Mathematician and entrepreneur Clive Humby once said: “Data is the new oil.” It’s an immense resource just waiting to be extracted and exploited. According to Deloitte, nearly half of all business leaders say data helps them make better decisions. Around 15% say that it better enables key strategic initiatives and improves relationships with both customers. Over the past decade, we’ve seen just how powerful data can be, particularly in markets with lax or lenient privacy regulations.
Companies like WeChat, GoJek, PayTM, and AliPay have thrived partly due to how expertly they harnessed big data to deliver ultra-modern digital services. But the days of unfettered access to data may be drawing to a close. Recently, we’ve seen an increase in new privacy legislation delivered by governments and regulators. Today, two-thirds of countries have data protection and privacy legislation in place—the Health Insurance Portability and Accountability Act (HIPAA), the California Consumer Privacy Act (CCPA), General Data Protection Regulation (GDPR), SOC Type 2, the list goes on. The reality is, these regulations create new barriers and hurdles for companies.
“Developing technology, especially hardware and software, that protects privacy (and is, in general, secure) takes longer than just building cool stuff,” Charles Edge, Chief Technology Officer at venture capital firm Bootstrappers.mn, tells The CX Review. “We have to think deeper, write better code, have better testing and automation in place to get that code to market quicker, and always be watching bad actors in the world to see where they’re going next to try to stay one step ahead.”
According to a recent paper in Information Systems Frontiers, strict regulation can constrain innovation, provoking “abandonment, entrepreneurial discouragement, and data minimization.” So too can it obstruct specific business models and technologies, particularly those lacking a direct relationship with the end-users, and/or the inability to offer users a direct benefit from the processing of their data.
But companies cannot shrink back from the challenge. Innovation is the lifeblood of companies. To paraphrase scientist William Brody, innovation drives productivity and productivity drives growth. The question, then, is how should organizations tackle innovation in the face of progressively robust regulation?
A diverse and inconsistent world
Given the intense media coverage of flagship privacy regulations like the CCPA and GDPR, it’s easy to assume the entire world is focused on data privacy. Considering that just 16% of all countries have no legislation on the subject, the facts seem to back up this worldview. But the reality is more nuanced.
“We see different regulations that reflect [increased data privacy] concerns in places like Europe, California,” explains Edge. “On the other side of the privacy equation are places like China, where the government mandates various requirements for operating within their borders that provide state institutions with the ability to access private data.”
Even within markets, there is immense variation. The United States, for example, balances federal and state legislation.
“The patchwork of federal and state-level data protection regulation makes it harder and more expensive to operate,” Ryan Johnson, Chief Privacy Officer at Savvas Learning Company, tells The CX Review. “It’s hard to build a product that must comply with regulations in California but not in Idaho. The market thrives off of uniformity and right now we simply don’t have that.”
But inconsistent regulation is only half the equation. Consumer beliefs, expectations, and demands turn a disjointed market into a fragmented mess. For some, data privacy is a basic human right that must be protected. They see existing data practices as invasive and argue for stricter regulation.
“To me, the decrease in the amount of control we have over our personal privacy is extremely concerning,” says Daivat Dholakia, an operations executive from Austin, Texas. “I’ve always felt that maintaining privacy is a sign of respect for the individual.”
Others, however, are more balanced. They acknowledge that personal data is often essential to the operation of tools and services.
“I do care about data privacy… to an extent,” says Sal Gonzalez, a business owner from Pasadena, California. “Certain apps ask to track your location in real-time. When it comes to services like these, I don’t mind. Knowing where I’m located in order to give me a precise and much greater user experience is not a problem.”
And a few recognize that personal data, if used correctly, can help organizations turn generic services into hyper-personalized experiences.
“Although privacy is important to me, I have to admit that the information collected from my personal data does make my online life easier,” says Ann Martin, a business director from Manila, Philippines. “My entire online experience is customized for me––making it far more enjoyable and applicable to my life.”
Faced with such a complex, inconsistent, and shifting landscape, companies face an uphill battle. But it’s not insurmountable—far from it.
Responding to privacy regulation
Data can enhance customer experience in a myriad of ways. Behavioral data can help surface points of friction in your user journeys. Engagement data can help you evaluate the impact of new service offerings. Transactional data provides an unbiased performance yardstick for new initiatives. Often, personal data is integral to service delivery. Navigation apps need location data, health trackers require biometrics, and so on. Simply put, the tension between privacy and innovation is one well worth tackling.
In their Information Systems Frontiers paper, academics Nicholas Martin, Christian Matt, Crispin Niebel, Knut Blind offered four responses for organizations facing data privacy regulation:
- Product Abandonment: “They can abandon the problematic product or idea to focus on others that face fewer regulatory restrictions.”
- Compliance Innovation: “They can innovate changes, to make the idea/product compliant, while preserving its basic architecture and value-proposition, e.g. by making default settings more privacy-friendly, or using anonymized data instead of personally-identifiable information.”
- Strategic Non-compliance: “They can deliberately contravene the regulation, at the risk of running afoul of the authorities and facing punitive consequences (fines, closure, etc.).”
- Regulation-exploiting Innovation: “Innovating solutions to help companies achieve compliance without damaging their regular production and value-creation activities, that can be sold to those affected by the regulation in question.”
The optimal choice for any company depends on various internal and external factors, including technological capabilities, financial resources, ease of compliance, market demand for compliant products, and the level of regulatory enforcement. Although the decision to innovate, abandon, ignore, or adapt is highly contextual, the academics also provided a basic two-by-two decision framework using level of enforcement and the level of expected market demand for regulation-compliant products.
By selecting your circumstantial market demand and regulatory enforcement, you can identify one of the four quadrants. Each has a range of options, although there is usually one preferred over the rest.
While some of the decisions stymie innovation and inventiveness, others do not. Both compliance innovation and regulation-exploiting innovation encourage organizations to create new products, services, and experiences. So although privacy can be a deterrent to innovation, whether or not it will depend on the circumstances, resources, and actions of the company in question.
Privacy cuts both ways
“Privacy serves as a constraint to innovation, just as humans serve as a constraint to visiting other planets,” security consultant Jeffrey Stollman tells The CX Review. “We have the technology to send machines to other planets. We could put a human in a space capsule and send it off to Mars. But we are currently constrained by the technical hurdles to ensure that the human we send will arrive alive and be able to return alive.”
While privacy appears to stymie innovation, Stollman suggests that’s the wrong way of looking at the challenge. There are many things you could build if you ignore privacy, just as we could build a space capsule if we ignore the human inside. Instead, he suggests we ask, “What is the goal of each project? Is it to build for the sake of building or to design a product or experience that’s beneficial for the end-user?”
Privacy inarguably obstructs the former. The latter, not so much. As the privacy-innovation framework illustrates, regulation can foster new innovations to overcome the constraint and align with the user’s best interests.
“New technology creates new markets that create new opportunities to overcome constraints in other industries,” Stollman continues. “The development of steel overcame the constraint of how tall a building we could construct. The airplane industry could not do what they do without the innovation of using aluminum.”
Privacy regulation is no different. All it requires is organizations to seize the challenge, advocate for their customers, and innovate.