The way Yaron Cohen sees it, companies today must do in the digital world what came naturally to neighbourhood merchants who saw their customers every day.
“In the old world, when people used to go to the corner store and meet the same shopkeeper every day, he’d know their tastes and what they’d buy and would personalise the experience for them,” says Cohen, a user experience researcher focused on digital strategy.
“But now we’re in a place where everything is mechanical. In the world of e-commerce there’s no human connection, and so to understand that customer, you have to collect data. This is where privacy problems start.”
Organisations of all sizes and stripes are collecting increasing amounts of data on individuals as they seek to create better customer experiences and deliver personalised services.
A study of 1,000 executives from Skynova, which offers online invoicing for small businesses, found that 86 per cent of the 1,000 business owners and executives it surveyed gathered data from its customers.
It found 75 per cent of businesses with fewer than ten employees did so, compared to 93 per cent of those at organisations with 100-plus workers. The study also showed that 64 per cent collected data on their customers from their social media sites.
Yet collecting and using all the data creates problems, as Cohen points out. Organisations risk the data being stolen in a cyber attack, and they risk collecting or using data in ways that run afoul of the myriad data privacy laws that have emerged in recent years around the globe.
They also risk alienating the very individuals they’re trying to serve with their data-driven user experience (UX) initiatives. A 2021 KMPG survey brings that dichotomy into focus. It found that 70 per cent of the 250 business leaders surveyed said their companies increased collection of consumer personal data during the prior year.
Yet 86 per cent of the 2,000 general population respondents said data privacy is a growing concern for them, 68 per cent said the level of data collection by businesses is concerning, and 40 per cent don’t trust companies to use their data in an ethical manner.
Business leaders seem to be taking note: KMPG found that 62 per cent agreed that their companies should do more to strengthen data protection measures.
Enterprise executives are now trying to determine how to create policies and practices that guarantee they have and can use the data needed to enable UX – including personalised digital interactions and services – while also safeguarding user privacy and data security.
Getting that balance right is non-negotiable, says Damon McDougald, global digital identity lead with professional services firm Accenture.
“Consumers are concerned about the data that they have to provide to get a service, where that data goes, and whether that data stays with the company,” McDougald says. But at the same time “a good customer experience and a bad customer experience is the difference between keeping or losing customers.”
There is, of course, no magic formula to calculate the right balance, but UX and privacy experts say executives can take to find the proper trade-offs between enabling user experience and supporting data privacy.
Collaboration among business, privacy and security teams is critical
Karena Man, a technology consultant who leads the data practice and the West Coast Tech Officers practice at management consulting firm Egon Zehnder, says security and privacy executives should anticipate pushback from some of their business-unit colleagues as they seek to implement and enforce data protection measures.
Product leaders, marketing managers and others will “feel like you’re removing arrows in their quivers,” Man says, noting that security and privacy chiefs are still often seen as the hall monitors trying to lock down data.
To counteract that reputation, she says security and privacy heads should work with their counterparts in products, marketing and sales to understand UX and customer journey concepts.
“The chief security officer needs to think of him or herself as a business leader with [subject matter expertise] in risk, security and compliance and as someone who can think through how to enable the business to grow,” she adds.
McDougald agrees, saying it’s overdue. “A lot of organisations are siloed and talk to each other very infrequently; I’m not seeing a lot of conversations happening,” he says. But defining what tradeoffs between enabling a great user experience and maintaining the right privacy levels requires a host of executives to work together.
“It’s imperative that the security organisation partners with the product owners and the lines of business to help them understand privacy needs and meet those requirements.”
At the same time, Rebecca Herold, CEO of The Privacy Professor, a consultancy, says security and privacy chiefs need to help the business-unit heads understand the complexity of data regulations.
Herold says she has worked with organisations where business leaders make faulty assumptions about what data they can use in which ways. For example, she says she has met marketers who believed user information they obtained from online sites was public and therefore not personal data that required privacy protections by law.
“Those outside of the security or privacy office often don’t know what data they have that could be considered as personal, or they may be using it in ways that they don’t realise creates risk or violates regulations in the name of customer experience,” explains Harold, who also serves on the Emerging Trends Working Group at the professional governance association ISACA.
Risk, customer experience improvements enabled by collaboration
Collaboration, experts say, helps all stakeholders – security, privacy, risk, legal, marketing, sales, products – better align the UX activities with privacy rules. “It helps make sure the privacy policies are supported by whatever they’re doing in user experience,” Harold says.
Additionally, cooperative efforts allow teams to be more deliberate about determining the data they need rather than gathering whatever they can, a distinction that can reduce risk by keeping data collection, storage and use to the minimum necessary.
Cohen says that cooperation also creates more opportunities for the stakeholders to develop, articulate and enable user-facing requests for data – in other words, opt-in and opt-out features – something that some laws, such as the European Union’s General Data Protection Regulation (GDPR) requires.
Cohen says he believes organisations should present users with clear, understandable details about what data is being collected and how it’s being used.
He also says organisations should create easy-to-use opt-in and opt-out features which allow users to select varying degrees of data-sharing – and to correct wrong data – throughout the data’s lifecycle. It’s about “legibility, agency and negotiability – and taking these three guiding principles and designing a system around them,” he says.
Cohen and others say they see more enterprise executives paying attention to such issues. A 2022 Pulse Survey on managing business risks from professional services firm PwC shows that cyber security and privacy as well as customer experience are indeed receiving similar attention from the executive suite, with 49 per cent saying they’re increasing investments in the former area and 48 per cent boosting spending in the latter.
“It’s absolutely on companies’ minds,” Man says. That in turn has made stakeholders outside of the security and privacy functions receptive to incorporating parts of those disciplines within their own work, according to experts.
For example, Herold says she has run tabletop exercises with marketing pros, who walked through UX ideas and the data they’d need to enable them while she helped them learn to analyse for potential security risks and privacy violations. “You’re then providing them with training that they can use,” she says.
Herold also recommends security and privacy teams teach other stakeholders to conduct privacy impact assessments on proposed UX initiatives so they can catch issues early and course correct. “They can still do the user experience, but they’re doing it in a way that also protects privacy,” Herold says.
Meanwhile, Man says she worked with a CISO at a content company who taught the product team how to conduct threat modelling, which they now use when developing new features to identify privacy issues that could violate any regulations or enterprise policies. “This allows them to think about the risk they’re opening up and weighing it against the features they’re trying to enable,” Man explains.
Man says the CISO was able to get the product team to adopt this approach in part because she had appealed to its “sense of stewardship,” noting that the team wouldn’t want its work to be the cause of a breach or a regulatory action. “That approach,” Man adds, “is something that really resonates.”