The risks and strategies of using privacy as a business differentiator


In a modern business landscape that can see data breaches and leaks devastate a firm’s reputation, privacy is more important than ever. As users become increasingly aware of their privacy, it’s not difficult to work out why tech giant Apple has placed the area at the heart of its marketing strategy.

The iPhone maker – which continues to make headlines with its App Tracking Transparency feature that prevents firms such as Facebook from tracking iOS devices – calls privacy a “fundamental human right”, and this is boosting its reputation among users. Apple’s privacy ethos stands in stark contrast to Facebook, which, after the Cambridge Analytica scandal, whistle-blower allegations and multiple breaches, is under continued pressure from its users.

As the battle between Apple and Facebook rages on, there’s no doubt privacy is becoming a key factor when people decide which service to use. As Apple and other privacy-aware companies have already discovered, embedding privacy into your business offers multiple benefits, such as driving customer acquisition and retention by fuelling trust.

Respecting privacy goes hand in hand with regulations such as the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA) in the UK. Under the regulation, firms are encouraged to be transparent and build privacy into their products and services from inception. In an age of fierce competition, standing out in a crowded market can be challenging. As privacy becomes increasingly central to all companies, therefore, how can you take advantage to differentiate?

Using privacy to stand out

High-profile privacy infringements by big tech firms show just how easy it is to break trust, and how difficult it is to get it back. Trust is “hard to build, easy to break, and difficult to repair”, according to Bart Butler, CTO of ProtonMail, the privacy-centric email service provider. This, he adds, has helped fuel the growth of more privacy-focused solutions to take on those offered by big tech companies.

Respecting user privacy doesn’t just drive customer loyalty; it helps avoid expensive regulatory headaches too. Indeed, regulation and the resulting fines and compensation claims can be extremely costly, says Will Richmond-Coggan, a data protection and privacy expert at law firm Freeths LLP.

Being clear about which information is being collected and how it will be used is “essential”, he says, adding that it’s equally important to be consistent. “This means data subjects don’t have a rude awakening after discovering their information is being used for a purpose that is very different to what they understood when they provided it.”

While technology makes it possible to collect data quickly and effectively, organisations should consider whether it’s correct to do so, says Isabel Ost, a UK data protection and privacy lawyer in the KPMG Law team. She describes how poor governance, security failings and evidence of a deficient privacy culture “will turn away customers and reduce recommendations”.

In contrast, companies that incorporate privacy by design in line with legal and ethical principles will stand out from their peers. Part of this means winding privacy into the customer journey, as well as the wider business strategy, Ost advises.

At the same time, firms should let customers know how much they care, says Gal Ringel, CEO and co-founder of Mine, a company focused on data privacy. Ringel advises businesses to “let customers know you care about their data and work hard to protect them”.

“If your target audience is worried about data privacy, invest further efforts in solving any related issues and making your achievements known.”

Regaining trust after an incident

Companies get breached all the time, but how you handle incidents involving customer data can limit the long-term damage. In the event of a breach, firms must be media-ready, says Ost. As part of this, she says, companies need “a well-briefed communications team and a senior, credible, privacy-aware spokesperson”.

It’s vital that all staff are fully trained and able to anticipate questions, she adds, warning: “It only takes one poor or uninformed response – especially if a customer has a good understanding of their rights – to create a negative experience, as well as an investigation.”

It’s also important to respond quickly and decisively to incidents, says Richmond-Coggan. He points out that the UK’s regulated notification period to the Information Commissioner’s Office (ICO) following a data breach is “very short”, at 72 hours. “And,” he adds, “by the time that notification goes in, the business needs to know the extent of the issue and what they are going to do to put it right.

“Clear, coherent messaging to affected data subjects needs to follow promptly, ideally accompanied by an immediate suggestion of how the issue is going to be addressed, managed or eliminated.”

As part of this, firms need to be transparent and open about what went wrong. “Rebuilding trust starts by owning the mistake,” says Caroline Carruthers, CEO of data consultancy Carruthers and Jackson.

Data protection law and transparency

GDPR, and the UK’s interpretation of the regulation in the form of the DPA 2018, both outline an ethos of transparency regarding data collection and use. The regulations also focus on informed consent and privacy by design.

The main premise of the GDPR is to empower the end-user, says Simon Moffatt, founder of industry analyst firm the Cyber Hut. This includes “amplifying data protection by default, giving the end-user control over their data and allowing avenues for explicit consent capture and data use communication”.

UK data protection laws are very clear that people have a right to privacy, but it’s less obvious how businesses can differentiate themselves, says Carruthers. She likes the idea of a traffic light system for organisations “so you know how secure your data is and how compliant they are with the spirit of data protection laws”.

Of course, no such system is yet available, but experts agree that adhering to the regulation is a good start. It’s not a catch-all, however: regulation can also hinder a firm’s efforts to differentiate through privacy by design, Ost warns. In the case of the GDPR, any attempts to meet regulatory obligations must not come at the expense of a longer-term strategy that acknowledges privacy as a source of competitive advantage, she says.

“Consider how your organisation can meet the changing needs of customers and employees by building an ethical, privacy-aware culture and governance infrastructure, which puts the correct data at the right fingertips and consistently demonstrates transparency.”

Kate O'Flaherty

Kate O'Flaherty is a freelance journalist with well over a decade's experience covering cyber security and privacy for publications including Wired, Forbes, the Guardian, the Observer, Infosecurity Magazine and the Times. Within cyber security and privacy, her specialist areas include critical national infrastructure security, cyber warfare, application security and regulation in the UK and the US amid increasing data collection by big tech firms such as Facebook and Google.