Private data: balancing customer privacy against the need for useful data

The interaction between customers and suppliers is simple: suppliers seek to meet customer needs by understanding their preferences and providing them with the most attractive products to meet their needs. While this basic concept has remained constant, how organisations interact with customers has changed significantly over the years.

The rise of the internet has enabled massive growth in on-line selling, providing suppliers with new ways to gather greater volumes of customer information.

Organisations want two main types of information: Personally Identifiable Information (PII) and Sensitive Personally Identifiable Information (SPII). Many argue that new collection methods provide suppliers with customer information without the transparency that existed in the past. For example, traditional data-gathering methods often involved asking the customer questions about their preferences directly, which is no longer always the case.

The level of detail that can be gathered through on-line methods is considerable - far greater than through traditional approaches. It can provide organisations with insights into a customer's behaviour and preferences without their knowledge, and often to a level of detail that they might not wish to disclose.

However, it is also important to understand that the collection of some information must be undertaken to meet non-sinister operational needs. For example, personal information is often gathered as part of an organisation's customer identity protocols, to help protect against fraud.

Collection of this type of client personal information has its place in the business world. It allows organisations to meet customer demands and to operate more effectively.

In essence, there is a balance which must be struck between an organisation's internal requirements and the customer's individual privacy needs when considering the collection of personal on-line data. But to achieve this balance there are several steps an organisation must follow:

  • Identify, understand and follow the applicable laws, regulations and standards that affect the organisation, being mindful of the differences in the jurisdictions in which the organisation operates.
  • Be open and transparent. An organisation should refer customers to their privacy policies when collecting any personal information. They should also provide customers with suitable visibility of the types of information collected and specify the purpose of gathering this personal data. Organisations should provide appropriate opt-in/opt-out facilities to empower each customer to decide whether or not they wish to participate in the information collection processes.
  • Do not over-collect PII or SPII information. Businesses should collect just enough information to allow for the completion of the tasks for which information is collected - it should also be tiered in terms of importance; primary, secondary and tertiary.
  • Create the correct culture in your business to deal with handling sensitive information. Develop personal information policies and train staff that handle personal information. Educate them in how these policies should be implemented in their individual roles.
  • If required to use third parties, choose credible partners who may collect, use, retain or disclose information on your organisation's behalf. Ensure they comply with your own organisation's personal information standards and policies.
  • Ensure that any information you plan to use in order to take defensive action against individuals is accurate, relevant and up-to-date.

Last week's announcement from the Office of Fair Trading calling for a clampdown on how online retailers manage sensitive customer data has brought this topic back into the spotlight.

Organisations that do not proactively manage clients' sensitive information are increasingly likely to find themselves under scrutiny from applicable authorities as customer- and regulator-awareness on this issue grows.

Seamus Reilly is Director of IT Risk and Assurance with Ernst & Young