The theme for this year’s Data Privacy Week campaign is ‘take control of your data,’ designed to encourage consumers to better manage their personal data that is being collected online by businesses.
With growing user awareness of organizations’ data practices amid high profile legislation like the EU’s General Data Protection Regulation (GDPR) and increasing media coverage of privacy and data breach stories, it is vital that businesses improve transparency and trust with customers with how their data is stored and used.
This includes demonstrating value exchange, the idea that consumers are getting sufficient returns for the personal data they are providing to businesses.
Infosecurity Magazine spoke to Joe Jones, Director of Research and Insights for the International Association of Privacy Professionals (IAPP) about these themes, as well as the impact AI technology is having on consumer attitudes to data privacy.
Infosecurity Magazine: What can businesses do to increase trust and transparency with consumers around their collection and use of personal data?
Joe Jones: I think that's the challenge of our time now – users and consumers are becoming a lot more au fait with personal data, how it's processed by organizations, and trust is important. To use the Dutch phrase, ‘trust arrives on foot, but it leaves on horseback.’ It's hard won and easily lost.
Our research at the IAPP shows that one of the most important things that businesses can do up front is to work on comprehension and clarity.
So being very clear and accessible as to what it is that you are collecting and how you are going to process that information. That's hard because technologically we've never been more advanced and the things that organizations can do with data has never been more complex.
We ran a survey last year of over 5000 consumers around the world, and only 29% reported it being very easy or somewhat easy to actually understand what a company is doing with their data. We've all seen privacy policies, they can be quite dense and even impenetrable to understand.
Then there's a lot of apathy. We live in such a service and digital content driven society now, a lot of people are just clicking through. They either don't care at all or don't care enough to engage in the density of what's presented to them, but they would care more if it was clear and plain what it is that's being done with their data.
When we asked consumers what is the top action that you would want companies to do to improve privacy, the answer was writing a simpler, clearer privacy policy. That was flagged by 30% of consumers.
IM: How important is it for businesses to ensure there is value exchange with customers when managing their personal data and what can be introduced to facilitate this?
JJ: This goes to the root core of that contract, the exchange between a consumer providing their data and in exchange getting something that they deem valuable.
"I think the average consumer understands that AI is data hungry"
On one side of the ledger is the content or the service they're consuming – how good are the movies on Netflix, how good is the functionality of my social media platform?
On the other side of the ledger is this sense by the consumer that they are either in control and/or that they have choice.
That is becoming increasingly important for businesses, it's not just the value of the services or the products that they provide, but it's the value of that data protection, data privacy interaction with the consumer.
We're seeing trends around monetization, users being offered money or discounts off of services and products. Users are also having more control and there’s certainly an increase in user interfaces like control boards or platforms where users can go in and toggle on or off different settings.
We're also seeing a rise in what many in the industry called nutrition labels, that more transparent disclosure of how well a company is performing with respect to their data privacy practices.
IM: To what extent are you seeing the growing use of AI impact consumer attitudes around data privacy?
JJ: This is massive. The discourse around AI in particular is magnifying consumer understanding and consumer attitudes around data privacy.
There’s a spectrum – on one end there’s the sci-fi, dystopic understanding. Then in the here and now prosaic, I think the average consumer understands that AI is data hungry.
Its own existential risk is it depends on its ability to collect vast amounts of data. And there are collection issues – consumers want to know what information is being collected about them.
Then there are pervasive issues around how that data is subsequently processed. There are concerns that I think have risen to the top of public consciousness around what's going into the algorithm. Is bias being baked into it, and how does that all manifest with the outputs of the model, such as discrimination?
These are serious impacts that affect people's lives. The public are becoming used to stories of AI being life-saving and AI having altogether adverse impacts.
It's really seized public consciousness and the consciousness of law makers and regulators and I think this is going be a real trend going forward as AI becomes an increasingly integrated part of everyday consumer life.
IM: Do you think organizations can use AI tools effectively to enhance their data privacy practices?
JJ: Absolutely yes. It might not be the most sexy headline when we are used to AI finding cures or speeding things up. But AI tools’ ability to do things at scale, more efficiently and in some cases more effectively, is being leveraged for privacy compliance.
We ran a survey in the middle of 2023 and a quarter of the organizations that responded said that they are currently using AI or intend to the use AI in the next three years to help with their privacy compliance. That figure rises to 40% for larger companies.
There's another trend that I think is going to be important. This is that organizations that approach AI governance in a strategic way, with dedicated resource professionals doing the work, clear guardrails and organizational governance, will pay dividends to their privacy work.
AI governance is going to be a multi and interdisciplinary exercise. It's going touch many facets of an organization, including legal compliance, the C-suite and marketing.
The lessons learned from doing that work in AI will pay dividends to work on privacy compliance writ large.