Privacy and the “creepy line” were hot topics of discussion last week at the International Association of Privacy Professionals (IAPP) ANZ Summit held in Sydney. We’re all familiar with the creepy factor online at this point; we’ve all searched for a pair of shoes or a piece of furniture only to be stalked around the Internet for the next few days with banners for those items showing up on website after website. So, where exactly is the line between creepy and acceptable, and how can modern marketers ensure that their digital customers feel safe? Here are the five key lessons I learned at the Summit:
1. GDPR; expect subtle but significant changes
And yes, Australia, this means you! According to Eduardo Ustaran, a leading EU expert, if you are offering goods and services to any one of the 300+ million Europeans, or simply monitoring their online behaviour (including website cookies) you need to pay attention here. He outlined for us the ‘subtle but significant’ changes in the GDPR – General Data Protection Regulations. The changes are designed to put people back in control of their data and push back on what he described as a ‘fake consent culture.’ But don’t panic, he said, we all just need to get on with our GDPR ‘homework’. Now.
2. Clear contextualisation will drive user consent
Timothy Pilgrim, the Australian Information and Privacy Commissioner, in talking about data innovation, ethics and discrimination, also noted the escalating number of consumer queries now coming through to his OAIC team. In a case study raised by Dame Diane Robertson, Chair of the Data Futures Partnership, we heard about the importance of proactive community engagement and contextualising any initiative which carries privacy risk. Understanding the social benefits which outweigh those risks can mean the difference between failure and success. Dame Diane talked about an approach taken to predict the likelihood of child abuse in New Zealand and how that project, with the best of intentions, had struggled in part because the context of the data collection was not made clear to the end-users.
3. Not all data de-identification methods are created equal
It turns out that the de-identification of your user data does not necessarily get you or your business off the privacy compliance hook. Nor, it seems, can you blame your AI algorithms if everything goes haywire with your data. Anna Johnston, Director of Salinger Privacy, explained the risks behind identity and attribute disclosure and individuation. I was then surprised by how easy it was for a room full of privacy lawyers, data protection officers and corporate business leaders to work out ‘which student flunked Spanish’ in a series of fake data pop quizzes led by Anna. She also simplified the differences between 'K-anonymity' and 'Differential privacy' for us, another reason why businesses should hire experts to get their data de-identification programs right the first time.
4. Building a privacy-aware culture takes more than a few tattoos
Apparently, you need donuts as well, according to Craig Templeton, CISO of the REA Group. Craig’s hilarious presentation on how attitude beats compliance as a lead indicator of cyber resilience focussed on the importance of using a positive ‘nudge’ rather than cyber fear to get results. His Digital Ink program, which included inviting staff to visit the security team to review their social media privacy settings, was inspired and clearly effective at REA. It was a great case study on driving positive human behaviours at work to build a security aware values-led culture.
5. Marketers now need to think like criminals
For a really disturbing view on how vulnerable we all are to remote privacy intrusions via our mobile phones, I highly recommend watching the short film Find My Phone by the brilliantly curious Anthony Van Der Meer. A discussion of the making of the film between Anthony and Brett Winterford, Cyber Outreach at the Commonwealth Bank, was a highlight of the day for me. The film takes you on a privacy ride that pushes the line from cool to creepy and then on to positively dangerous. And you may never look at your phone the same way.
So congratulations to the IAPP ANZ team for a fascinating day and for regularly bringing the privacy industry together in Australia. From my experience, these industry events genuinely prompt more robust discussions, often behind closed doors, that can lead to the kind of safer and more mature technical platform designs that we can all be proud of and that, frankly, every one of our customers deserve.
Senior Customer Success Manager Linden Dawson is based in ForgeRock's Sydney office.