How to Achieve Effective Customer Privacy and Consent

An evolving threat landscape, hybrid work patterns, and staff shortages are making life difficult for many IT security teams. Add additional factors such as the growing use of mobile devices and cloud resources, and things become even more challenging.

In many organisations, this workload has now grown even further. Security teams are now tasked with putting measures in place to ensure customer privacy and consent is being properly managed.

This means teams need to learn, implement, track, and update a fully-featured consent management platform (CMP). The platform also needs to be configured to ensure the steps being taken are aligned with the regulatory requirements of the region in which the business is operating.

Key drivers behind privacy and consent

Increasing awareness of the value of personal data has made many consumers more aware of how their details are being captured and stored by businesses. They are also more aware of the consequences of that data falling into unauthorised hands.

One example is the rise in phishing attacks launched on the back of stolen personal data. Cybercriminals are using this data to craft more compelling phishing emails or trying to use personal data to bypass security verification steps.

Consumers may also find themselves the subject of annoying marketing campaigns. With so many unauthorised third parties having access to customer data, unwanted marketing outreach is becoming prevalent.

Data privacy regulations

In an effort to enforce better privacy protection for consumers, governments around the world are introducing new regulations with which business and public-sector agencies must adhere.

The regulations require organisations to implement privacy and consent management tools into their websites and mobile apps. If they don’t, significant fines and penalties can result.

In Australia, the Consumer Data Right (CDR) regulatory framework has been introduced. Its aim is to provide consumers with greater control over their personal data and enable them to securely share it with trusted third parties. The CDR was initially introduced in the banking sector and is now being extended to other sectors, such as energy and telecommunications. The primary points it covers are:

  • Access to personal data: Data holders, such as businesses, are required to provide consumers with easy-to-use mechanisms to access and share their data securely. They must comply with strict privacy and security requirements to protect consumer data from unauthorised access and misuse.
  • Data privacy: The CDR also emphasises robust privacy protections to ensure that consumers have control over their personal data. It incorporates principles of data minimisation, consent, and purpose limitation, which means data can only be used for the specific purpose for which it was shared.
  • Consumer consent: CDR requires a business to obtain explicit and informed consent from consumers before sharing their data with accredited data recipients. Consumers must be fully aware of what data they are sharing, with whom, and for what purpose.
  • Individual Rights: Consumers have the right to access specific categories of their data, such as transaction history, account information, and product usage details. Consumers can then share this data with accredited third-party providers they trust.
  • Incident Reporting: Both data holders and accredited data recipients also have obligations to report any data breaches promptly. This includes notifying the affected individuals and the Australian Information Commissioner.

The role CIAM plays in achieving effective privacy and consent
Increasing numbers of organisations are finding that deploying a Customer Identity Access Management (CIAM) platform can help them achieve the levels of privacy and consent that they require.

CIAM solutions offer key capabilities including data consolidation, consent capture and management, data access governance, and end-to-end data security. Also, CIAM best practices help make compliance efficient and cost-effective through the consolidation of data, improved control, and data governance.

Once an appropriate CIAM platform has been selected and deployed, there are three key steps that will need to be taken. They are:

  1. Capture customer consent: The task of capturing customer consent should be completed very early in the customer onboarding process. The goal is to provide customers with privacy and consent options and allow them to select their preferences.
  2. Secure storage of consent: Once customer consent and preferences are captured, a business should have a way to store those preferences. Storing consent preferences alongside attributes is recommended as this provides an organisation with a unified directory where all customer information can be obtained.
  3. The enforcement of consent: The third step involves enforcing consent. Centralised authorisation policies provide fine-grained access control that uses real-time context about customers and resources, and compliance is ensured by streamlining the management of data privacy and consent with automation.

By using an advanced CIAM platform in this way, an organisation can be confident it is delivering the level of privacy, security, and consent that customers are seeking.

This level of security, paired with a more convenient digital experience, will make it far more likely that customers will interact, transact, and forge a long-term positive relationship with your business.

Ashley Diffey, Vice President Sales APAC and Japan at Ping Identity
Ashley Diffey
Ashley Diffey is a passionate leader with over 20 years of experience in B2B sales, key account management and business development in both the finance and ICT/telecommunications industries, specialising in security, data, communications, SaaS and hosted software. As Head of Asia-Pacific and Japan for Ping Identity, Ashley is responsible for accelerating sales and bolstering customer support and services to continue driving the increasing demand for Ping Identity’s solutions in the region. He works with organisations to achieve Zero Trust identity-defined security and more personalised, streamlined user experiences. In addition, he works closely with customers to provide flexible identity solutions that accelerate digital business initiatives, delight customers, and secure the enterprise through multi-factor authentication, single sign-on, access management, intelligent API security, directory, and data governance capabilities. Prior to joining Ping Identity, Ashley worked at leading ICT/Telecommunication companies, including F5 Networks, Commvault and Telstra. During his tenure at F5 Networks, he oversaw the organisation’s southern regional channel and Telstra partnership. He was also Director for Channel Sales Australia and New Zealand at Commvault.