To gain a professional insight into data privacy concerns for businesses, Digital Journal spoke with Eve Maler, ForgeRock’s Interim CTO. Maler founded and leads the User-Managed Access (UMA) standards effort and provides expert advice to forums such as Open Banking. Previously, Eve co-invented the SAML and XML standards.
Digital Journal: How has data privacy evolved in the past few years?
Eve Maler: Data privacy today involves building a pyramid of solutions. Data protection is the foundation in the pyramid; this is where you work on the security of personal data. The second layer is data transparency; here you need to inform people what you collected and want to collect about them and how you use it. Data control is the third layer – giving consumers choice and authority over what is collected about their own lives.
DJ: Are consumers more aware of data privacy issues? What are their expectations of companies?
Maler: Consumers love taking part in the connected world, but to do so, they must share personal data. Millions of people are uninformed and unaware about how their personal information is being used, collected or shared in our digital society. Regulations like the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) put a premium on gathering consent from individuals, empowering them to take control over their data.
As consumers move toward a personalized experience while seeking a real measure of privacy, they expect companies to protect their data. Data transparency and data control enhance the relationship businesses have with their consumers. Businesses won’t be trusted if they don’t act in a trustworthy fashion, so organizations must embark on a consumer trust maturity journey. The first step on this journey is embracing data privacy; implementing the appropriate data privacy regulations should be viewed as an opportunity to build that trust with consumers.
DJ: How can firms best identify where digital transformation opportunities and user trust risks intersect?
Maler: Enterprises might find their resources are more stretched when keeping up with regulations if they have legacy security systems in place because personal data may be more easily compromised. Additionally, they may not have an approach to consent that is consistent and standardized, as opposed to organizations with modern identity and access management tools in place that are prepared to operate across different channels and applications, all while empowering end-users to manage their own profiles, passwords, privacy settings and personal data.
DJ: Should companies begin to identify personal data as a joint asset, in relation to customers?
Maler: Yes, companies should consider personal data as a joint asset. It’s easy for the risk leads within a company to say data subjects own their own personal data, but business leaders have incentives to leverage that data for the value it brings to their business model, which changes the equation. All the stakeholders within an organization need to come together and think about data as a joint asset in which all parties, including consumers themselves, have a stake in its use.
DJ: How should companies seek consumer consent?
Maler: A business often will have a choice to offer consent to end-users rather than just taking data. CCPA is an example of how companies can seek consumer consent. It empowers consumers by allowing them to know all data collected on them by the business. Transparency about the personally identifiable information (PII) collected and how it is secured represents the second layer of the data privacy pyramid. CCPA also gives consumers the right to object to the sale of their PII, which represents the third layer of the data privacy pyramid – data control. Giving consumers choice and authority over what is collected about their own lives helps organizations adhere to new and existing regulations, while also building user trust.
DJ: How can companies take advantage of consumer identity and access management for building trust?
Maler: Identity management platforms automate and provide visibility into the entire IAM lifecycle, all while allowing end-users to retain the controls to manage their own profiles, passwords, privacy settings and personal data.
Businesses should deploy comprehensive identity management and robust consent management systems to ensure there are not only mechanisms that act as their first line of defense for protecting consumer data, but also strengthen the bonds of digital trust for all service users.