The Marketing Association warns New Zealand firms must be more proactive about protecting customer data or risk an increasingly stringent regulatory regime.
The reminder comes as businesses in Europe prepare for the introduction of the tough General Data Protection Regulation (GDPR) on May 25. It also comes in the wake of Facebook boss Mark Zuckerberg being hauled in front of a US Congress committee, where he admitted his company needs a broader and more active role in protecting the privacy of its users.
Marketing Association chief executive Tony Mitchell says New Zealand companies are largely good at protecting their customers’ data. But the Cambridge Analytica fiasco shows serious issues can arise and companies must be vigilant.
“Facebook is a case in point. They have already done a lot to protect consumers’ privacy, but now they have admitted they need to do more,” he says. “Our reminder to New Zealand companies is that they might think they are doing well, but as new data uses come in and technology changes, new areas for misuse could creep in.”
Mitchell said New Zealand businesses also struggle to explain data privacy policies to customers, who are rightly concerned about their data being misused or sold.
“Most New Zealand companies have people in specific roles to protect their data. They understand the Privacy Act and are cautious about what they are doing with customer data. But I don’t think the public know that. They are not aware of procedures, rules and regulations that these organisations put in place.”
That matters because it impacts on how consumers view companies holding their data.
The latest research from the Office of the Privacy Commissioner shows 62 percent of New Zealanders think data should not be shared, believing privacy risks outweigh the benefits. They believe phone, email, earnings, health, location and website visit data are of particular concern.
However, people’s willingness to share information jumps to around 60 percent from 38 percent if they know the organisation has safeguards in place. These include data being anonymised, the company allowing them to opt out if they want, and strict controls being in place on who can use the data.
Mitchell estimates New Zealand companies could be spending upwards of $1 billion a year on the commercialisation of data. That includes businesses and not-for-profits collecting, analysing, storing and using data, and to a lesser extent buying and selling it.
He thinks between $500 million and $1 billion of that estimate involves large organisations such as banks, telecommunications firms, retailers, insurance companies, and the health sector using their own customer data, sometimes combined with ‘big data’ brought in from overseas, for business decision-making and communicating with customers.
“They aren’t selling it,” Mitchell said.
Another $150 million to $200 million is being spent by companies running or involved in loyalty programmes, Mitchell estimates. This includes fees the loyalty companies receive from their partners, who buy the data to provide services to the schemes’ customers.
The final tranche in the data commercialisation pie is data analytics companies that help other organisations use data. That market could be worth $50 million-$100 million, he said.
If participants in that $1 billion industry aren’t careful and transparent about the way they use personal information, the government may introduce tighter and more expensive regulation, he said.
New Zealand’s current regime is a mixture of legislation such as the Privacy Act and self-regulation. The Marketing Association’s Data Warranty Register lists companies that meet best practice around data privacy. But so far there’s no third-party auditing required.
More importantly, being on the Data Warranty Register is voluntary and most companies don’t bother. Of the Marketing Association’s 550 members, just 36 are on the register, or 6.5 percent. And there are some big names missing in terms of companies with access to wide swathes of data, such as Air New Zealand, The Warehouse, Fonterra Cooperative Group, or any of the petrol stations – BP, Mobil, Z Energy.
Mitchell said if the government starts worrying about New Zealand companies being complacent around privacy, or if there is a backlash from consumers over breaches (as with the Cambridge Analytica scandal), it will likely look at tougher legislation and increased auditing to make sure they are meeting the standards, adding to firms’ regulatory burden.
New Zealand’s updated Privacy Bill, due to come into force on July 1, 2019, is already a step forward for data protection. But it is weaker than the new European General Data Protection Regulation (GDPR) regime in a number of key areas, including:
– GDPR introduces the right to be forgotten, where an individual can ask an organisation to delete everything they know about them. From a company’s point of view, this can be time-consuming to do and prove, particularly if the business has been sold and/or there are old computer systems lurking around;
– GDPR brings with it tough penalties for breaches, including up to 4 percent of worldwide turnover. These levels of fines could potentially break a New Zealand exporter;
– GDPR allows data portability, where a customer is deemed to own their data and can move it from one company to another. This is particularly relevant to loyalty programmes, where a customer might want to keep their behavioural and transactional data (that they are interested in specials on coffee, for example, or flights to Japan) when they move from one company to another.
“My feedback for New Zealand organisations is they need to remain vigilant and maintain the trust of consumers,” Mitchell says.