We live in an era where data equals power.
Data collection and analytics are transforming industries, from healthcare to telecommunications to marketing to infrastructure. For companies both big and small, using and analyzing data has enormous potential to improve efficiency and drive innovation. At the same time, people are becoming more and more concerned about privacy, the security of their data and how it’s being used.
Sylvia Kingsmill is a Partner at KPMG in Canada, and the firmʼs National Digital Privacy and Information Management leader. Pamela Snively is Chief Data and Trust Officer at Telus Communications Inc. With their shared interest and expertise in this space, the two leaders came together to discuss how companies can harness the power of data to fuel innovation, yet still protect the privacy of their customers.
How have discussions around privacy changed from five or 10 years ago?
Sylvia Kingsmill: The privacy conversation has taken a different tone - it’s no longer just about compliance in terms of what must be done to meet baseline legal requirements. The conversation is moving towards a privacy-engineering approach in terms of how privacy can be operationalized through technology. Protecting privacy is not just about having a legal policy in place that no one can really understand and signing a Confidentiality Agreement. It’s about “privacy by design” thinking, as advocated by former Ontario Privacy Commissioner Ann Cavoukian, to stay ahead of the risk. Organizations are experimenting with new digital solutions, such as AI, machine learning, facial recognition, biometrics, and smart surveillance technologies. This requires having multidisciplinary conversations about privacy with cross-functional teams, including cybersecurity, business, compliance, risk and marketing perspective. And let’s not forget the data scientists who are willing to work more closely with the privacy teams to understand how to drive insights from data responsibly and ethically – this is a completely new trend! Companies who want to transform digitally are competing on trust when it comes to their customer’s data, differentiating themselves with a privacy-first mindset to deliver a better, more dynamic and seamless customer experience.
Pamela Snively: I think we’ve always been concerned in the public sector about privacy rights. But in the private sector, privacy just wasnʼt a topic a decade ago the way it is today. I think the recent scandals involving Facebook and Cambridge Analytica have made consumers acutely aware that data could be used in ways we hadnʼt imagined, in ways that could impact our autonomy as individuals and our democracy. And I think the dialogue around privacy has radically changed as a result. Weʼre now talking a lot more about data use and not just about data security.
What are the biggest risk factors that companies face when it comes to data?
We do a lot of privacy assessments and some of the common risks we see across most organizations is the over-collection and retention of data, the lack of a data governance framework to enable organizations to better leverage their data assets, and even far worse, assuming that anonymized data is more secure or won’t attract regulatory scrutiny. These risks can be managed with a more holistic data protection approach, which includes a strong accountability model in addition to implementing robust security safeguards, testing and monitoring, and strong access controls to minimize who gets access to what and why, even for anonymized datasets to protect against the risk of re-identification. This will help an organization better defend their privacy and security risk posture in the event of a cyber security breach that may result in a privacy regulatory investigation.
Snively: If you donʼt need to collect it, donʼt collect it. And if you do need it for a purpose, make sure youʼre deleting it as soon as possible after itʼs served that purpose. At Telus, for instance, we donʼt collect the contents of text messages. Technologically, we would be capable of doing that easily. But we donʼt have a business need to do it and it would be highly invasive. There needs to be more education and discussion about appropriate data usage in the public space.
Do companies have a responsibility to be more transparent on what they do with data?
Kingsmill: Public perception is more important than ever before and I think there needs to be more education and awareness about the privacy risks at the end user level – it’s their data after all. One market trend I’ve seen is the uptake in companies undergoing voluntary privacy risk assessments and certifications at both the conceptual and design stages of their products. The law does not evolve quickly enough to keep pace with emerging tech and as a result, we are seeing industry groups collaborating at both the national and international levels to develop privacy-by-design and ethics standards. Regulators around the world are also releasing lifecycle-based regulatory and ethical frameworks for product developers to adapt their new technologies to real-world learning.
Telecommunications companies are under particular scrutiny when it comes to data privacy issues. How do you build trust with the customer?
Snively: I think that starts internally. At Telus, we made sure that we created a culture among our own employees for them to understand how critical it is for customers to trust in us. You need to think of privacy from the perspective of, “Is this going to negatively impact my customer? Will my customer be disappointed in us if they were to hear about this? Would they be shocked by this use of their data?” That creates a far more comprehensive and robust approach to how we use data than trying to tick off all of the boxes on a piece of paper.
Advertising feature produced by Globe Content Studio. The Globe’s editorial department was not involved.