Organizations in Australia face a significant challenge with data. On the one hand, there is a demand for personalized services. Consumers are willing to share their data if it means better personalization.
On the other hand, there is a real concern about privacy, and while organizations are focused on finding ways to prevent data breaches, efforts to improve customer privacy protection are more haphazard.
Why organizations want data to deliver personalization
Personalization is one of the most valuable reasons to collect and use customer data. According to Versent's The Great Tech-Expectations report, more than 80% of consumers are more likely to do business with a company that offers personalized experiences.
Meanwhile, according to McKinsey, personalization reduces customer acquisition costs by 50%, increases revenue by up to 15%, and improves marketing ROI by up to 30%.
So it's no surprise that personalization is a key topic in marketing circles and that IT teams are being asked to work with data to deliver better personalization. However, as The Great Tech-Expectations report also highlights, only 16% of consumers think that companies are doing enough to safeguard their data, the critical information needed to provide personalized services.
There is a tension between the desire for personalization and the risks of collecting the data needed to achieve it, and Australian organizations have a long way to go to allay customer concerns about this. However, the real challenge does not stem from the threat of cyber breaches but, in many cases, from data management effort being pointed in the wrong direction. Too often, organizations focus on preventing breaches and lose sight of the need to protect privacy.
Why personalization and customer data are becoming a risk minefield
Losing customer data, even if it is used for personalization, costs businesses a lot. Following the now infamous Optus cyber breach, the company lost 10% of its customers. Data from Bitdefender suggests Optus was lucky: 43% of Australians said they would take their business away from a company following a data breach.
The fallout from that breach (and several other high-profile ones in recent years) has meant that much of the rhetoric around data and risk at the board and executive level has focused on the breaches themselves and on trying to put an end to them. But often that's not the real problem, and it's not the underlying reason why these companies lose customers.
Lack of privacy regulation is the real risk
While the risk of cyber breaches is real and must be managed, the real challenge Australian consumers face with their data starts with a regulatory environment that has been slow to catch up in these areas. Online data privacy is governed by the Privacy Act 1988 (Cth) and, as the name suggests, that law was introduced long before the digital age turned consumers into data mines.
Because the regulatory environment is so old, organizations have been able to capitalize on data without being held accountable for any risk. This is what the government has since begun to address with its Notifiable Data Breaches scheme and the Consumer Data Right, both introduced following the wave of high-profile data breaches at Australian companies.
At the heart of these efforts has been a simple understanding: consumers are indeed willing to give up their data in exchange for the kinds of benefits that personalization can bring them, such as things becoming cheaper or simpler. However, they also expect to be kept informed about what data organizations have and how they use it, and this is where the cracks in Australia's national data policies have traditionally been.
Australian organizations need to better understand security and privacy
Perhaps one of the biggest things that companies get wrong is where they direct their energy in data risk management. Much of the discussion around data currently focuses on security: the idea of preventing breaches in the first place or, if a breach occurs, strategies and methodologies to minimize the data that criminals have access to.
Interestingly, however, there are signs that Australians understand that breaches will occur (or, perhaps, as 60% of Australians report, believe they are inevitable) and that they would be willing to forgive the company even if they took their business out temporarily. While 60 per cent of Australians believe a breach is inevitable, only 12 per cent of Australians say there is absolutely nothing an organization can do to win back their customers after a breach. What matters is how the breach is handled and how the organization has previously collected and handled its data.
Australians want more responsibility over the use of their data
What consumers are really concerned about, and where they are much less willing to forgive, is privacy, which is a different concept from security. As OAIC data shows, one in four Australians now expect organizations to only collect the information strictly necessary to provide the service.
This is an important privacy step as it means the amount of critical data that a criminal could access in the event of a breach is minimized. Additionally, in the event of a breach, Australians expect organizations to have a response plan that includes rapid and transparent communication and remediation measures for data that has been compromised.
Unfortunately, ASIC research suggests 58% of Australian businesses have limited ability to protect sensitive information and a third of businesses have no cyber incident response plan. What this means is that if those companies are breached, customer data will likely be exposed to greater risk and the organization is unlikely to handle the matter in the timely and transparent manner that the customer needs to protect their privacy.
What a renewed focus on privacy would look like
Obviously, organizations must continue to apply a best practice approach to cybersecurity. However, for many organizations of all sizes in Australia, the tension between the desire for personalization and the risk of a breach can be resolved by taking a better, more proactive approach to privacy. This means:
- Having a clear privacy policy that customers can refer to, which lets them see how their information is being cared for and how they can delete it permanently, and which helps build customer trust.
- Being aware of all personal information that is collected, as well as where it is stored, how it is used, and who can access it. For this reason, data discovery and labeling tools are as important as any security measures.
- Having policies to collect only the necessary data and not to store it longer than necessary, whether that necessity comes from regulation or from the need to continue providing the personalized service.
IT has a role to play here in helping organizations move away from viewing data as purely a security issue. Additionally, as Australian regulation begins to catch up and requires a new regulatory approach to privacy, developing strategies and adopting solutions to manage privacy will be a central component of risk management in 2024.