Data collection: why Australian firms are dialling back

Australian attitudes towards excess data collection and personal privacy have indelibly shifted. At the same time, interest has soared in the use of digital identities as a means of giving individuals more control over their data and businesses a way to reduce their data footprint.

Organisations are changing the way they collect personally identifiable information (PII) data and establish the customer identity based on four key considerations.

1. Attack surface reduction

The obvious reason for this shift is the scale, profile and nature of PII breached in recent attacks. These incidents instantly educated Australians on the amount of personal data being held and the varying degrees of security and control of that data being employed. As a result, repetitive oversharing of PII data to access places or services became top of mind for the average consumer.

For businesses, minimising appeal as an attack target — and the potential to be on the wrong end of a $50 million privacy breach fine — is an obvious reason to dial back on own data collection and embrace alternative methods of establishing customer identity.

Identity data will never not be valuable because identity touches everything and is the perimeter of security — if I can be you then I can access everything that you are allowed to access.

One way to resolve this is to reconsider whether long-term retention of personal data and documents is necessary. This was highlighted in last year’s Optus breach, where it was discovered the company was holding data dating back two decades for customers that no longer used the provider’s services. Many public and private sector organisations are now looking into better ways of establishing a person’s identity than having to keep a multitude of documents and data fields on file.

2. To meet customer expectations

Meeting the evolving privacy expectations of customers is equally important. Australian consumers want to be protected from security threats and fraud but are still hesitant about providing multiple identity verifications to access a service. This was the case even before the latest wave of breaches.

Consumers expect companies to protect them and their data and — as we know from our own research — they increasingly favour organisations that prioritise security, particularly for authentication. Fifty three per cent of breach and online fraud victims “are more cautious about revealing information” to organisations again, owing to their experiences. Four out of five customers will “stop engaging with a brand online following a data breach”.

Based on what we know about consumer attitudes towards security and privacy, it makes sense to meet or exceed expectations, to foster trust and create comfort.

3. New models make data reduction possible

Data reduction is only feasible if alternative methods for strong authentication are available. Businesses are dialling back on their data collection now, largely because they can.

The advent of digital identity exchange models, like ConnectID, provide a commercially viable path for businesses to transform the way they establish and verify customer identity, without impacting assurance or raising risk levels. Australia currently has many “islands” of identity — banks, telcos and governments that have verified people’s identities to a high extent. Under ConnectID, these identities become reusable. The model acts as connective tissue between the customer, a trusted identity provider and a new third-party seeking to establish the customer’s identity.

Under this model, customers have the flexibility to choose which existing trusted identity is used. This gives them greater control over how their identity is established and limits the amount of information that can been kept on file by organisations they may potentially transact with in the future. Using ConnectID, businesses can still fulfil authorisation requirements while enjoying a massively reduced risk profile.

4. Digital simplification

There’s also a digital dividend for businesses that commit to data reduction: it materially simplifies digital processes or workflows, such as a customer onboarding or login process.

Extracting personal data from uploaded ID documentation to autofill forms and separate verification requirements can add several steps or clicks to a digital process. If this can be simplified without compromising efficacy, it drives a faster interaction and better customer experience, which in turn improves onboarding flow and funnel conversion — all without sacrificing security or trust.

Businesses also benefit by adding transparency data to customer-facing portals and apps. Customer confidence increases when there is transparency about what data is held, for what purpose and under what conditions it may be shared. If that information is visible in an easily accessible dashboard — and the customer is give control over some or all of the settings — businesses may see further upside in customer loyalty and satisfaction.

Collectively, these four considerations should be enough for product and digital teams in customer-facing industries — utilities, telcos, insurers, e-commerce operators and beyond — to encourage internal discussion around data reduction, to develop a strategy and roadmap, and to start putting words into action.

Image credit: iStock.com/Olivier Le Moal