PreviousHow to Implement Good Governance in your Organization
Our recently concluded webinar on the topic 'Balancing Privacy & Digitization' by Daniel Munroe, Solutions Manager has brought to you the following article.
With the latest news of privacy violations on popular social media platforms and the new regulations coming from the European Union (EU) – The General Data Protection Regulations (GDPR), how companies use data and the laws protecting consumers is in the forefront of many person’s minds. As a result here at Symptai, topics such as Privacy and Digitalization are very important and interesting to us.
Major privacy breaches happen almost every year. 2018 brought us Cambridge Analytica with approximately 85 million user’s information exposed and used during the 2016 US election. 2017 had Equifax with approximately 143 million user’s information exposed. And 2013 had the largest thus far with 3 billion user’s information exposed when Yahoo was hacked. If you’ve ever opened a Yahoo account prior to 2013, your data may be in the hands of hackers (if you used real information when subscribing).
What kinds of data do companies have on users? Typically, data falls into two categories – demographic data (data about you) and behavioural (data about what you do or how you use a service). Demographic data is your name, address, age/date of birth, likes/dislikes, relatives/associates, medical information, etc. Behavioural data is your location or travel history, frequent websites/apps, entertainment you like (music, movies and events), etc.
There are valid reasons for sharing information with services, apps and websites you use. I personally like using Google Maps daily for traffic and route information, especially when travelling. However, some persons may dislike such a company having information about their daily movements. Sites like YouTube track the types of videos you watch, save, skip and ignore so that they can recommend videos more to your liking. And there are sites that collect information on you, and some do it even if you’re not using their site, like Facebook. Facebook uses browser cookies to track the websites you visit even after logging off or closing the window.
Digitalization is the process of moving to a digital business (in the most basic definition of the word). It also refers to the use of digital technologies to change business models and provide new revenue and value producing opportunities.
Can companies really make money from my data? Yes, and they do. Data is an asset and like any other asset, it can generate revenue in some manner. To you, it is just information on customers, but in the right hands it an asset, and as an asset, it can be used to generate more assets. Most importantly, data can be used to inform decisions that a company makes. The typical cycle for data is to acquire data; curate data to organize it; enhance data to make it as accurate and relevant as possible; analyse data to learn from it, and finally monetize data by making use of it.
There are also valid reasons for digitalization as well. In Jamaica, there are laws that require regulated companies to “know your customer” (KYC). Companies must prove that they have sufficient information on a customer to reasonably say that they can confirm they are doing business with the correct/actual person and not an impersonator or some other unscrupulous individual. To do this, companies collect “basic” data on customers such as; tax registration number (TRN), name, date of birth, contact number and address. Though this “basic” information may be for regulatory purposes, companies may also use it for their decision making. An example of this is – a company realizes persons in a particular area of a major city usually do not use service “x” and the area may be deemed a low-income area, having address information on customers, the company’s system may automatically flag or deny a particular customer’s request for service “x” simply based on historical data.
Privacy from an Information Technology point of view assumes that companies have data on customers and as such relates to what data can be shared with a third party. However, in the common sense of the term, privacy is being free of unwanted or undue intrusion or disturbance in one’s personal life.
There are numerous threats to privacy. As mentioned earlier, web tracking and data collection are high on the list. There is also lack of security on websites and apps that you use daily. Let’s say your phone or laptop is secure, due to the “connected everything” trend in consumer electronics (Alexa, apple home, washing machines, TVs, etc.) these devices in your home may not be as secure. Even public/free Wi-Fi access on the road isn’t safe, as they may not even belong to the store you’re visiting or a hacker may also be on that public/free Wi-Fi with you.
Yes, there are but not in every country or jurisdiction. I am pleased to say that the Jamaican constitution has privacy clauses that are applicable to digital information and that Jamaica is also party to the International Covenant on Civil and Political Rights which also has protections for the privacy of individual’s information. Other Caribbean countries such as Bermuda and Cayman Islands also have laws in place to protect the privacy of their citizens.
Recently, new waves have been made in the privacy front with the General Data Protection Regulation (GDPR) from the EU which protects not just citizens, but also residents and even tourists/visitors to any EU country while in the EU. Note that the law also extends beyond the EU’s borders for its citizens and any company with a customer from the EU must ensure protections are in place.
In this fast-paced, easy to communicate environment, I believe that there can be some amount of privacy but not absolute privacy. Individuals must be aware of technology around them and in their day to day lives as well as the policies of the companies they do business with and take appropriate steps to protect their privacy. Companies must protect their customers and ensure they are secure from both external and internal threats, even if it seems innocuous and as common as using USB drives to share information around the office (what if the drive is stolen, misplaced or even has viruses that affect systems or steal information).
Awareness is key. Both individuals and companies must be aware of the laws in place to protect and guide you. Understand what you’re agreeing/signing to and the obligations to your customer that are entrusting information to you. Understand the technology you’re using and ensure that your technology is up to date.
Typically, companies begin by processing data then graduate to processing large amounts of data and eventually to sensitive data. With access to such data, eventually companies may begin using it to predict the behaviour of their customers – for example, you used your credit card to buy diapers every week for the past 3 weeks, your bank may assume you just had a baby and may begin suggesting accounts and loans geared towards infants and children. Eventually, companies may begin to use artificial intelligence (AI) to predict and/or make decisions automatically to make processing faster and more cost-effective.
Companies, just like individuals, will use technology to make business (life) easier for themselves but companies must keep privacy and security in mind while advancing their technology. They should do this by employing appropriate systems – processes, devices, policies, etc.; adhering to laws of the land to protect not just themselves but also their customers; educating their staff and customers on their services and practices; and ensuring that the analytics they use are developed responsibly and with sound, secure measures in place to safeguard their data.