GDPR is not enough to win back customer trust

Person holding a smartphone with a busy city centre backdrop
(Image credit: Shutterstock)

Digital leaders continue to develop innovative services that make use of customer data. Those services can create significant benefits for consumers, yet research suggests the general public remains unconvinced about the ability of enterprises to treat their information with care.

While regulation and technology provide a means to help build trust, businesses must do more to ensure customers are comfortable with the exploitation of their data for the development of new services.

Detective superintendent Andrew Gould, who is the National Cybercrime Programme lead at the National Police Chiefs' Council, says technology companies often push tools with high capability into the marketplace without taking commensurate responsibility for security and encryption. The end result is that too many IT firms - and the businesses who use these products - are too reliant on consumers acting in a secure manner.

"If we're relying on consumers to educate themselves, I think we're giving industry a free path - and that's not right," says Gould, who joined an expert panel on digital risk at a recent security event run by RSA Security in central London. Gould, who has worked in both counterterrorism and organised crime, says IT industry and business leaders must take more responsibility for data integrity.

"We must all think about how technology can be used and abused," he says. "When a company is developing an Internet of Things product to help network a house or adjust lights in a smart city, they can create fantastic social benefits, but these organisations aren't necessarily thinking about how people with malicious intent will try and use these tools and the information they produce."

Companies blamed above all others

The event in London coincided with the launch of a global survey by RSA Security and YouGov. The research, which surveyed more than 6,000 adults across France, Germany, the United Kingdom and United States, suggests there is a growing disconnect between how companies exploit client data and how consumers expect their information to be used.

Less than half (48%) of consumers believe there are ethical ways companies can use their data. As many as 57% of consumers, meanwhile, blame companies above anyone else, even a hacker, in the event of a data incident. The research suggests a consumer backlash in response to high-profile data breaches and a consequential loss of trust.

Neira Jones, partner at cross-sector advisory specialist Global Cyber Alliance, recognises the concerns around trust and says success in terms of combating fraud should come down to rules and regulations. The recently enacted General Data Protection Regulation creates a new set of obligations for vendors and businesses. However, Jones questions the extent to which rules have been effective so far, both nationally and globally.

"Regulators will always be behind the times - not because they want to be but because that's the nature of the beast," she says. "It often takes years for regulation to come to fruition. In the meantime, there's a collective responsibility - for individuals and organisations - to understand what is happening and what it means when our world becomes increasingly digitised. Because that digitisation is not going to stop."

Privacy before personalisation

Jones is keen to see much more focus placed on the context for data collection. The RSA survey results highlight how consumers do not want personalised services at the expense of data privacy. Just 17% of survey respondents view tailored advertisements as ethical, and only 24% believe personalisation to create tailored newsfeeds is ethical.

"We have to move towards context and attribute in regard to the activity being undertaken - the whole movement shouldn't be about looking backwards and collecting masses of data, but moving forwards and using the insight for something good," says Jones. "We need to use the layers of technology to help understand context, such as how using payment data represents more of a risk to an individual than reading a news item."

Andy Kravitz, head of fraud systems and controls at Lloyds Banking Group, also believes business leaders need to start taking more responsibility for data privacy. Kravitz says he and his IT leadership peers in the banking industry are investing significantly in technology and are creating strong controls in terms of card fraud. But there is no room for complacency.

"Fraudsters are always moving on and they're looking for the weakest link in the chain," says Kravitz. "These days, that often means not attacking banks directly but instead trying to get hold of card information through a data breach. That might mean going to the customer and using social engineering tactics to get them to pass over their details or move their money."

Ethical processing

Kravitz says organisations cannot afford to take the level of consumer awareness regarding data use for granted. Consumers often make assumptions around the high level of information integration between organisations, and it's these assumptions that create expectations around service levels and challenges for enterprise IT managers, says Kravitz.

"For example, consumers will book a flight on their credit card and assume - because we as a firm know about this booking - that we also know all the data associated to their travel plans," he says. "Yet as a bank, all we actually know is that you've booked a flight - we don't know when you're flying and where to. So, data often builds an expectation around access and trust that goes far beyond the information we've actually got."

Kravitz suggests the only sensible course of action is for firms like his own to think much more carefully about how they exploit information. "At Lloyds, we talk a lot about data privacy - how we protect it and how we constrain how data is used. If I'm trying to protect the customer, how much can I use data to make the right decisions, whether that's about stopping fraudsters or giving our customers a seamless experience?" he asks.

"I want to support the clever and interesting use of data to do these things, but I must also think about how to do that securely and ethically. As a digital leader, you have to think about how much data you and your team can you use on behalf of the customer. So, you need to think about how many factors you should use in combination to create the best experience for the customer and where, as a business, you should draw the line."

Mark Samuels
Freelance journalist

Mark Samuels is a freelance writer specializing in business and technology. For the past two decades, he has produced extensive work on subjects such as the adoption of technology by C-suite executives.

At ITPro, Mark has provided long-form content on C-suite strategy, particularly relating to chief information officers (CIOs), as well as digital transformation case studies, and explainers on cloud computing architecture.

Mark has written for publications including Computing, The Guardian, ZDNet, TechRepublic, Times Higher Education, and CIONET. 

Before his career in journalism, Mark achieved a BA in geography and MSc in World Space Economy at the University of Birmingham, as well as a PhD in economic geography at the University of Sheffield.