How organisations can weaponise data privacy

Major data breaches have driven governments around the world to tighten data protection laws, once again casting the spotlight on data privacy.

In Australia, the Attorney General’s Department recently concluded a review of the Privacy Act in a bid to reform the country’s privacy law, including clarifying what information should be protected and equipping regulators with more options to enforce privacy breaches.

Speaking at the Gartner Security and Risk Management Summit 2023 in Sydney, Richard Addiscott, senior director analyst at Gartner, said that with the impending regulatory changes and the government’s reinvigorated focus on privacy, organisations have received a very clear signal that they need to do more to protect customer data.

“However, we’re also seeing parallel opportunities to strengthen your business by leveraging privacy enhancements from the past years,” he said.

According to Gartner, modern data privacy regulations will blanket consumer data by 2024, but less than 10% of organisations would have successfully weaponised privacy as a competitive advantage.

Lisa Neubauer, advisor in Gartner's security and risk management practice, said organisations with privacy programmes will be able to address regulatory requirements and avoid fines, data breaches and reputational damage.

“Industry reporting tells us organisations are beginning to recognise that a privacy programme can enable a company to use data more broadly, differentiate itself from competitors, and build trust and confidence with customers, business partners, investors, regulators and the public,” she added.

As more companies start to look at the benefits of data privacy, beyond achieving regulatory compliance, Addiscott said there is a need to develop the right metrics to measure and report on the effectiveness of privacy programmes.

Enterprises should also recognise that trust is now critical to their brands, he added, citing the example of Apple, which has been marketing its privacy practices – even though many of the company’s privacy controls are driven by regulatory compliance.

To weaponise privacy, Neubauer said a new approach is needed to incentivise an organisation to be transparent and trustworthy, while ensuring customers have control over the use and sharing of their data. “This enhances not only data value, but enterprise and brand value as well,” she said.

Neubauer called for organisations to proactively seek out their customers’ perspectives on privacy at a time when people are more mindful about sharing their data, “so making sure their experience engaging with your digital assets matches that of your privacy promise becomes manifestly important”.

It is also important that an organisation’s privacy programme aligns with its business targets, which means there needs to be a clear line of sight to the organisation’s key strategic key performance indicators.

“Weaponise privacy as a prospect conversation tool and a competitive advantage,” said Neubauer. “By making privacy a key part of your customer value proposition, privacy has become a conviction-based motivator for buyers. Just as people reach for organic or cruelty-free products, consumers are willing to go out of their way, and in some instances, pay a premium for a product they believe will care best for their data.”

According to the latest notifiable data breaches report from the Office of the Australian Information Commissioner, there was a 26% increase in breaches in the second half of 2022, including large-scale breaches at Optus and Medicare that affected millions of customers.