With Australian business and government becoming more data-driven, some important conversations are finally being had, including how data is sourced, utilised, secured and stored for a better experience.
While these are challenging and at times vexed topics, the emergence and popularisation of decentralised or self-sovereign identity promises to alleviate some key concerns around data control and customer consent collection and management.
Under privacy laws in Australia, explicit consent is currently required for only “a limited range of collections, uses and disclosures of personal information”. An expansion is now being canvassed to cover “any collection, use or disclosure of personal information”, though that’s “generally opposed” by industry on grounds that it could be burdensome for all sides. Marketers, in particular, worry an expansion could result in people being asked to consent so often that they take the “nuclear option” and opt-out of all forms of branded communication entirely.
What’s needed is balance: meeting the privacy needs of people whose data it is, and the operational needs of organisations that collect, store and use it.
Data is often a critical input to customer experience and service delivery. Customers today expect a certain amount of personalisation in their interactions, and organisations want to retain an ability to use customer data for those purposes. It would not make sense to introduce friction into this process.
At the same time, changing consumer attitudes to privacy and data sharing need to be taken into account. A recent survey found 43 percent of Australians are unwilling to have their data shared with any third-party. Such attitudes are often shaped by experience, such as perceived or actual data misuse by a brand, or having their PII accessed or stolen in a data breach incident. That is a key reason why consumers now tie their willingness to share data in future to the presence of increased protections and safeguards.
As consumers become more savvy, and privacy laws and regulations catch up, it is incumbent on organisations and brands to navigate to a customer-centric and privacy-preserving path for data use.
Applying Identity and Access Management (IAM) protections and controls to both sides of the data equation – the person, whose data it is, and the business collecting and storing it – and embracing decentralised identity are likely to be critical steps to ensuring the right balance is struck.
Verifying identity to help with a better experience
Currently, every organisation collects personal data and individually controls customer preferences and consent for how that data gets used.
These consents may need to be revisited over time, such as if a person’s relationship with a brand or business changes – and organisations should have the mechanisms in place to keep up and honour that. An IAM system can be utilised by the organisation to track and manage that consent flow lifecycle and to keep a record of authorised uses of data for a particular period of time.
However, not all organisations meet this standard today. As we’ve seen in some high-profile Australian data breaches, data is often stored for far longer than the use case it was collected for. There are often mismatches between how consumers think their data should be treated, and how it actually gets used.
Decentralised identity – also called self-sovereign identity – flips this paradigm around and puts consumers in charge of their data and more directly in control of how consent is managed. Rather than having to separately establish individual identities with each organisation they transact with, the customer has just one verified identity, held in a digital wallet on their smartphone or other device, that they can use for every interaction.
Under this model, when an organisation asks the customer to verify their identity, only a small amount of information, only what is necessary at that given time, is exchanged. For example, if all the organisation needs is an age verification, decentralised identity would confirm the person is over 18 and that that’s been verified. There would be no need to overshare anything else – such as a full scan of a passport or driver’s licence with address, birth date, etc. – for the intended purpose. The customer can also manage and revoke consents centrally from within their digital wallet, instead of having to manage them in self-serve portals attached to every organisation they interact with (assuming that granularity of control is even offered – it may not be).
This will shift identity and data handling practices from organisations having all the power, to a world where consumers and organisations both have a key role.
To operate in this world, organisations will need to ensure they have the right IAM controls, covering both the customer as well as employees looking to use and leverage customer data. Having IAM on both sides of the data is the bare minimum organisations can do to make sure that as they unlock the value of that data and personalise interactions, that customers and their data stay protected, and privacy and consent are respected.
With a tightening of Australian privacy laws inevitable – a question of when, not if – it makes sense for organisations to prepare for this new reality now. By adopting best-practice data handling, privacy protections and IAM controls today, organisations will be best placed to meet current customer expectations and evolving laws in the future.
Ashley Diffey, Vice President Sales APAC and Japan at Ping Identity