When we talk about consumer data, we are explicitly talking about personal data that most companies collect on consumers. This data is desirable for companies because it enables personalized services to be hypercompetitive while providing consumers with conveniences. However, ever-increasing and cheap cloud applications have allowed consumer data to spread widely, resulting in frequent data breaches. These breaches have left consumers feeling like they have lost control over their data, creating an air of mistrust.
Governments have responded to consumer concerns about data privacy by enacting regulations such as the General Data Protection Regulation (GDPR) in Europe. In the US, the absence of a federal privacy initiative has forced many states to take it upon themselves to protect their consumers. California has taken the lead by passing the California Consumer Privacy Act (CCPA). Numerous other US states have either enacted their own versions of data privacy bills or are in the process of doing so. Also, multiple other countries have established regulations within their jurisdictions with little to no interoperability and reciprocity between them. According to Gartner, today 10% of the world population is covered by data regulations, but that number will grow to 65% by 2023 as more countries enact their data regulations. The regulatory landscape is getting more complicated by the day, especially for companies that operate across jurisdictional boundaries. Companies not only have to contend with regulations on their home turf but also have to navigate an ever-growing web of complex laws across the globe based on the location of their customers. A global conglomerate will have to contend with as many as 112 countries’ specific regulations by 2023. The nuances between these laws are making data compliance across such a vast spectrum of data protection laws a significant operational challenge for most companies.
The industry’s response so far has revolved around offering privacy management solutions that focus on workflow management, allowing companies to monitor, report, and act on consumer data. It may have been a good first step to address compliance requirements; however, it has become apparent that this approach leaves companies burdened with the additional overhead of managing processes around consumer rights management. Moreover, these solutions present significant upfront and ongoing operational costs due to people, processes, and technology requirements to achieve and maintain compliance – and that cost continues to rise due to the increasing number of regulations.
The irony of it is that large companies that can afford these costs are making these investments to achieve compliance but remain exposed to data breaches and resulting penalties – forcing them to allocate funds for breach settlements. Small and mid-market segments that cannot afford these steep costs are ignoring the problem and hoping for the best, inadvertently affecting consumers and exposing themselves to steep penalties in case of a breach and reduced consumer trust.
The purpose of these regulations is to provide consumers much-needed data rights and prevent exploitation of their data. More importantly, the motivation behind these regulations is to empower consumers by giving them control, visibility, and protection for their data. But current solutions force consumers to continue to rely on companies to exercise these rights, which not only adds to the overhead for companies but does little to renew consumer trust.
The real damage to consumers is done after the breach when their data gets exposed and exploited, and by then, a company’s compliance status provides little recourse or comfort to consumers. Instead, it increases a company’s exposure to penalties and brand erosion.
We have to think differently about the problem of protecting consumer personal data and achieving regulatory compliance to come up with a better solution. We need an approach where companies can achieve compliance without adding overhead, so it does not become cost-prohibitive for smaller segments of the market. Also, the solution must protect against data exploitation through a strict enforcement model so that companies can reduce their risk and liability by controlling and managing the data sprawl while improving data quality.
More importantly, the approach has to empower consumers to exercise their data rights by providing them visibility, control, and protections. Enabling consumers in this manner will allow companies to regain and retain increasingly elusive consumer trust.
Companies now find themselves in a situation where, on the one hand, data is enabling hyper-focused digital services but, on the other hand, is becoming a liability. Now, more than ever, companies must address the actual problem of data exploitation, and not just be satisfied with achieving minimum compliance with privacy regulations. After all, it’s the data exploitation that has eroded consumer trust and brought about data regulations.