The complex interplay between trust, privacy and cybersecurity was discussed by a panel of experts during a session at the Okta Forum 2022 event in London, UK, this week.
Enza Iannopollo, principal analyst at Forrester, noted that the “relationship between privacy, trust and security is quite interrelated,” with research showing that consumers see the protection of their personal data as the biggest element of developing trust in organizations.
Yet, “companies still have work to do in this area.” Iannopollo cited data showing that 33% of European consumers believe that no company will keep their data secure. Therefore, organizations should focus on two main areas to enhance their data security, thereby growing customer trust. These are:
- Understand which requirements apply to you. Iannopollo noted that this is a major challenge for organizations, especially those that operate globally, with 137 countries identified as having security and privacy regulations. “It’s actually pretty difficult to focus on the right principles,” she commented.
- Think about the data. After you have understood which principles you need to comply with, “think about data,” said Iannopollo. This involves knowing what data you need to protect and where it is. This is a challenge in itself as “data is everywhere.”
Following on, Bianca Lopes, serial entrepreneur, investor and identity expert, commented that the definition of an identifiable attribute varies between different jurisdictions. Therefore, “I don’t think the definition of privacy is the same and easy to interpret.”
Ben King, VP of customer trust at Okta, agreed that the evolving international privacy and security landscape is a significant challenge for organizations, particularly those that are in the process of scaling their business. “Scaling that service when you’ve already designed your privacy program can be quite challenging because the regulations and customer expectations can be very different from country to country.”
He added that another big issue is “data protection and privacy versus innovation.” This relates to how organizations use data to create frictionless experiences for customers, which can be very overbearing and even frightening for people; for example, customized adverts following a Google search. “We have an obligation to turn the dial down in terms of the data we keep,” he acknowledged.
The added complication of different regulators taking varying approaches was then highlighted by Iannopollo. This includes the type of data that needs protecting and how it should be protected. “That is another big challenge for organizations – especially international organizations – face when thinking about their privacy.”
The final part of the discussion looked at the shift to decentralized models of identity. Lopes noted a “pendulum swing” in conversations about the move to decentralization, ranging from the growing use of digital identifiers and verifiable credentials to discussions around Web 3.0, “where nobody’s going to own anything, and we’re going to have to get self-sovereign identity (SSI) attributes.” She also highlighted the importance of “intent economics,” which “look at the probability scenarios of people repeating a particular pattern.”
This approach has been used to extract value in the modern advertising world. However, “where does that value truly reside?” Lopes argued that the conversation around decentralization “needs to be about equitable distribution of access and value rather than a conversation about who owns what.”
King argued that we should move, are moving, and will move to a decentralized identity model, for example, through SSI. In the meantime, the control mechanisms around that ecosystem must be established. This is because “we can put the ownership of identity to the individual citizen, but they’re probably not the best people to secure it.”