viperagp - Fotolia

Go beyond GDPR for a competitive edge

By exceeding the bare minimum requirements set by privacy regulations, businesses can win customers by offering greater assurances, says a business adviser

Companies should use a risk-based approach to privacy to go beyond regulations such as the EU’s General Data Protection Regulation (GDPR) to gain a competitive advantage, according to Phil Lam, co-founder of Lam Advisory.

“If companies consider privacy not just as a way to meet some new regulation, but as a way to differentiate themselves from competitors, that could give them an advantage in winning and retaining customers,” he told Computer Weekly.

Once companies understand that providing privacy assurances can drive customer loyalty, they will be incentivised to do more than meet the minimum requirements of privacy legislation, said Lam.

For example, a bank could move from storing personal data centrally or using a third party to store that data to a more distributed model in which each customer stores his or her own data, he said.

“The bank could digitally sign that data to indicate that the individual has been through a vetting process, but give control of the data to the customer,” said Lam. “This would be an example of going a step beyond what is required by the letter of the law, and could be a differentiator for the bank concerned.”

Another example would be an online retailer that, instead of purchasing customer data from a third party to use for targeted marketing, offered incentives for customers to provide data, he said.

“Online retailers could consider asking consumers to contribute in return for payment or some other reward, thereby including the consumer, giving them control over what they share, and giving them something of value in return.”

With the GDPR compliance deadline only just over six months away, many organisations are trying to establish what is the bare minimum they can do, he said.

“From my perspective as a former government official, this illustrates a challenge we faced when considering new rule making – how to write necessary regulation that encourages organisations to implement not only the minimum but embody the spirit of the law,” said Lam, who previously served in the Obama administration as both a trusted identity strategist and as a pilots programme manager for the US National Strategy for Trusted Identities in Cyberspace (NSTIC).

Read more about consumer identity management

Lam believes that while regulations can help to increase the base level of privacy, it is important for companies to understand the potential business value of pursuing privacy safeguards and mechanisms that are not mandated by law.

“We need to communicate this value to provide an incentive for organisations to do more than they are doing, and to do more than the law demands,” he said. This would not only benefit the customer, but would also help to grow the business’s customer base and brand loyalty.

In planning to comply with the GDPR and other privacy legislation, Lam said he would like to see organisations look at ways of making privacy a potential differentiator, rather than merely a compliance issue.

In other words, organisations should use the process planning to comply with legislation to look for ways of providing or demonstrating value to their customers, he said.

Read more about GDPR

This approach is consistent with the UK Information Commissioner’s Office, which has consistently highlighted the business advantages of getting privacy right.

In March 2017, information commissioner Elizabeth Denham told the House of Lords EU Home Affairs Sub-Committee that UK businesses were starting to see the value in getting strong protection for their consumers and understanding that it is a necessary part of good business practice.

“It is a competitive advantage if you are doing the right thing with customers’ data, and playing fast and loose with customers’ sensitive personal data is not going to cut it,” she said.

In May 2017, deputy information commissioner Rob Luke also highlighted the business benefits of GDPR compliance at a discussion about the legislation hosted by IT industry body TechUK.

The best outcome, he said, would be for organisations to take an approach to data protection that earns the trust of consumers in a more systematic way, and where that trust translates into competitive advantage for those who lead the charge.

Lam will address this topic in more detail at Consumer Identity World Europe 2017 in Paris from 27 to 29 November in a session entitled “Risk-based mitigation strategies and why one size may not fit all for privacy”.

Read more on Privacy and data protection

Data Center
Data Management