Having worked as a marketing lawyer and as a chief data officer, Sangster recognises that the question of how to protect customer data isn’t just a technical problem but touches every part of a business – from the way you take online payments to how you administer your email marketing. In 2017, Sangster chatted to Smarter Business.
Smarter Business: What would you say is the biggest myth regarding customer data privacy?
JS: I think the biggest myth, particularly in Australia, is that we have very restrictive privacy laws. Actually, in the world of privacy, Australia kind of sits in that middle ground.
If you look at Europe, they've got very restrictive laws, enormous fines that go with it if you get it wrong, and a huge amount of consumer protection around the use of data. [In] Asia, they've got very [few] laws around what you can do with data and so the data practices are much more broad.
In Australia, we've got principles-based law. It allows you to do certain things with data that benefit both the business and the customer in quite a sensible way. But we've got this perception that the law is very restrictive and it makes businesses in Australia very wary about using data. So we often find that companies are holding back more than they need to in their data practices.
SB: Should companies approach customer data as a valuable asset or opportunity instead of as a liability or compliance headache?
JS: Absolutely. At the moment it very much sits in the legal or compliance department within an organisation. Generally, they look at it as, "How do we need to restrict the use of the data?"
But if a company […] thought about ways that they can actually help a customer to trust their brand, that customer will be much more comfortable with the business using their data, will probably allow them [access to] more data and, with that, allow that company to be more customer-centric and provide a better experience.
SB: Is there a common bad practice or mistake that businesses currently make with customer data privacy?
JS: I truly believe that brands that are transparent and clear about how they're going to use the data are the brands that consumers will trust. Once you trust a brand, you're much more likely to be happy with them using your data.
SB: Does this create a tension between the temptation to grab as much data as possible, obfuscated behind impenetrable privacy policies, versus being more open and allowing customers to be more involved in the process?
JS: Yes. We did a large piece of research on this about two years ago. We went out to 1,500 consumers to talk to them about how they felt about their data being used by organisations – particularly for marketing purposes. The very strong response that came back was, number one, “Don't collect too much data up front because it makes me feel nervous”.
So only collect the data that you actually need, for the purpose you're going to use it. Over time, as the consumer starts to trust that business more, then ask for more data from me and build up that relationship.
The second one was, “Please be clear with me about what you're going to do with that data”. If I know, I feel much more comfortable with giving you my information and with you using it in that way.
If they're going to use data in new and different ways, then continually inform me about what's happening with my data.
SB: It seems like virtually every week a business is hacked or there’s a data privacy breach. Are Australian businesses doing enough to protect the privacy of customer data?
JS: Hacking is a reality in our world. Every day, millions of businesses are being hacked. As consumers, we can only do so much to protect our data. But as businesses, there is a responsibility on us to make sure that we keep that data as safe as we possibly can. And that is actually a legal requirement as well.
But, unfortunately, there are always going to be instances where data is hacked or that it's accessed for the wrong reasons. If that does happen, there is an obligation on the business to let the consumer know that that's the case.
SB: What about when businesses share access and control of that data, such as when using third-party tools like Hubspot, Salesforce or Xero?
JS: When we did our piece of research, the one standout thing that consumers were really concerned about was that their data was going to be shared and that they haven't got visibility or transparency about the fact that it's going to be passed on to a third party.
So again, we have to be much more transparent about if we're going to share the data with a third party: Be clear about it, be clear about who it's going to be shared with and for what purpose. And give the consumer a choice as to whether or not that happens. That in itself will hopefully increase consumer trust.
SB: Small businesses, micro businesses and freelancers in particular rely on third-party tools and cloud services to get things done. How would you advise a small business to manage the risk and protect customer data?
JS: The way that the law is set out, it's basically saying that if the data is kept within Australia, if you pass it to a third party in Australia, the [responsibility] is passed to that third party to keep the data safe, to only use it for the appropriate purposes, etc. But the minute that the data goes outside of Australia, into a different jurisdiction, all of the responsibility for the safety of that data sits with the party that collected it. In many instances, that may be a small business.
Particularly with some of those platforms, that data is actually being held on a server off shore. So you are taking on the responsibility that the third-party platform provider is going to do the right thing with the data.
Now that sounds a little scary. But what we've got to bear in mind with those platforms is that their whole business is making sure that the data remains safe, secure and that it's not accessed for unwarranted purposes, because if they can't guarantee that, they've got no business.
Read the terms and conditions as to what's going to happen with that data, so there's no shock at a later stage if something's happened with your data that you weren't expecting. It's really just about informing yourself and working with companies that you trust.
SB: Sometimes, consumers may have different attitudes towards what should be allowed, or what constitutes an ethical use of their data. Even if certain data practices are legally or technically okay, can they still be bad for a business because of how they’re perceived?
JS: Absolutely, and it happens. This is not just about legislation.
You mentioned the ethical use of data, and that's where we need to get to. The legislation provides a baseline. It is the foundation: the black and white; right and wrong; what I can do and what I can't do. But sitting above that as a company you have to understand your brand – how you want to be perceived by your customers.
Then you put in place your safeguards. “Our customers will be okay with us using the data in this way but I don't think we should go [beyond] this because that's not going to have the right effect on them.” So there's a massive piece in there around ethics and that is why I believe this doesn't just sit in a compliance department.
It’s why marketing should be so involved with this. Marketing should be the barometer of what a customer feels, how they're perceiving your brand, how they're interacting with you. If we put together compliance and marketing we will probably [achieve] the right outcome for the consumer.
SB: What would be your final one-line piece of advice?
JS: Trusted brands are going to be the ones that win, as we move into a data-driven future. Now's the time to be looking at how you can become one of those.
*Originally published May 16th, 2017. Updated on 8th November 2018.