Consumer-data privacy and personalisation at scale: Strategies to get it right

Marc Sorel is a partner at McKinsey & Company.

Personalisation at scale is where retailers and consumer brands are competing to win. But in focusing on “playing offense” to capture value, executives are often overlooking their “defence”: preserving, protecting, enabling, and accelerating the hard-won gains of their digital efforts by ensuring that personalisation at scale keeps personal data secure and private.

Getting the security and privacy of personalisation wrong can slow time to market for new applications, constrain remarketing and consumer-data collection, result in significant fines, or—worse—cause material harm to brand reputation through negative consumer experience. However, getting it right reduces time to market, puts security and privacy at the heart of the company’s value proposition, boosts customer-satisfaction scores, and materially reduces the likelihood of regulatory fines.

Top five strategies for moving quickly at scale

As the transformation of data management is piloted and scaled, prioritising a few key actions to improve security and privacy will ensure outcomes that enable rather than disable the business.

Build a risk register for digital properties

Taking a risk-back approach can help the executive team defend its decisions on where and how to allocate spend on security and privacy. Understanding how properties such as information systems and assets map to each other, to the threat landscape, and to the business value chain also clarifies where eliminating risks can enhance enterprise value.

Clarify data strategy, governance, and policies, and build in the roles and requirements to make them work

The details of programmes for data security and privacy may vary by company, industry, or the local regulatory climate. But some best practices are emerging as enterprises focus on data privacy and security. One leading privacy policy is the tokenisation and sanitisation of data before using them in remarketing. Further, leading institutions will align on the “minimum viable data and controls” required to preserve a long-term view of consumers and empathetically engage them at scale. To embed awareness of security and privacy across an enterprise, some companies find it useful to create roles for business-information security and privacy officers (BISPOs) or “security and privacy ambassadors.”

In the event of a breach of data security or privacy, it is helpful to have in place incident-response plans that are “living documents” formed through the test-and-learn iterative process of simulation. These can help executive teams make better decisions faster about managing their digital properties—and their relationships with regulators.

Build security and privacy into enterprise analytics and application development

Consider the example of an enterprise seeking to transform itself into a platform company. It wanted to use consumer and customer data to cocreate application programming interfaces (APIs) to transform how consumers engaged with the brand. 

By building relevant requirements into its software-development policies, the enterprise made the software-developer team responsible for meeting them right from the start, in the design phase.

The security-and-privacy team would only involve itself “by exception,” if a development team declined to meet a specified requirement. This approach ensured that standards on security and privacy were met in more than 90 percent of applications developed, which reduced downstream rework, accelerated time to market, and put data protection at the centre of the enterprise’s value proposition to consumers.

Create and deliver role-based training on security and privacy

Given that more than 80 percent of enterprise cybersecurity incidents begin with a human clicking on malware, regular training tailored to key roles is essential to reduce the risks of personalisation. Marketing teams, for example, might need to learn best practices for remarketing, such as parsing data to eliminate personal identifiability while preserving business value. There are about 15 core employee behaviours that can be addressed and transformed through a focused campaign of annual training supported by unpredictable reminders, such as occasional emails and text messages or anti-phishing test campaigns.

Personalise security and privacy for the consumer

Leading financial institutions have already unlocked the value of increasing net promoter scores (NPS) by taking the hassle out of consumer validation processes. By reducing hold times, simplifying and tailoring multifactor authentication to meet consumer preferences, and placing data-protection controls for consumer-facing applications in the hands of the consumer, they are improving customer experience without compromising underlying security and privacy.

As the enterprise risk of collecting, holding, and using consumer data to personalise offerings grows, so do the business-impairing consequences for those who fail to get it right. The opportunity around personalisation at scale for consumer brands and retailers has never been more critical to capture. At the same time, the need to create a net positive consumer experience while avoiding the downsides of reputational, operational, legal, and financial risks is a hard balance to strike. 

*The author would like to thank Julien Boudet, Kathryn Rathje, and Jess Huang for their contributions to this article.
