Organisations in Australia face a significant challenge with data. On the one hand, there is a demand for personalised services. Consumers are willing to share their data if it means better personalisation.
On the other hand, there is a real concern about privacy, and while organisations are focused on looking for ways to prevent data breaches, efforts to do better to protect customer privacy are more haphazard.
Why organisations want data to deliver personalisation
Personalisation is one of the most valuable reasons to collect and use customer data. According to The Great Tech-Spectations report by Versent, more than 80% of consumers are more likely to do business with a company that offers personalised experiences.
Meanwhile, according to McKinsey, personalisation reduces customer acquisition costs by 50%, lifts revenues by as much as 15% and improves marketing return on investment by up to 30%.
So it’s unsurprising that personalisation is a key theme in marketing circles, and that IT teams are being asked to work with data to deliver better personalisation. On the flip side, as The Great Tech-Spectations report also highlights, just 16% of consumers think companies are doing enough to safeguard their data, the critical information needed to provide personalised services.
There’s a tension between the desire for personalisation and the risks of collecting the data needed to deliver it, and Australian organisations have a long way to go to allay customer concerns around this. However, in many cases the real challenge is not the threat of cyber breaches but that the effort put into managing data is misdirected. Too often, organisations focus on preventing breaches and lose sight of the need to protect privacy.
Why personalisation and customer data are becoming a risk minefield
Losing customer data, even if it was being used for personalisation, costs businesses heavily. Following the now-infamous Optus cyber breach, the company lost 10% of its customers. Bitdefender data suggests that Optus got lucky, with 43% of Australians saying they would take their business away from a company following a data breach.
The fallout from that breach — and several other high profile ones in recent years — has meant that much of the rhetoric around data and risk at the board and executive level has focused on the breaches themselves and trying to put a stop to them. But that often isn’t the real problem at all, and it isn’t the underlying reason why these businesses lose customers.
A lack of privacy regulation is the real risk
While the risk of cyber breaches is real and needs to be managed, the real challenge Australian consumers face with their data starts with a regulatory environment that has been very slow to catch up in these areas. Data privacy online is governed by the Privacy Act 1988 (Cth), and as that name suggests, that act was introduced well before the digital age turned consumers into mines of data.
Because the regulatory environment is so old, organisations have been able to capitalise on the data without fully being accountable for any risks to it. This is what the government has since started to address with its Notifiable Data Breaches scheme and Consumer Data Right, both introduced following the wave of high-profile data breaches across Australian enterprises.
At the heart of these efforts has been a simple understanding: Consumers are indeed willing to release their data in exchange for the kinds of perks that personalisation can return to them — things becoming cheaper or more straightforward, for example. However, they also expect to be kept informed about what data organisations have and how they use it, and this is where the cracks have traditionally been in Australia’s national data policies.
Australian organisations need to better understand security and privacy
Perhaps one of the biggest areas where businesses get things wrong is where they direct their energy to managing data risk. Much of the discussion around data is currently focused on security — the idea of preventing breaches in the first place or, if a breach occurs, strategies and methodologies to minimise the data the criminals get access to.
Interestingly, though, indications are that Australians understand that breaches will occur (60% of Australians believe they are an inevitability), and that they would be willing to forgive the company, even if they take their business away temporarily. Just 12% of Australians say there is absolutely nothing that an organisation can do to win its customers back after a breach. What matters is how the breach is handled and how the organisation has previously collected and handled their data.
Australians want better accountability over the use of their data
What consumers are really concerned with, and where they are far less inclined to forgive, is privacy, which is a distinct concept from security. As the OAIC data shows, one in four Australians now expect organisations to only collect the information that is strictly necessary to provide the service.
This is an important privacy step since it means that the amount of critical data a criminal would access in the event of a breach is then minimised. Furthermore, in the event of a breach, Australians expect organisations to have a response plan that includes transparent, rapid communication and remediation steps for data that has been compromised.
Unfortunately, ASIC research suggests that 58% of Australian companies have limited capacity to secure confidential information and a third of companies have no cyber incident response plan. What this means is that, if those companies are breached, the customer’s data is likely to be exposed to greater risk and the organisation is unlikely to handle the matter in the timely and transparent manner that the customer needs in order to protect their privacy.
What a renewed focus on privacy would look like
Obviously, organisations need to continue to follow a best practices approach to cyber security. However, for many organisations of all sizes in Australia, the tension between a desire for personalisation and the risk of a breach can actually be resolved by taking a better and more proactive approach to privacy. This means:
- Having a clear privacy policy in place that customers can refer to, so they can see how their information is being looked after and how they can have it permanently deleted. This helps build customer trust.
- Being aware of all of the personal information being collected, as well as where it is being stored, how it is being used and who can access it. Data discovery and labelling tools are as important as any security measures for this reason.
- Having policies to only collect the necessary data and not store it for longer than is necessary, whether that necessity comes from regulation or from continuing to provide the personalised service.
IT has a role to play here in helping to guide organisations away from seeing data as purely a security issue. Furthermore, now that Australian regulation is starting to catch up and require a new regulatory approach to privacy, developing strategies and adopting solutions to manage privacy is going to be a core component of risk management in 2024.