It's time to tell the truth about data sharing and data breaches

Consumers are getting savvy about the risks your data collection poses to their privacy. They want the truth, even when you fail. But don't cross the 'creepy line'.
Written by Stilgherrian, Contributor

Most businesses don't like admitting mistakes, however small. Mistakes damage the expensive perfection of The Brand. There are never "faults", "errors", or "problems" -- merely "issues". And owning up to a data breach is way scary.

But it shouldn't be.

Most consumers don't lose trust in an organisation when they receive a privacy notification about a data breach, according to the Deloitte Australian Privacy Index 2016, released on Tuesday.

Of the more than 1,000 consumers surveyed, 14 percent had received a breach notification. Fewer than a third of those recipients (29 percent) said they'd lost any trust in the organisation as a result.

In fact, more recipients (33 percent) said they now had more trust, presumably because the notice confirmed that security monitoring and notification procedures were in place. The biggest slice (38 percent) didn't change their view either way.

"That's actually a really pleasing statistic from the point of view of an organisation," said Tommy Viljoen, partner in Deloitte's Cyber Risk Services unit, at a media briefing in Sydney on Tuesday.

"By doing the right thing by the customer, they can maintain trust, and they will not lose customers to the extent that they originally thought," he said.

"A couple of years ago, we were seeing a lot of resistance from organisations to breach notification, as it was felt that would impact the trust relationship with individuals. What the survey does is actually say, well, that's not the case."

Deloitte's report shows that 94 percent of consumers think trust is more important than usability, and how an organisation handles consumers' personal data is a key element in earning that trust.

Consumers are becoming more discerning in matters of data privacy than they were just a year ago, Viljoen said.

Data offshoring, for example, is a concern for 67 percent of Deloitte's respondents. More than 21 percent want detailed information if organisations send their information to third parties, including to whom and why, and 14 percent want to know how their personal information is being protected.

The consumers demanding this level of detail are still in the minority, but their numbers are growing fast. Consumers see ever more frequent examples of their data being processed and fed back to them as personalised experiences.

The move from websites in web browsers to mobile apps on smartphones, with access to all the data on that mobile device, has made the process even clearer.

Organisations may be following the letter of the law with generic privacy policies, but Viljoen says that's not enough.

"There's a difference between meeting what the regulations say, and building trust with the consumer. Building trust with a consumer often requires a higher benchmark, and we're seeing some organisations moving to that higher benchmark now," he said.

If organisations collect data and use it in unexpected ways too quickly, they risk crossing what Viljoen called the "creepy line", and trust is lost.

"If I were to come up to you in the street and say, 'Where have you just come from? And where are you going to? And which calls have you just made? And what websites have you visited?', you would think I'm pretty creepy. You would not be happy. You'd be calling the police. But because it's done on the mobile phone, you don't even know about it. You just accept it," Viljoen said.

"Organisations are talking much more about that creepy line, and trying to work out where that exists, and how they manage their data privacy to that level. What's the policy that's required? What's the framework? What are the lessons for the people that are doing data analytics to ensure that they don't cross that line?"

This problem was explained in a blog post by the Nielsen Norman Group earlier this month, "Hierarchy of Trust: The 5 Experiential Levels of Commitment".

"Designers are under constant pressure to reduce friction to conversion, drive people to the next step in the funnel, and collect user information as early as possible," user experience specialist Katie Sherwin wrote.

"But demands must meet users' trust needs. It's too easy to forget the user's perspective. A useful exercise is to imagine yourself asking a stranger on the street for increasingly big favours. What steps would you need to go through to overcome initial skepticism and build trust before you demand contact information or money? Skip those steps and the person would walk away -- or, on the web, leave the site and try somewhere else."

Deloitte presents a scale of trustworthiness from the customers' perspective.


A scale of privacy trustworthiness.

(Image: Deloitte Australian Privacy Index 2016)

At the bottom are organisations that aren't required to comply with privacy regulations, so they don't. A couple of steps up are the organisations that are compliant, but still hide the real story in their privacy policy, and those that tell their customers what's done with their data but provide no choices.

Earning more trust are organisations that let their customers choose how their information is used and shared, or, when there's no choice, explain why. And most trusted of all, according to Deloitte, are the organisations that do all of this to improve customers' lives, and not the organisations'.

"I think the more successful trusted organisations are the ones that are going to be managing that level in the future, compared to those that just manage to privacy regulation level," Viljoen said.

Two of the most important components of trust are honesty and transparency. In this imperfect world, that includes when things, inevitably, go wrong.
