you use to prove your point? And what business areas do you need to consider from an operational perspective?
Privacy in a business context
A couple of useful sources of data on the importance of digital trust are available. Salesforce, and Cisco have both carried out recurring and extensive studies that track the link between profitability and trust/privacy. The Cisco study is interesting as it addresses the link between increased trust as a result of strengthened privacy practices and the return on investment (ROI) resulting from the strengthened position. Companies like IBM have looked at the business opportunities that privacy practices will create.
Perhaps not surprisingly, the studies support the notion that effective operationalisation of privacy will ultimately have a direct impact on the services that a data driven company provides to its customers. This means that when attempting to describe the impact of any privacy program, it should have a wider focus than only the immediate compliance related and risk reducing activities.
In particular, privacy resources need to consider their potential impact on the wider strategic agenda and demonstrate how privacy can support the overall perception of the organisation.
By focusing merely on data protection as a compliance activity, privacy functions are forfeiting the opportunity to position themselves as a critical business enabler.
The journey towards positioning the privacy function as a critical business enabler and making a clear case for the value of privacy in a business context, requires the privacy professional to consider how she can transform the privacy function into becoming an opportunity for the organisation.
This exercise obviously requires buy-in and support from senior management. This is best achieved if data management is handled as a component in the overall data strategy for the company. With a starting point in the current and future need of data for business purposes, the data strategy should cover and provide direction for topics such as data governance, data security, data management and data privacy. This is best approached as a top-down exercise – starting with the mission, vision, values and strategic objectives of the organisation, in which the privacy professional should find the guidance that she can use to structure the transformational activities of the organisation. When first engaging with senior management the privacy professional therefore needs to make it clear, that the program will not set a new direction for the organisation, but instead that the program will support the organisation in reaching its overall strategic objectives by supporting the business and not vice versa. The value coming from the program will stem from three different but mutually supportive domains:
- Strengthened data governance will allow the organisation to obtain improved and increasingly relevant insights from the data it holds, allowing the company to offer more relevant and advanced services to customers.
- Strengthened customer-focused business practices relating to the use of data will increase customer trust towards the corporation. I will revert to what value this has from a business perspective.
- Strengthened data management will reduce the risk of unforeseen incidents and non-compliant use of data, with a subsequent reduction in overall business risk.
A bank is struggling with an overall negative perception of the company because of negative media coverage following some unfortunate business practices in the past. The bank has moved on, but the negative image of the bank has stuck. The bank is looking at how to improve its image and is willing to invest in long term program to address these matters.
The privacy professional sees how the vision and mission of the bank is to provide market leading financial services, but she also sees how the bank has failed to adapt its services to the need and expectations of the market today, and how the bank has lost ground to competitors. She recommends a long-term program to re-establish customer belief and trust in the bank. The program will not stand just in a data protection and privacy pillar, but will build on a broad foundation of customer focused trust-building initiatives, ranging from more transparent bank products, a better and more simplified portfolio of online services, strengthened IT-security practices, a range of CSR activities consisting of eLearning on how to stay safe while being online, and finally a number of strengthened data protection practices and capabilities that will allow customers to better manage their own data.
How to make the case for privacy
Inspired by the direction provided by the corporate data strategy, the privacy professional can, as part of a v-team including other internal relevant functions (e.g. strategy, IT-security, markets, analytics/BI), identify the market opportunity to be pursued. This opportunity then needs to be broken down into a chain of supporting activities, where the intended market position is supported by a number of clear offerings or claims that allow the corporation to stand out from its competitors. These offerings however need to supported by a number of concrete activities that allows the market claim to be credible. To say that “we take our customers privacy very seriously”, or “you can trust us” simply isn’t credible without a symphony of concrete activities supporting and validating the claims. This is where the privacy can support the organisation in taking a broader and more valuable market position.
Business enabling capabilities such as analytics, service development and efficiency gains through better data, are critical elements in any business case showing the value of improved data management and governance.
Often these areas are however looked upon as individual pillars, or even worse, considered mutually exclusive. The fact of the matter, however, is that in order to get to great data driven products and services that are relevant for your customers, organisations need to consider and implement sound governance and practices for a number of areas.
Why trust matters
In a world where access to data increasingly requires meaningful consent, it is difficult to exaggerate the importance of digital trust for the adoption of new services and how it can nurture an increased willingness among users to share information with the specific data controller. The recent discussion on the use of various applications for Covid-19 tracing and tracking purposes is an excellent example of the reaction when solutions are implemented without the required level of digital trust having been established.
For organisations, the importance of trust should not be underestimated. Salesforce has assessed the business implications of trust:
However, it is important to understand, that perceived value will differ from customer to customer. In their article “What shoppers really want from personalised marketing“, McKinsey & Co introduced the:
As relevance, timeliness, perception of loss of privacy and overall trust in a company will be subjective and based on individual experiences with the brand and the customer’s literacy with regards to privacy, the perceived value of an offer or activity will be unique. The resulting diverging expectations from customers on how their data will be handled and how much weight they assign to the different parameters, requires companies in their data strategy to plan for a flexible handling of customers.
Digital trust bears considerable business influence – from customer loyalty to customer spending. It will connect companies more intimately to their customers, and it will make customers more likely to be loyal to brands that live up to their expectations. These are critical parameters in an increasingly digital economy where companies are having to fight hard to position themselves as the company that should merit the customer’s attention. As mentioned above, the GAFAMs have recognised this for some time already, and are consequently investing massively in strengthened data management and then actively starting to market their capabilities within this domain. It is also prudent to remember that customer trust and loyalty is hard earned but very quickly lost. One public breach incident, in which it becomes apparent that an organisation failed to implement appropriate policies and controls around the protection of the personal data of customers, can have devastating long term consequences.
Making the case for the value of privacy in a business context can be difficult. The difficulties of putting numbers on the return of investment of a new privacy initiative often means that privacy professionals resort to justifying the initiative as only being a risk reducing activity. This limits the value and scope from a business perspective and maintains privacy as a compliance activity.
By putting privacy and sound data management into a broader business perspective, the privacy professional will be able to position data protection and data management initiatives as enablers of the overall strategy of the organisation.
The privacy professional can help his or her organisation by putting privacy management on the agenda of the overall data strategy of the organisation. This will allow for a meaningful discussion by the senior management of the value of privacy in a business context, and the position of the organisation on critical topics such as data analytics, data governance, data security, data management and data privacy.
With this strategic topic part of the agenda, it will be much easier for privacy professionals to articulate (or justify) the value of effective data management, incl. data protection, and they will be able to do so not only from a compliance perspective, but also from a business perspective.