We never thought we would have 70 people in the room to talk about regulatory measures, but given that data is being called the most valuable asset on earth, it makes sense. Here is the breakdown of what was discussed at the regulatory panel last month:

How does an organisation incorporate legal and ethical considerations when building a user case for customer data?

Unsurprisingly, it’s never really a case of black and white – this space is very grey. Organisations have very different perceptions of their ethical and legal obligations and will interpret these differently, so the first step is to look into the mirror and decide what type of organisation you are. Are you the type of business that pushes things right to the edge and/or occasionally crosses it for competitive advantage? Or are you the type of organisation that derives competitive advantage from other areas, and data is more of a means to support this?

You shouldn’t be building a user case to justify why you need to use customer data for a particular purpose – the conversation should be focused on simply arriving at the right answer, rather than a justification. Whatever decision you arrive at, you should record it along with any precedents you have used and your reasons for getting there, because good decisions don’t always lead to good outcomes.

Does your organisation manage data differently depending on its use?

The GDPR gives very specific definitions of different types of data depending on the severity of a breach, but we don’t really have that delineation in NZ. Here, there seems to be more of a blanket approach, in that everything gets lumped together under the term ‘personal data’.

Another pitfall is that organisations are often asking the questions, ‘what is the potential impact to the organisation?’ and ‘what is the risk to our business?’ What we really need to do is flip the switch and be asking, ‘what is the risk to my customers?’ or ‘what is the risk to our people/our employees?’ If you think about the impact of a breach, leaking an email address or a name is much less severe than credit card or health information. People are trusting you with their data, and different kinds of data have different value and should be treated as such.

This raises an interesting point – how many organisations are actually asking their customers how they feel about the various uses of their data? There is a fine line between an organisation being invasive and using data to provide a quality service, so this type of customer feedback will become increasingly important.


With changes in global privacy law and ethics, what are the pitfalls to watch out for?

This has become more complex recently due to the fact that you now must comply with regulation in not only your own country but also in other countries (e.g. GDPR). We need to approach data differently to how we have approached other topics – it builds quickly, it can be reused constantly, and it can be leaked very easily. If we don’t have good strategies in place at an organisational level, we open ourselves up to the prospect of losing our data, and therefore our reputation, and therefore our business. This really comes down to customer trust. Dame Diana has worked closely with several different boards and has found that there often isn’t a lot of quality representation from data experts who fully understand how to get value from their organisation's data and what the risks are.

One other thing to note is that this shouldn’t be about ‘ticking the box’ just to be compliant with NZ legislation – businesses should see this as an opportunity to differentiate their business, and many already have done so. The complexity we face is that the impact of a data breach is individual to a person, and each person’s beliefs are different and change over time. We should be empowering customers by asking them, ‘what would you like us to do with your data?’ By doing this, we can understand what data is most valuable and therefore worth protecting.

Partnerships and third parties – what should an organisation consider when consuming or sharing data? What limitations/responsibilities should there be on the sharing of data, particularly when it is out of your hands?

It’s a minefield. The culture and actions of an organisation can change on a dime, and even though we have contracts to fall back on, contractual penalties are often not pursued in New Zealand. You can do your due diligence, of course, but the ideal scenario is to keep a close working relationship with the third parties who are actually using the data – unfortunately, due to size and scale, this often isn’t feasible. The risk is exponentially higher once you lose that face-to-face interaction, especially once it goes overseas. Just saying that we have a contract in place is no longer good enough. A contract is the last resort, not necessarily an assurance. Instead, there needs to be top-down understanding and alignment around how the organisation should use and commercialise data.

Data provenance is becoming more and more important. It’s akin to the fashion world a few years ago when nobody cared where the materials were coming from, whether they were sustainable, who made the clothes or how much they got paid. Now everyone wants assurance that their clothes weren’t made through unsustainable practices or by underpaid children. This is almost the same approach that should be taken to data – we should have a clear understanding of where the data we are using is coming from, both as the collector and owner of the data and as the third-party/vendor receiving the data.

One method used by some organisations could be to hold third parties to a higher level of accountability in a statement of work. By stating something along the lines of, ‘after the completion of this statement of work, you must delete the data used for this workstream and send a confirmation email once this has been deleted’, you are putting accountability back on the third party and ensuring they understand that you take the security of your data very seriously.

How does your organisation balance the extraction of value from data, while also balancing innovation with customer expectation and financial risk/reputation?

Controls can be put in place – for example, anonymising datasets in such a way that risk is minimised. In terms of an organisational structure, each organisational discipline should have a data specialist. That then frees up the data governance function to unlock value within an organisation by asking the right types of questions and ensuring that any data decision being made will actually add value.

What is the appetite of Auckland organisations to engage with a third party that would provide a one-stop shop for privacy settings to users?

Anything that can be done to make privacy easier is a good thing, and organisations should be willing to have these types of conversations. It’s very rare to come across an organisation that truly doesn’t care about the privacy of its customers. Every company cares, so ideally people should be interested in potential ways to make privacy easier. It’s also good to keep in mind that everyone is doing their best, but their best isn’t necessarily perfect the first time around. Mistakes do happen, but we are all always learning and striving to improve.

We thank the panellists for sharing their views on this sometimes grey area of data/marketing that is still in its legislative infancy in New Zealand. There were very consistent themes across the experiences of the panel, and we thank them for sharing their views and insight into the navigation of compliant and respectful use of customer data. It’s important for organisations to understand that the GDPR and other NZ regulation can’t be viewed as a box-ticking exercise – there is a real opportunity here to ensure that we have our customers’ interests at heart and that we’re giving their personal data the right level of respect and security.

Article written by Louis Martin, member of the MA's Data Special Interest Group