Don’t play catch-up: Why DX can’t succeed without data privacy considerations

Accelerated digital transformation has surfaced potential data privacy pitfalls; strategies needed to futureproof against evolving regulatory landscape.

Companies around the world can attest to this fact: the pandemic has undeniably catalysed digital adoption at staggering rates.

An estimate by McKinsey shows that it has accelerated by as much as seven years, as business leaders rapidly embraced digital transformation to remain competitive in this new economic environment — be it contactless payments, click-and-collect services, or automated marketing campaigns.

However, for every business making the digital shift, potential privacy pitfalls are often overlooked as implementation teams rush to pump large amounts of user data into online systems. The past year has seen an uptick of 400% in cyber-attack complaints in the US alone, due to COVID-related breaches and hacking attempts.

Heightened scrutiny on companies’ data practices from regulators and consumers alike means that this oversight can lead to serious consequences if not properly mitigated. As such, businesses simply cannot afford to treat data management as a secondary issue as they undergo their digital transformation journeys.

The new era of data privacy is here

In the early 2000s, the average computer user probably didn’t know that third-party cookies existed. Two decades later, consumers are more aware of their privacy rights than ever.

Over the past few years, the media has exposed the ugly side of convenience and personalisation: a surveillance economy that grew up without the safeguards needed to protect consumers’ personal data.

With each successive data breach, consumer distrust has grown; only 34% of consumers now say they trust the brands they patronise.

On the regulatory front, lawmakers around the world are continuing to tighten data privacy frameworks, starting with the EU’s launch of its landmark General Data Protection Regulation (GDPR) in 2018. California followed suit by implementing the California Consumer Privacy Act (CCPA) in 2020 and upgrading it to the California Privacy Rights Act (CPRA), which will take effect in 2023.

The introduction of stringent data protection requirements as well as consumer outcry against intrusive tracking practices have given businesses a much-needed imperative to rethink their data collection practices and responsibilities as custodians of consumers’ personal information. The ubiquity of data usage in business operations makes it not only the marketing department’s responsibility but the entire organisation’s, including digital transformation project teams and leaders.

While the KPIs set for successful digital transformation usually include employees’ adoption rate of new technologies or financial metrics such as revenue growth and cost savings, success indicators also need to be viewed from the lens of compliance. In the context of data privacy, this means selecting the right technologies and infrastructures that are ready for existing and upcoming data compliance requirements.

Digital transformation in a privacy-centric world

From building an online delivery portal to digitising existing physical records, digital transformation projects often go hand in hand with data migration and collection. While complex and technical by design, these processes also need to take into account critical compliance considerations.

As digital transformation projects involve the procurement of new technologies and infrastructures, checking how bidding vendors manage their data is key. While this may sound self-explanatory as it’s standard procedure for many companies to review all Data Processing Agreements (DPA) when evaluating vendors, there can be serious consequences if this is omitted or not done thoroughly. The financial penalties for businesses that fail to perform due diligence on third parties that process their customer data can be significant.

Under GDPR, a breach of these controller and processor obligations can attract fines of up to €10 million (US$12 million) or 2% of the company’s total worldwide annual turnover, whichever is higher. Lawmakers in Asian countries such as Singapore and Thailand have also made third-party due diligence compulsory, although they do not set offence-specific fines; instead, the general penalties apply. Under Singapore’s Personal Data Protection Act (PDPA) these can be as high as S$1 million (US$744,000) or 1% of the organisation’s annual turnover, while Thailand’s PDPA caps administrative fines at THB5 million (US$156,000).

A good starting point is to review a vendor’s privacy compliance record and data policies. Businesses should also make sure that these parties cannot engage further processors without the controller’s prior written authorisation (the rule GDPR Article 28(2) sets out), so that a third party cannot quietly pass its data management responsibility to a non-compliant subcontractor.

In addition, before making any decision on data-related issues such as migration, storage, or subcontracting, it’s important to carry out risk assessment activities to map out potential data privacy risks and how they can be mitigated.

Such assessments are already mandatory in jurisdictions with stricter privacy frameworks: GDPR requires a data protection impact assessment (DPIA) for processing likely to result in high risk to individuals, and the impending CPRA introduces comparable risk assessments. Even where they are not required, all businesses should perform data risk assessments to establish a paper trail that protects them should they be investigated by regulators.

Although it’s not an obligation under Singapore’s PDPA, the Personal Data Protection Commission of Singapore has developed a guide which lays out key principles and considerations for organisations to perform data protection impact assessments. 

Last but not least, all companies should consider appointing a Data Protection Officer (DPO), who oversees compliance with prevailing data regulations and fosters an environment of responsible data management throughout the entire customer data lifecycle. Some countries such as Singapore have already made this compulsory, under its PDPA.

On top of being the dedicated owner of a company’s privacy compliance responsibilities, DPOs often serve as the key liaison between regulators and an organisation. This helps businesses stay up to date with evolving requirements as lawmakers continue to refine data privacy frameworks.

Investing in privacy-preserving infrastructure

While the complexity of digital transformation projects can make it tempting for leaders to outsource procurement decisions to external implementation consultants, it’s crucial for decision makers to evaluate technologies that are private by default. This allows companies to futureproof their tech stack amidst the changing regulatory landscape.

As more sophisticated data management tools continue to be developed, the adoption of emerging technologies such as distributed ledger technology (DLT) and federated learning is on the rise. For example, integrating a DLT-based data management platform allows a business to keep an immutable, transparent record of the end-to-end lifecycle of consumer data and the processes applied to it, which helps satisfy stringent documentation requirements such as those stipulated by the GDPR. One caveat applies: the ledger should record hashes, pointers or audit events rather than the personal data itself, because an immutable copy of personal data cannot be deleted when a consumer exercises a right to erasure.

Digital transformation is an exciting venture for every company in the world, and just like any other major business transition, it does not come without its risks. However, when it comes to data privacy, there are clear steps that leaders can take to shore up consumer data protection.

While increasingly tenuous and costly to earn, consumer trust is even harder to win back once brands make a misstep. In today’s information age, sound data security measures will continue to be crucial to safeguarding customer relationships and thus should remain at the heart of every digital transformation project.