[The State Of Breach Protection 2020 (Global Survey And Industry Report)

[Everardo Laboy]

Consumer data are clearly transforming business, and companies are responsible for managing the data they collect. To find out what consumers think about the privacy and collection of data, McKinsey conducted a survey of 1,000 North American consumers. To determine their views on data collection, hacks and breaches, regulations, communications, and particular industries, we asked them pointed questions about their trust in the businesses they patronize.

That lack of trust is understandable given the recent history of high-profile consumer-data breaches. Respondents were aware of such breaches, which informed their survey answers about trust. The scale of consumer data exposed in the most catastrophic breaches is staggering. In two breaches at one large corporation, more than 3.5 billion records were made public. Breaches at several others exposed hundreds of millions of records. The stakes are high for companies handling consumer data: even consumers who were not directly affected by these breaches paid attention to the way companies responded to them.

The State of Breach Protection 2020 (Global Survey and Industry Report)

DOWNLOAD ✪✪✪ https://t.co/FVWu7lRFKC

Proliferating breaches and the demand of consumers for privacy and control of their own data have led governments to adopt new regulations, such as the General Data Protection Regulation (GDPR) in Europe and the California Consumer Privacy Act (CCPA) in that US state. Many others are following suit.

About half of the consumer respondents said they are more likely to trust a company that asks only for information relevant to its products or that limits the amount of personal information requested. These markers apparently signal to consumers that a company is taking a thoughtful approach to data management.

Half of our consumer respondents are also more likely to trust companies that react quickly to hacks and breaches or actively disclose such incidents to the public. These practices have become increasingly important both for companies and consumers as the impact of breaches grows and more regulations govern the timeline for data-breach disclosures.

Privacy regulations are evolving, with a marked shift toward protecting consumers: the GDPR, for example, implemented in Europe in May 2018, gives consumers more choices and protections about how their data are used. The GDPR gives consumers easier access to data that companies hold about them and makes it easier for them to ask companies to delete their data.

For companies, the GDPR requires meaningful changes in the way they collect, store, share, and delete data. Failure to comply could result in steep fines, potentially costing a company up to 4 percent of its global revenue. One company incurred a fine of $180 million for a data breach that included log-in and payment information for nearly 400,000 people.1The fine was imposed by the Information Commissions Office, the British data regulator, and is currently under regulatory process review. Another was fined $57 million for failure to comply with GDPR. A side effect of this regulation is an increased awareness among consumers of their data-privacy rights and protections. About six in ten consumers in Europe now realize that rules regulate the use of their data within their own countries, an increase from only four in ten in 2015.

The GDPR has been considered a bellwether for data-privacy regulation. Even in Europe, policy makers are seeking to enact additional consumer-privacy measures, including the ePrivacy regulation (an extension of GDPR), which focuses on privacy protection for data transmitted electronically. Its status as a regulation (rather than a directive) means that it could be enforced uniformly across EU member states. The ePrivacy regulation is likely to be enacted in 2020.

The CCPA is the strictest consumer-privacy regulation in the United States, which as yet has no national data-privacy law. The largest fine for mishandling data was, however, issued by the US Federal Trade Commission (FTC).

Companies are investing hefty sums to ensure that they are compliant with these new regulations. In total, Fortune Global 500 companies had spent $7.8 billion by 2018 preparing for GDPR, according to an estimate by the International Association of Privacy Professionals. Companies have hired data-protection officers, a newly defined corporate position mandated by the GDPR for all companies handling large amounts of personal data. Despite these measures, few companies feel fully compliant, and many are still working on scalable solutions.

Another difficult aspect of privacy regulation has to do with the deletion and porting of data: regulations allow consumers to request that their data be deleted or that enterprises provide user data to individual consumers or other services. For many companies, these tasks are technically challenging. Corporate data sets are often fragmented across varied IT infrastructure, making it difficult to recover all information on individual consumers. Some data, furthermore, may be located outside the enterprise, in affiliate or third-party networks. For these reasons, companies can struggle to identify all data from all sources for transfer or deletion.

Several effective actions have emerged for companies that seek to address enhanced consumer-privacy and data-protection requirements. These span the life cycle of enterprise data, and include steps in operations, infrastructure, and customer-facing practices, and are enabled by data mapping.

Leading companies have created data maps or registers to categorize the types of data they collect from customers. The solution is best designed to accommodate increases in the volume and range of such data that will surely come. Existing data-cataloging and data-flow-mapping tools can support the process.

Companies need to know which data they actually require to serve customers. Much of the data that is collected is not used for analytics and will not be needed in the future. Companies will mitigate risk by collecting only the data they will probably need. Another necessary step is to write or revise data-storage and -security policies. The best approaches account for the different categories of data, which can require different storage policies.

Of further importance is the growing appetite for applied analytics. Today, leading companies need robust analytics policies. Given the proliferation of advanced machine-learning tools, many organizations will seek to analyze the high volumes of data they collect, especially by experimenting with unsupervised algorithms. But unless companies have advanced model-validation approaches and thoughtfully purposed consumer data, they should proceed with extreme caution, probably by focusing specifically on supervised-learning algorithms to minimize risk.

To act quickly when breaches do occur, organizations will want to pressure-test their crisis-response processes in advance. People who will be involved in the response must be identified and a strong communications strategy developed. One of the highest predictors of consumer trust is the speed of company reporting and response when breaches occur. Indeed, most new regulations require companies to disclose breaches very quickly; the GDPR, for example, mandates the announcement of a breach within 72 hours of its discovery.

Companies should develop clear, standardized procedures to govern requests for the removal or transfer of data. These should ensure expedited compliance with regulations and cover consumer requests for the identification, removal, and transfer of data. The processes should support data discovery in all pertinent infrastructure environments within a company and across its affiliates. Most companies today use manual processes, which creates an opportunity for streamlining and automating them to save time and resources. This approach also prepares infrastructure environments for future process developments.

Working closely with third parties, affiliates, and vendors, companies can gain an understanding of how and where their data are stored. This knowledge is especially important when third parties are supporting the development of products and features and need access to consumer data. Some companies are considering establishing review boards to support decisions about sharing data with third parties.

Organizations are working to create infrastructure environments that can readily accommodate the increasing volumes of data collected, as well as attending technological innovations. Best practice is to store data in a limited number of systems, depending on data type or classification. A smaller systems footprint reduces the chance of breaches.

It is important for organizations to communicate transparently: customers should know when and why their data are being collected. Many companies are adding consumer privacy to their value propositions and carefully crafting the messages in their privacy policies and cookie notices to align with the overall brand.

Our research revealed that our sample of consumers simply do not trust companies to handle their data and protect their privacy. Companies can therefore differentiate themselves by taking deliberate, positive measures in this domain. In our experience, consumers respond to companies that treat their personal data as carefully as they do themselves.

1. 70% of corporate risk and compliance professionals said they have noticed a shift from check-the-box compliance to a more strategic approach over the past two to three years. (2023 Thomson Reuters Risk & Compliance Survey Report)

2. 83% of risk and compliance professionals said that keeping their organization compliant with all relevant laws, policies, and regulations was a very important or absolutely essential consideration in its decision-making processes. (Navex Global's 2023 Definitive Risk & Compliance Benchmark Report)

3. 80% of corporate risk and compliance professionals agreed that their organization views risk and compliance as valuable business advisory functions, and 74% agreed that risk and compliance requirements enable, support, and enhance business activity. (2023 Thomson Reuters Risk & Compliance Survey Report)

795a8134c1