The privacy fallacy: Why we need to stop thinking of data protection as an inhibitor of enterprise analytics

By Jason du Preez - January 23, 2018

It’s easy to see how data protection can be a source of frustration. The ‘big data’ vision that puts innovation within easy reach for data science, R&D and customer experience promises:

  • All of the data: multiple, disparate data sources – structured and unstructured – brought together.
  • Data for everyone: data that’s available to a broader user base – “citizen analysts” as well as data scientists.
  • Full business transparency: sophisticated analysis of rich data at scale, offering infinite insight into the whole of your business.
  • A competitive edge: unprecedented, data/insight-driven decision-making and innovation for product, research and marketing, all of which spark new business value and opportunities for growth.

But privacy concerns often stand in the way of users getting fast access to the data they need. Here are three data provisioning scenarios that we often encounter:

  • No clear data protection policies - meaning that access is controlled on an ad-hoc, case-by-case basis, which can take a long time and lack consistency.
  • Severe restrictions to access by default, with only a small number of ‘trusted’ users having privileged access. This inhibits innovation and exposes the data to insider threats.
  • Data that is “over-protected” - stripped of analytical value, aggregated or masked in a way that destroys data utility.

That’s not exactly the transformational big data world that we’ve been promised.

The privacy fallacy

When you compare the big data ‘promise’ to the analytics reality described above, it’s easy to blame the execution gap on privacy, and think of it as an inhibitor to progress. But that would be a significant mistake for any organisation, for several reasons:

Privacy is a fundamental right that we can’t ignore. Big data can be attacked in new ways (such as linkage, or tracker attacks), and organisations have a responsibility to protect the sensitive information in the customer and employee data that they’re processing. This is bigger than any one data user’s frustration, and we need to take it seriously. No-one can predict what consequence a leaked data point may have on an individual’s life, now or in the future. In an increasingly digital world, a responsible approach to privacy earns us the right to do business.

It gives analytics and machine intelligence a bad rep. Consumers are taking a more active interest in privacy practices, and are becoming increasingly worried about data abuse, including profiling and surveillance. If anything, data-processing organisations need to send a clear signal that they’re actively protecting their customers’ data. Increasing consumer distrust will damage businesses – not to mention all of the organisations who are looking to use data for good, but rely on people contributing their personal data (such as NGOs and health researchers).

Protecting private data isn’t a problem. Context is everything. For most of the data processing lifecycle, analysts don’t require personal data, nor do they need to over-centralise sensitive data stores. Organisations can gain highly valuable insight with privacy-preserving mechanisms in place. If we keep thinking of successful analytics in terms of “privacy vs innovation”, we’re creating a false dichotomy.

Data provisioning today is often slow, tedious, and unsatisfactory. While the tools to analyse data have evolved, the tools to protect it have not. Organisations that leverage technology-driven privacy controls and modern privacy practices can significantly reduce the friction in these processes, and improve data availability and utility while preserving and building consumer trust. 

Towards mature enterprise privacy

So what should the privacy practices of a responsible, modern, analytics-driven organisation look like? Here are a few thoughts:

  • Recognise that data privacy is an enabler for well-governed data operations, and innovation (and regulatory compliance of course).
  • Think of personal information beyond direct identifiers and implement methods that can handle the new challenges that come with protecting richer datasets.
  • Critically assess whether personal information is required in each context or use case.
  • Avoid ad-hoc approaches to data protection. Only consistent, transparent and manageable processes are defendable and will safely open up data flows within the organisation in order to fulfil our obligation to consumers and employees.
  • Embrace privacy as an enabler of customer relationships and a foundation to analytics on sensitive data.

Data privacy is broader than technological controls alone. But combined with the right expertise and process changes, a comprehensive approach to privacy can give organisations the competitive edge.

I believe that taking a systematic and holistic approach enables us to quantify and balance privacy and data utility in order to both accelerate innovation and exceed customer expectations. It’s the only way forward.