My privacy is your business
Being transparent is vital when it comes to privacy in a data-driven age. Opening up for a dialogue with users presents a great opportunity to find new ways of telling the story about how and why data is used, says Ingvild Næss, Group Privacy Officer in Schibsted. In the end it will always be a question of trust.
As a user I want tailor-made services online. Like recommendations from Amazon and Netflix. Now I expect the same when consuming news and searching for jobs, apartments or cars. The same goes for ads. The more relevance, the better for me as a user – and for the advertisers. In order to personalize and give me tailor-made offers, companies need to know me. This means that companies need data about what I like, want and prefer. This calls for a discussion about privacy.
Throughout Europe we already have strict rules regarding the handling of personal data. With the new EU General Data Protection Regulation (GDPR), which will be a reality from May 2018, the requirements will be even more comprehensive. Also, the GDPR requirements will apply to all companies – including non-European companies, such as Facebook and Google – when handling data about European citizens.
A CHALLENGING TASK
The question is really not if, but how companies will manage to provide both personalized content and targeted ads, and at the same time make sure that I can feel comfortable that my right to privacy is respected.
Big data challenges the traditional approach to privacy. One of the basic privacy principles, which is also a part of the new GDPR regime, is data minimization. This is to ensure that only data which are strictly necessary for a defined purpose are collected and used.
Data minimization is difficult to apply in a setting where good results depend on rich enough data basis. One can actually argue that data minimization is not in my best interest as a user, and that there is a clear need to redefine the traditional privacy approach. What is in my best interest is not to limit my vendors´ source to knowledge about me; rather that the data picture my vendors have is as correct and complete as possible. Only then will my vendors be able to derive greater value in return. Privacy is more important than ever. The more data companies have, the more essential it is that I as a user am in control of my own data. The first step to ensure user empowerment is information and understanding. There is little doubt that today´s way of solving this with endlessly long privacy policies does not work. Instead, companies must communicate with me in a manner I understand, can digest and am engaged by.
AN AREA OF OPPORTUNITY
Privacy should even be looked upon as an area of opportunity to have a stimulating dialogue with users, which will be both in the users´ and in the companies’ interest. For instance, looking into how to tell each individual user the story about how the data is used and why, rather than having just a generic text about use of data.
Conducting extensive user research in order to learn and understand which possibilities there are to manage data that is valuable and make sense to users, is crucial. Just like user feedback is extremely important for the development of products and services, and offers a continuous dialogue with users to refine and improve the product offerings.
FROM ONE VENDOR TO ANOTHER
Designed to put users in the driver’s seat, the GDPR further establishes a right to data portability. This right will give me the possibility to manage my data as a single set of information across different platforms; I can choose to move from one vendor to another and bring my data with me. This can be a game changer.
An important trend that we see in parallel with user empowerment, relates to the adoption of privacy enhancing methods and technologies, like differential privacy. This is a privacy model that aims to limit the impact that each individual user´s contribution has on the outcome of an analysis. Basically, it is about using statistical analysis to abstract useful notions about what people do and prefer. The essential part from a privacy perspective is that the model prevents companies from extracting anything about me as a specific user. Thereby, I am also protected against use that may represent a privacy violation – including misuse by hackers, intelligence agencies and other parties to whom I do not want to give access to my data.
There are also a lot of other technologies available and being developed which are about protecting data, such as end-to-end encryption, access management and various forms of anonymization.
We are entering a new era of privacy. We cannot, and should not, fight the collection and use of personal data. Instead, we should find good privacy solutions to give users the best products and services; to empower users while protecting their data. As a user I will be much more willing to give a company valuable data about myself if I am engaged and feel trust.