A privacy reset — from compliance to trust-building

“Our approach to privacy and data protection is grounded in our belief that customers own their own data,” said Satya Nadella, CEO of Microsoft. "Our privacy principles include a commitment to be transparent in our privacy practices, to offer meaningful privacy choices, and to responsibly manage the data we store and process."

Many companies are launching features that let them interact and track what people do on their business websites and apps, and that help them personalize the messages and offerings that each customer receives. If a consumer has a good experience with a site, they’re more likely to stay longer and buy more.

Companies most concerned with the “user experience” include business-to-business (B2B) enterprises beginning to offer products and services directly to consumers (D2C), and companies launching an application for the first time. These organizations would do well to take a proactive approach to privacy.

Proactive privacy means encoding privacy into your application or website from the very beginning, even while you’re prototyping ideas, and keeping privacy in mind at every step along the way to deployment and beyond. One way to make sure privacy stays top-of-mind is to embed checkpoints for privacy impact assessments (PIAs) throughout the product development life cycle — positioning you with your product teams to avoid last-minute roadblocks that could slow down your go-to-market and undercut business objectives.

The principle of “privacy by design, privacy by default” increasingly mandated by privacy laws requires the technical experience of privacy engineers. Working alongside product development teams, designers, IT and compliance/legal professionals, the privacy engineers implement appropriate technical and organizational measures such as pseudonymization and differential privacy.

One caveat: Be on the lookout for dark patterns in your design that have the effect of subverting or impairing user autonomy, decision-making or choice. The newly enacted Colorado Privacy Act as well as the California Privacy Rights Act state that user consent obtained through the use of dark patterns is not valid. Privacy-conscious product developers avoid dark patterns that steer users into making certain choices, restrict the number of choices, or obscure essential information.

Consumers generally have little transparency into or control over what happens to their data once an entity has collected it. Only half are even aware of their device controls over data collection, according to a recent Consumers International survey. But enterprises can win customer trust by volunteering information such as “data used to track you,” “data linked to you” and “data not linked to you” clearly and simply. This growing trend, akin to privacy nutrition labels, provides consumers more confidence and helps them make better decisions when sharing their data with companies.

What’s changing: Include your privacy team, especially the privacy engineers, in product development meetings from the earliest stages to make sure that data privacy gets its due, and that the design does not manipulate users or trick them into giving you data that they may not be comfortable providing.

“Privacy cannot be a luxury good offered only to people who can afford to buy premium products and services,” said Sundar Pichai, the CEO of Google and parent company Alphabet. “Privacy must be equally available to everyone in the world.”

Intelligent automation like AI can improve innovation and help you create products highly desired by consumers, but the technology brings inherent data privacy risks. In the EU, officials recently proposed banning or tightening controls over live face scanning and other AI technologies that could endanger people’s safety or violate their rights.

AI “magnifies the ability to use personal information in ways that can intrude on privacy interests by raising analysis of personal information to new levels of power and speed.” If you don’t properly govern your use of AI and inform your teams about what’s legal and what isn’t, your company could be at risk of breaking the law and losing consumer trust. For better governance, you’ll want to bring together data-science teams and other developers with those involved in acquiring AI solutions such as operations and human resources and core teams, including privacy.

Use an accountability approach that rests on these four pillars: transparency (disclosing how you use algorithms in decision making), explainability (providing retroactive information on how algorithms were used in specific decisions), risk assessment (evaluating and mitigating risks in advance using PIAs and other analyses), and audits (evaluating privacy practices after the fact to improve your program).

What’s changing: Using AI responsibly means continuously self-monitoring to help identify potential bias and new sources of risk, and to always be adapting. Build frameworks and toolkits to assess your AI models to make sure that they are fair and ethical and that you can explain how they work.

“Even before the pandemic, data governance was emerging as a critical ESG risk when evaluating investments in the technology and communication sectors,” said Martin Jarzebowski of Federated Hermes. “As industries evolve, whatever their state, ESG evolves with it, unearthing specific vulnerabilities vital to stakeholders and, as such, enterprise itself.”

Leading executives, intent on increasing investor trust, see the linkage between transparency and ethical use of data as a means to further drive ROI from their ESG initiatives. Forty-two percent of the US respondents to PwC’s 2021 CEO survey ranked cyber and data privacy second among 11 areas in which, they said, more should be done to measure threats.

In fact, privacy and data security is an ESG investment priority — a priority equal to, if not bigger than, climate change, according to PwC’s survey on ESG practices and attitudes.

Investors increasingly include data security and privacy factors in their analysis of material risks and growth opportunities. ESG assets are on track to exceed $50 trillion by 2025, more than a third of the projected $140.5 trillion in total global assets under management, according to Bloomberg Intelligence’s (BI) latest ESG 2021 Midyear Outlook report.

When it comes to how data privacy programs are rated, ESG rating agencies are looking for demonstrable accountability. They systematically comb the public space for reliable evidence that companies are meeting the agencies’ privacy expectations. According to one rating system, the Morgan Stanley Capital Investments Industry Materiality Map, data security and privacy account for a considerable share of overall ESG ratings in certain sectors, including Internet and direct retail marketing (29%), communication services (24%), education services (18.8%), hotels (15%), financials (10.3%) and info tech (9.9%). The greater the transparency a company provides in these heavily-weighted domains, the more improvement in its ESG score.

What’s changing: The more details a company is able to attest to publicly about their privacy and security programs, the higher their scores are likely to be across the various ESG agencies. The SEC is expected to soon create formal regulations on ESG disclosures, including those related to cyber and privacy.