Interview with Jessica Tay the Information Security Executive Advisor at KPMG. We discusses whether a privacy charter should be created for the internet to protect our data from being misused or whether we should be embracing the opportunities sharing data brings

In what ways can internet data be misused?

Whilst companies operate within the boundaries of the law, the use of data remains a very grey area around what is perceived to be ethical behaviour rather than the legal infringement of personal privacy.

Misuse of internet data could include tracking browsing on other websites, collating and analysing user social media posts and preferences, cross referencing public and purchased information to build rich pictures of users.

This data can then be used to target consumers via personalised advertisements for a corporation’s and third party products, amended pricing and offerings, and even for analysis to be sold on as a separate product to another company.

On a personal level, when an update is shared on Facebook or Twitter about getting engaged, users wouldn’t expect online banking pages to automatically update to offer deals on joint mortgages. After all, without explicitly updating details with the bank, it isn’t normal for them to have that information.

Users will have different perspectives on this issue – some will feel it provides them value by having their world arranged around them to suit their personal tastes and needs, whilst others will feel uncomfortable with the feeling that their personal privacy has been invaded.

How would an internet charter protect users?

Often where users share data online about themselves, they do so to connect in a purposeful way – for example, LinkedIn for professional purposes, Facebook for sharing with friends and family, etc. The stark reality is that many users have no idea how the data they share online is used. This is beginning to change, but the reality is that even where one becomes aware of the implications of sharing their data, what has already been shared is extremely hard to erase.

With regard to an internet privacy charter, the focus would be to address the issue of companies seeking to use data outside what is directly provided to them by the user.

An internet charter would allow users to identify corporations who are willing to respect the boundaries of personal data privacy and commit to using only data which the user has provided directly.

 Companies would need to actively make the decision not to use personal/private data in the public domain or purchase 3^rd party data beyond general market trend information.

If an internet privacy charter is put in place, users will enjoy greater personal privacy, experience a reduction targeted marketing to entice them to increase their spend and greater protection should a data breach occur. They will also have freedom of choice to explore new products and items in a way they choose rather than these products being pre-selected for them based on an algorithm. It will encourage users to assess their choices and promote proactive research and questioning.

It draws an important line between the individual and the company – returning balance to the customer/company relationship as there currently is a large imbalance between the two entities. This imbalance exists as companies possess superior resources and information to know a great deal more about the customer (including their personal life) than vice versa.

To draw a parallel, it’s a bit like an employer knowing everything about an employee’s personal life by assessing data available in the public domain, i.e. “John, I noticed your night out with your friends was cancelled today on Facebook so I presume you have time to stay late to help out with this project”.

What are the main benefits to companies who choose to adopt a privacy charter?

Companies owe a duty of care to their shareholders to generate sales, growth, and profit and to provide value for their owners. The debate regarding a privacy charter therefore needs to be built upon not only ethical but monetary grounds to ascribe benefits to the business rather than just being perceived as additional cost and regulatory pressures on the business.

The main benefit to companies adopting such a charter will be reputational – being seen to be a daring forerunner in rebuilding the bridges of trust between companies and the individual.

Information available on users is now at unprecedented levels and is difficult for the individuals to truly restrict what a company chooses to do with this from a business context. There is fatigue around the lack of trust between the consumer and the corporation – questions around the integrity of business processes and the lack of concern for the individual and the unwavering focus on profits and sales with a high cost to the consumer.

Adopting a privacy charter would also be akin to going organic or making a stance to source goods ethically – a statement to the customer that the business respects the individual and the boundaries that exist between what is personal and what is truly public. The choices of how to use the information available now rest more with the corporation than with the individual due to the difficulty of control by the user.

As increasing data regulation is imposed on companies, it is perhaps wise for companies to consider if there is a first mover advantage in being seen to pro-actively and willingly adopt these changes as it creates positive PR for these companies and create a buzz amongst customers as a company who cares about its customers – which may prompt a flight to “quality” – i.e. the company which is enjoying a renaissance in its customer relations through respecting the customer.

Change is on the horizon and it is up to companies to willingly embrace this and seek to optimise the value of these changes ahead of the competition.

What are the main risks to businesses choosing to adopt a privacy charter?

Whilst the privacy charter remains optional, it could be seen as paying lip service to this charter, a lack of management engagement throughout the company or where certain staff act in contravention with company policy due to their incentives.

A company must be truly committed throughout the organisation and ensure that there is commonality of purpose in pulling towards the goal to be seen as an ethical company that customers should trust in and be loyal to in the long term.

The reduction in data usage, collation and analysis will also generate less data assets for a company to control and a reduced IT estate will be required. With increasing legislation on a company’s responsibilities for information protection, the need to protect key information assets, a more manageable information estate will translate to less potential fines and potential reputational damage should a breach occur.

A risk that some might voice is the fear of being left behind the competition who will continue to engage in heavy information analytics. A review of the amount of additional value truly derived by the firm from their current approach should be honestly reviewed and an understanding of the premium required for a different approach calculated alongside the changes in operational cost as well as projected additional sales and customer loyalty dividends.

How can companies incorporate policies in order to protect their customers better?

Companies can ensure that their staff are fully trained and aware of what their data privacy policies are in all areas of the business, paying special attention to how it relates to the specific tasks the areas are engaging in.

In addition, where a company has made the decision to sign up to a data privacy charter, it should ensure that employees are not incentivised to use customer’s data in a way that breaches the company’s data privacy policy to minimise infractions that could lead to reputational harm.

What can individuals do to protect themselves?

Individuals should seek to understand what their personal stance on data privacy is and define what they deem acceptable or desirable given their individual circumstances. Being aware of any tracking cookies that are installed, what information they disclose on social media sites and understanding what the policies are of each retailer before deciding to shop with them are essential for individuals to protect themselves.

Additionally, users should ensure that where they are provided with suggested choices, especially for high value items, that they should not assume that the suggestions provide the best value for money or a necessity and conduct their own market research to determine the best choice for their circumstances.