Apple's transparent data policy is a lesson in how to exploit GDPR
Being open about the data you process isn't just a box ticking exercise, it's a means to build customer trust
The ways in which businesses manage data has transformed dramatically in the past year. With new, tougher data protection laws now governing any business that deals with data belonging to European citzens, the number of reported data incidents has spiked by 43%.
If one thing is clear, it's that data breaches affect everyone. Businesses that fail to take precautionary security measures and fall victim to hackers face both financial loss and reputational damage. Meanwhile, customers risk important personal information getting into the wrong hands and sold for profit.
Companies must do everything they can to keep personal information safe and ensure customers feel protected. This is something that consumers expect, with 93% of respondents in a PWC survey agreeing that organisations must take a proactive approach to data protection and a further 60% saying responsibility rests with them.
Data transparency is paramount here. Consumers should have the right to find out what data is being stored about them and in which manner. When it comes to conveying this information, GDPR stipulates that communication must be concise, transparent, intelligible and easily accessible. So is this being achieved?
With examples like British Airways, Equifax, and more recently Quora, we've seen a surge in the number of high profile data breaches with shockingly high numbers of affected customers. As a result, consumers are becoming increasingly aware of data security and, concerned about privacy, are becoming far more discerning when it comes to the platforms they trust with their information.
"It's not enough to amend terms and conditions, as Facebook and Google did in response to GDPR," explains Martin Gontovnikas, VP of developer relations at Identity-as-a-Service platform Auth0. "Users are still scrolling through hundreds of lines of text and giving consent, without really knowing what they're consenting to."
"Once you have data transparency, you can have honest conversations with customers about trade-offs. Your customers can make educated decisions, but they need to be given the choice about what they're willing to give up in exchange for a product or service instead of it being chosen for them."
Building brand trust
GDPR dictates a need for better transparency from businesses processing user data. However, instead of simply viewing the changes as a box-ticking exercise, some businesses are getting ahead of public opinion and using it to build trust.
"GDPR has made way for public awareness of data privacy and consumer rights, so technology companies must adapt if they are to retain their users' trust and maintain a good reputation," explains Mark Taylor, partner at international legal practice Osborne Clarke LLP.
Apple is a prime example of a major tech giant taking steps to improve data transparency for its users. It recently launched a portal where customers can sift through all the data the company has on them, and CEO Tim Cook has been very vocal about data protection. He recently called it a "fundamental human right" and commended the implementation of GDPR, calling on tech companies to not only embrace the spirit of the EU laws, but to support the introduction of similar legislation across the US.
Apple has dedicated a bunch of pages to educating customers about how it uses their data
Taylor believes that Apple's new data privacy website has bolstered its position as a pro-privacy technology company, which has done wonders for Apple's public image, but also suggests that it may not be an option for smaller companies.
"This type of initiative may only be cost-effective for larger organisations such as Apple, for whom the trade-off between self-service and dealing with lots of individual requests for data pays off," he adds. "For smaller companies and start-ups, on the other hand, this simply may not be an option."
Taylor suggests other companies follow Apple's example in making such tools available worldwide, not just to EU nationals, if only to show they are willing to be more open with the data they process.
"Many companies have so far sought to take different approaches in different regions, but Apple has extended its tools for EU residents to the US. This can be sold as a positive, brand-enhancing step, but the tech giant must ensure that it positions its new privacy features correctly so that the reality lives up to the expectations it has created for itself."
Transparency as an ongoing commitment
Karl Greenfield, head of cyber security at Welsh IT consultancy Capital Network Solutions, says UK businesses should be looking to accredited programmes such as Cyber Essentials Plus or IASME Governance certifications to help them to establish public trust in their services.
"Most UK organisations remain unable to reach into their back pockets and produce one of these certificates for the ICO post-breach. Sadly, in many cases operational or commercial priorities mean that some organisations will only take cyber security seriously when they become lucky survivors of a significant breach."
"What the sector in Wales, in particular, is doing really well, is ensuring that the public, private and academic sectors are collaborating at all levels to ensure that lesser-prepared businesses are receiving the support and advice that they need," he explains. "Others should follow by Wales' example."
As the connected ecosystem continues to expand, the need for robust cyber security and data protection mechanisms will become stronger. It's clear that people are more aware of the risk posed by online crime, and with this in mind, businesses need to keep taking steps to protect their data. However, many businesses simply aren't doing this.
"Under GDPR, companies must be able to provide customers with all of their data if requested but this more often than not requires the customer to be extremely proactive and request data via email," explains James Saye, an analyst at Roke Manor Research.
"For companies to be truly transparent, the data must be easily accessible, received in a timely manner and in a format that is digestible. It's no good to email customer service, wait a month for a reply and then get the data in a format that's unusable or maybe even proprietary to that company's systems."
He recommends that organisations implement open data standards and principles, including open by default, timely and comprehensive, accessible and usable, and comparable and interoperable.
"Companies also need to consider what customers may want or need to do with their data," explains Saye. "This will help inform how they collect, process and store the data. They have been trusted by the customer to hold and use their data and they should treat it with the utmost respect."