Islamabad Escorts | Call 03274100048 | Escort Service in Islamabad
Digital Disruption and Consumer Trust - Resolving the Challenge of GDPR
1. Digital Disruption and Consumer Trust
Resolving the Challenge of GDPR
Richard Veryard
GDPR Making it Real – DAMA UK and BCS DMSG – 12 June 2017
2. 2
The GDPR challenge
The trajectory of
innovation may
possibly diverge
from the
trajectory of
consumer
expectations,
thus opening up
a trust gap.
The Innovation
Curve
Consumer
Expectations
Trust Gap
3. 3
Four Types of Trust
Definition GDPR Consequences
Authority
Trust
Trust is based on a
central authority.
Data Protection standards
defined by GDPR and
enforced by Information
Commissioner.
Enforcement
Penalties
Commodity
Trust
Trust is based on a
negotiated
exchange.
Explicit consent. Consumer
gets something in return for
consent.
Compensation
Network
Trust
Trust is based on
the community.
Good practice enforced by
the internet.
Reputation
Damage
Relationship
Trust
Trust is based on
authentic
relationships
between people.
?? ??
4. 4
Who gives their real
email address to get
free coffee shop wifi?
Cycle of Mistrust
Date of birth:1st January 1970
Email address: rubbish@junk.com
Based on your data, we think you might
like to buy yet another book on Privacy.
5. 5
“When you look at systems like Facebook, all the hints
and nudges that the website gives you are towards
sharing your data so it can be sold to the advertisers.
They’re all towards making you feel that you’re in a
much safer and warmer place than you actually are.
Under those circumstances, it’s entirely understandable
that people end up sharing information in ways that
they later regret and which end up being exploited.
People learn over time, and you end up with a tussle
between Facebook and its users whereby Facebook
changes the privacy settings every few years to opt
everybody back into advertising, people protest, and
they opt out again.
This doesn’t seem to have any stable equilibrium.”
https://www.edge.org/conversation/ross_anderson-the-threat
Cycle of False Trust
Ross Anderson
May 2017
6. 6
Different Types of Consumer
• Digital Literacy
• Facebook
Smartphone
Generation
The Innovation
Curve
Consumer
Expectations
Trust Gap
7. 7
Different Types of Innovation
Data
Big Data
TotalData™
Consumer
Expectations
Trust Gap
The Innovation
Curve
10. 10
Some technological
innovations may threaten
privacy
• Facial Recognition
• Customer Instore Tracking
• Employee Location Tracking
Some technological
innovations may enhance
privacy
• Encryption
• Tokenization
• Pseudonymization
Technological Change
11. 11
The Choice
Maximum Engagement
• Create a trustworthy
data protection
environment.
• Actively seek data
subject participation
and consent.
• Gain competitive
advantage from
customer centricity
and trust.
Minimum Viable
Compliance
• Add essential
measures and
procedures (e.g.
encryption, consent).
• Fix systems and
processes to achieve
GDPR compliance
with minimum change
to business as usual.
Minimum Engagement
• Store and use as little
personal information
as possible.
• Delete most personal
information.
• Use verified secure
third parties for
essential transactions
(e.g. payments).
• Forsake customer
insight and
personalization.
Trust
Customer
Centricity
Data Frugality
Data
Avoidance
13. 13
GDPR Work Packages
Data Discovery
•Identify all business processes, systems,
applications, data stores and other
places where personal data are
collected, stored, transmitted and used.
Risk Assessment
•Identify business and technology threats.
Evaluate high-impact threats.
•Assess the adequacy of existing security
and governance mechanisms to protect
against these threats.
Policy Assessment and
Alignment
•Review existing policies against GDPR
requirements
•Review policy adherence and
enforcement
•Identify and implement policy and
governance changes
Customer-Centric View
•Survey customer view of data protection.
•Identify any trust issues from the
customer perspective.
•Understand the factors that will lead to
customers granting or withholding
consent.
Technology Review
•Identify any new / recent technologies
that raise privacy concerns.
•Identify and evaluate relevant privacy
enhancement technologies.
•Select, adopt and configure privacy
enhancement technologies as
appropriate.
Privacy by Design
•Establish architectural principles and
structures to promote privacy
•Establish privacy impact assessments for
new solutions and technologies
Consent Engineering
•Build and implement standard modules
for consumer consent
•Establish business processes and
practices for consent and
withdrawal/erasure.
Privacy Engineering
•Establish robust systems and processes
for data encryption, tokenization,
detokenization and pseudonymization
•Establish secure mechanisms to prevent.
detect and repair any breaches
Governance
•Determine responsibilities for data
protection, including Data Protection
Officers.
•Align existing governance structure and
processes with the requirements of
GDPR, and/or establish additional
structure and processes.
15. 15
Step 2 – Discovery
Triage Easy and obvious first? Hmm
Challenging first Risk-based approach
What to
look at
Business processes Important, because we need to know
why/where personal data is used
Business policies Data sharing agreements
Application / data Is there an application catalogue? Data
dictionary? Master data management?
How Interviews with system owners … if you can find them
Documentation … if there is any
System / Data Inspection Search for recognizable data – e.g.
postcodes, dates of birth, card numbers
16. 16
In the traditional “traffic
light” schema, AMBER
is usually a fudge.
For senior management,
white is (or should be)
more worrying than red.
Aside – the Italian Flag schema
GREEN
OK, more or less under
control, no major issues
RED
One or more known
problems
WHITE
We don’t have a xxxing
clue
17. 17
Touchpoints Data Types Business Context
Point-of-Sale Transaction
Email
Website Visit
App
Social Media
User-generated content
Paper
Phone
Visit
Name and address, postcode, email
address, phone number
Personal characteristics
Age, Ethnicity, Religion, Social Class,
Employment History, Education Level,
Marital Status, Sexual History, Health
History, Credit History, Travel History, …
Password Recovery Data
Mother’s maiden name
Name of pet
First school
Possessions
Car Registration Number, MAC address
Physical appearance and characteristics
(including images for face recognition)
Account Numbers
Bank, Credit Card, etc.
Internet
Social media handles and history
Cookies
IP Address
Direct Marketing (Targeting &
Personalization)
Credit / Fraud Screening
Pre-Sale
Sale
After-Sale
Customer Service
Data Discovery – Customer
Which applications
manage and monitor
these touchpoints?
How can we discover
this information in
informal systems as well
as formal applications?
Which business
capabilities are likely
to be using personal
information?
Which applications
(including reports and
analytics) support
these capabilities?
18. 18
Touchpoints Data Types Business Context
System log
Workflow
Customer service
Intranet
Public internet
?
Name and address, postcode, email
address, phone number
Equipment issued to employee
Computer, phone, car, etc.
Personal details
Marital status, health history,
Bank account, pension fund,
Any business transaction that requires
authorization or approval
Purchase Order, Goods Received,
Payments, …
Any business activity with a potential for
employee malfeasance
Stock Movement, Customer
Refund, …
Work planning and monitoring,
productivity
Individual/team performance analysis,
career management, training history,
promotion prospects, …
Which applications
manage and monitor
these touchpoints?
Data Discovery – Employee
How can we discover
this information in
informal systems as well
as formal applications?
Which business
capabilities are likely
to be using personal
information?
Which applications
(including reports and
analytics) support
these capabilities?
Typically
• A few obvious systems and processes with
large amounts of employee data
• Many systems and processes with small
amounts of employee data
20. 20
Step 7 – Consent Engineering
Characteristics
Non-reversible procedure
Early sample trial
recommended
Ambiguous identity
Omnichannel
Current Status
CONSENT
GDPR Compliant Status
CONSENT
Current Status
NON-CONSENT
GDPR Compliant Status
NON-CONSENT
Procedure
RECONSENT
Metric
CONSENT PERCENT
E.g. opt-out bundled consent based
on unclear privacy policy
E.g. opt-in granular consent based
on clear privacy policy
21. 21
Step 13 – Business as Usual?
Programmatic Advertising DSP
Contextual Advertising
Machine-learning Organizational
Intelligence
Humanizing Digital
Transparency
• To what extent is your
business-as-usual even
possible?
• How must you change the
way you do business?
• How must you change the
way you were planning to
do business in the future?
22. Richard Veryard is a consultant with Retail Reply,
specializing in enterprise information architecture for the
retail and consumer sector. He has written and presented
widely on such topics as business architecture, service-
oriented architecture, information management, and
organizational intelligence.
@richardveryard
Retail Reply are specialist retail consultants who help our
clients respond to digital transformation through customer
centric solutions.
http://www.reply.com/retail-reply/en/
retail@reply.com
+44 20 7730 6000
@retail_reply
23. 23
References and Further Reading
https://ico.org.uk/media/for-organisations/documents/1624219/
preparing-for-the-gdpr-12-steps.pdf
Editor's Notes
Trust in local butcher versus trust in Tesco
“If you get this right, people could share more data with you.”
Paul Malyon, Experian
The second milestone is May 2018.
The first milestone is having a clear plan of work and allocated resources to get to the second milestone. If you haven’t reached the first milestone by early autumn at the absolute latest, then there is no way you are going to hit the second milestone.
There are various things you have to do before you can get to the first milestone, including high-level reviews of systems and processes, reviews of privacy policies and data protection practices, reviews of storage arrangements and third party service agreements, and so on. There will also be some key management decisions, and you’ll probably want to get specialist legal advice on some issues.
Above all, you need to get a reasonable idea of the scale of the effort that will be required to get to the second milestone.
We are currently doing some discovery and risk analysis for one large retailer, with a view to reaching the first milestone by early July. We are also supporting another large retailer, which is on a similar journey. There may also be some quick pilot projects – for example, to test assumptions around customer consent and trust. The critical success factor is avoiding discovery for its own sake, but doing just enough discovery to mitigate most of the risks and uncertainties, in order to get to a plan that everyone can feel confident about.
Data Discovery
Identify all business processes, systems, applications, data stores and other places where personal data are collected, stored, transmitted and used.
Risk Assessment
Identify business and technology threats. Evaluate high-impact threats.
Assess the adequacy of existing security and governance mechanisms to protect against these threats.
Policy Assessment and Alignment
Review existing policies against GDPR requirements
Review policy adherence and enforcement
Identify and implement policy and governance changes
Customer-Centric View
Survey customer view of data protection.
Identify any trust issues from the customer perspective.
Understand the factors that will lead to customers granting or withholding consent.
Technology Review
Identify any new / recent technologies that raise privacy concerns.
Identify and evaluate relevant privacy enhancement technologies.
Select, adopt and configure privacy enhancement technologies as appropriate.
Privacy by Design
Establish architectural principles and structures to promote privacy
Establish privacy impact assessments for new solutions and technologies
Consent Engineering
Build and implement standard modules for consumer consent
Establish business processes and practices for consent and withdrawal/erasure.
Privacy Engineering
Establish robust systems and processes for data encryption, tokenization, detokenization and pseudonymization
Establish secure mechanisms to prevent. detect and repair any breaches
Governance
Determine responsibilities for data protection, including Data Protection Officers.
Align existing governance structure and processes with the requirements of GDPR, and/or establish additional structure and processes.