Wednesday, November 19, 2014

The best way to lose e-trust

All enterprises with Customers should take note: the emerging way to lose the e-trust of partners or clients is to openly or surreptitiously remove from them the control of their own data. The issue comes not only from using their data without their express wish, in a way that does or does not benefit them, but more importantly from removing their ability to control how it is collected and used. The usual Internet Giants have become masters of these malpractices, the best examples of which feel very spooky to those on the receiving end. However, the media and thus the public are waking up to the issue. For a while there have been a few pathfinders who have been deliberately taking back control (usually by eschewing the free services on offer that gave organisations the ability to control their data, or by creating watermarked data). One such pathfinder, Janet Vertesi, Professor of Sociology at Princeton University, recently realised that Google knew about her planned engagement to be married prior to any of her family or friends, and worse, was acting upon that knowledge to make money for Google. Importantly, it is not just the Internet giants that can fall foul of our natural desire to retain control over our own information.

Signs of this malpractice can be found in how your organisation:
    - gains access to data and identifies the data's owners
    - enables the owner to control current and future use of their data
    - uses the data in respect of those express wishes

Not appropriately managing the control owners have over their data can have a profound impact on your clients' and partners' e-trust in you and on their future behaviours. These malpractices have been erroneously labelled the Privacy Problem by regulators and politicians. Worse, some EU politicians have gone down the path of legislating the "Right to be forgotten". In truth the problem is far simpler: it is a control problem, one that sociologists label as our natural desire and capacity for "agency".

How does your organisation stack up in the race to attain and maintain e-Trust in an increasingly Outside-In world?

Some Diagnostic Questions
Does your Company sell or acquire lists containing external data to or from outside organisations?
Warning: most such lists will contain toxic data. Are you clear on how you can filter out such toxic data?
E.g. a customer whose data was on such a list despite their express intent for it not to be used or re-used.
Personal example: I passed my contact details to a Jamie Oliver website having unchecked/checked all the do not share boxes. I gave an email address that uniquely identified the Jamie Oliver website. In less than a month the email address was being spammed. I no longer trust Jamie Oliver or his companies and no longer visit his restaurants.

Do you give your data owners direct control over their own data, and how you may use it?
Warning: this is not a trivial activity. Do not answer this question lightly. Sadly the Digital Fabric is not yet in place to give a clear affirmative to this question. But that's another topic!

Do you gather the express wishes of data owners?
When you acquire others' data, do you only use it having established and stored the express wishes of the owner as to how it may be used, now and in the future?
Do you give the owner a simple means of changing these wishes? That is, can the owners view and change your entitlement to use their data? And I don't just mean their email address!

Do you give data owners the ability to classify their data?
By establishing from the data owner the regard in which they hold their data, you can decide more effectively how you wish to protect it and even if you want to store it.

Are you transparent with all your sharing controls/settings?
Warning: Hiding such controls deep in a system, or obfuscating them in any way, can reduce e-Trust.
Apple's latest iOS has a setting found at the end of this chain:
Settings/Privacy/Location Services(scroll to the bottom)/System Services/Frequent Locations
Not only is it placed deep within the iOS control panel, but when the facility was first enabled the user was not directly asked whether it should operate, and it is by default set to "Collect and store times and locations visited".

Do you comply with the express wishes you have collected?
E.g. LG Smart TV had a setting that ostensibly disabled the collection of personal information. The collection took place whether or not the box was checked.

Are you using the Identity of your Customers, or do you require them to use your identity for them?
Having a very effective Identity, Entitlement and Access Management system is key. NB: this is not the traditional Access Control List or Active Directory approach. An Outside-In IdEA system needs to be architected as such. Would you trust a person who chooses to give you a new name and refuses to use your own?

When contacting a Customer do you demand from them information that assures their identity or do you first give them information that assures yours?
Do you have a means of identifying and authenticating yourself to your partners & customers and then vice-versa?
Personal Example: I was phoned by an Insurance company; they demanded that I give them personal details to authenticate myself, and gave me no way of authenticating them. The banks also currently operate this practice, especially after they have discovered a fraudulent transaction. Potential Solution: Your Google Authenticator should currently be showing this pin for us...
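The "authenticator pin for us" idea above, sketched as an added example that is not part of the original post: company and customer share a TOTP secret enrolled beforehand, the agent reads out the current code, and the customer checks it against their own app before disclosing anything. The function names are hypothetical and the secret is the RFC 6238 test key, used here as constructed sample data.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per TOTP time step (RFC 6238 default)

def totp(secret: bytes, at: int, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 for the Unix time `at`."""
    counter = struct.pack(">Q", max(0, at) // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # RFC 4226 dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def company_spoken_code(secret: bytes, now: int) -> str:
    """Company side (hypothetical helper): the code the agent reads out."""
    return totp(secret, now)

def customer_accepts_caller(secret: bytes, spoken: str, now: int,
                            drift_steps: int = 1) -> bool:
    """Customer side (hypothetical helper): does the spoken code match what
    the customer's own authenticator shows, allowing +/- drift_steps of
    clock skew? The customer checks this before giving any personal details."""
    ok = False
    for k in range(-drift_steps, drift_steps + 1):
        expected = totp(secret, now + k * STEP)
        ok |= hmac.compare_digest(expected, spoken)  # constant-time compare
    return ok

# Constructed sample data: the RFC 6238 test key and its first test time.
SAMPLE_SECRET = b"12345678901234567890"
SAMPLE_TIME = 59

if __name__ == "__main__":
    code = company_spoken_code(SAMPLE_SECRET, SAMPLE_TIME)
    print("agent reads out:", code)
    print("customer accepts:",
          customer_accepts_caller(SAMPLE_SECRET, code, SAMPLE_TIME))
    print("stale code two minutes later accepted:",
          customer_accepts_caller(SAMPLE_SECRET, code, SAMPLE_TIME + 120))
```

The secret should be enrolled for caller verification only: if it were the same secret the customer uses to log in, anyone who overheard the spoken code could replay it to the login page within the same time window.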

Who in your Organisation owns ensuring that your customers are, and remain, in control of their own data?
The answer to this question can give you a clue to your organisation's digital agency maturity.

5* Office of Co-Creation
4* Office of Information Asset Management, Chief Data Officer
3* CISO or Compliance Manager
2* Privacy Officer **
1* Someone in IT
0* The Marketing Department 

**(Position of this role depends upon the mindset of the incumbent. Too often they see their role as protecting their organisation from litigation, instigating practices such as the wholesale deletion of evidence of malpractice, which they laughingly name the Retention Policy. Those Privacy Officers who see their role as protecting the Privacy of their Customers and, even better, giving their Customers control over their data could achieve 3* or 4*. Sadly too many fall into the lower position.)

Your organisation's e-Trust is founded upon your capacity to deliver agency to your customers.

On the journey to Outside-In, your ability to deliver digital agency will be a key organisational capability. It needs developing, but be warned: it is not a muscle that most enterprises are used to using, for it involves giving control to Customers, not wresting it from them.

However, by far the more important question is: how can you build on your capacity to give digital agency to your customers, by adding value to you and your customers? The answers to that question lie in the Clockwise Security topic, a discussion of how security can be used to create value, not just avoid risk, and in this direction lies Co-Creation.
