Protecting Privacy in the Age of Big Data and Analytics

Compliance Risk

Concerns continue to be raised about big data’s impact on privacy. There are fears that fundamental protections, once taken for granted, are now challenged by the sheer velocity, veracity and volume of data and by how it can be manipulated with the aim of creating value.

The ability of organisations to connect data to generate information, identify patterns and personalise interactions to create intelligence has reached a high level of sophistication. Consider the process known as “nudging,” in which identifiable data is used to profile individuals to analyse, predict and influence their behaviour. In a nudging exercise, someone with a bias against scarcity will be automatically served an advertisement which states “while supplies last,” while a person with a bias for following others will get an ad labelled “best-selling.” While nudging is gaining popularity, it may be perceived as invasive.

Recent advances make it possible to analyse massive amounts of structured and unstructured data at very high speeds. Data analytics is benefiting and accelerating the pace of innovation as it disrupts traditional business models, while creating new business models. For example, there is a trend toward using analytics to interpret data generated from video cameras that track customer movement through a retail store. The aim is to match the data from the video to point-of-sale data to produce analytics that can help retail managers rework store layouts, make more informed decisions about product assortment and placement, and intercept at-risk customers with the appropriate level of engagement.

Two other retail analytics trends involve path-to-purchase and omnichannel initiatives. Path-to-purchase refers to the retail consumer cycle, from brand awareness and product trials to initial and repeat purchases, and reconnecting with lapsed consumers. Omnichannel describes a system that connects stores, ecommerce, mobile apps and social media to provide a flexible and seamless shopping experience. Incorporating data analytics into path-to-purchase and omnichannel strategies allows retail organisations to use research data to construct so-called people-to-people personas around which marketers can design engagement tactics to present customers with an enhanced shopping experience.

Data analytics is a competency that enables organisations to seek out connections, identify patterns, predict behaviour and personalise interactions to an extent that could scarcely be imagined just a decade ago, to resolve business issues or create opportunities. Some argue the very notion of privacy must change, that the imperative to innovate and unlock value from data must trump traditional concepts.

Compliance-based approaches to privacy protection tend to focus on addressing privacy breaches after the fact. Other approaches, however, have organisations building privacy protections into their technology, business strategies and operational processes to prevent breaches before they happen.

Privacy by Design (PbD), for example, is a framework that reconciles the need for robust data protection with the desire for data-driven innovation. Developed in the late 1990s by Dr. Ann Cavoukian, Executive Director of the new Ryerson University Institute for Privacy and Big Data and former Information and Privacy Commissioner of Ontario, PbD embeds privacy directly into the design specifications of technology, business practices and networked infrastructure, providing a “middle way” by which organisations can balance the need to innovate and maintain a competitive advantage with the need to preserve privacy. “Just as technology enabled the rise of data analytics, it can also be used to solve the resultant privacy issues,” says Dr. Cavoukian.

Building on the PbD framework, several technology-based options for advancing privacy while pursuing data analytics are available to organisations. For instance, by using data minimisation, personally identifiable information is not collected unless a specific and compelling purpose is defined. In addition, a de-identification process can be used, in which datasets are stripped of all information that could identify an individual, either directly or through linkages to other datasets. Another option is for organisations to enforce user access controls, a set of processes that grant or deny specific requests to obtain information and that are generally combined with other security policies. Such procedures can help reduce privacy risk, the risk that personal information is collected, used or shared in an unauthorised manner. Further, the procedures are often most helpful in the early stages of a company's use of data analytics.

“Organisations will continue to use data analytics to advance their strategic goals, but the ones with effective business strategies will embrace privacy as a driver of creativity and innovation and embed it into their systems to ensure quality results.” Through careful planning and application of privacy techniques and principles, organisations can use data to move business ahead and protect the personal information contained within them.

(This article was first published in the CFO Journal by the Wall Street Journal here.)
