McKinsey Q&A: How Protecting Consumer Data Can Pay Dividends

Can retailers and consumer-facing companies optimize for cybersecurity and user privacy while also enabling customization at scale? The answer to that question is “yes,” according to a recent McKinsey article. 

The subject of cybersecurity has steadily become a higher priority for enterprise organizations, thanks to a steady uptick in reputation-damaging cyberattacks in recent years. Traditionally, many organizations struggled to quantify the potential return on investment in privacy and cybersecurity initiatives. But legislation ranging from GDPR to the California Consumer Privacy Act has changed that. “Suddenly, there’s a dollar value attached to non-compliance,” said Marc Sorel, an expert associate partner for McKinsey. 

The proliferation of the connected home and consumer-facing IoT technologies, taken with consumers’ variable privacy threshold, further complicate matters. But in general, the more consumer data organizations collect, the higher the potential cost for missteps — in terms of reputation and possible fines. Organizations that emerge as security and privacy leaders tangibly decrease their business risk while potentially boosting consumer loyalty. 

In the following Q&A, Sorel shares why leading retailers and organizations with consumer brands can see their privacy and cybersecurity initiatives having a positive impact on their bottom line. 

What are some examples of how companies that have prioritized cybersecurity and user-privacy can see financial benefits? 

Sorel: There are real legal as well as financial benefits for the company that can flow to the bottom line and have a material impact on value creation. For instance, organizations with proven cyber hygiene can have constructive discussions with their cyber insurers about reducing their cyber insurance premiums. 

An organization that has, for example, a more secure geospatial mapping application can be a real differentiator with a customer base that is quite concerned about the integrity of the data that you’re collecting and using. Geospatial mapping data is also of great interest to nation-states and most sophisticated attackers. So, in short, I would say cybersecurity and privacy can be sources of differentiation and that there are many ways they can be sources of differentiation, whether it’s reputation, operational, legal or financial.

How much is legislation such as GDPR and CCPA a driver of this idea to see cybersecurity and privacy as a source of competitive different?

Sorel: I think legislation is a major tail wind for the overall trend around viewing cybersecurity and privacy as increasingly not just the headline-grabbing source of concern but a source of differentiation for the business.

Running afoul of GDPR, at its worst, is 4% of global annual corporate revenues for the enterprise violating the law. And similarly, every state in the United States has a breach notification law, which means, if you are breached within a certain period, you have to report that to the breach notification authority in the state, or else risk facing a fine or worse. And then on top of that, there’s the New York State Department of Financial Service Cybersecurity Regulation [23 NYCRR 500], which regulates cybersecurity compliance for any financial institution with business in New York City or New York state. Such laws have both reach within their locale but also beyond their state or their country or their region. They have a real impact on the way that enterprises think about the importance of privacy and security. 

There are a couple of new provisions in China’s cybersecurity law that [are also applicable].

The article “Consumer-data privacy and personalization at scale” suggests that marketing teams be intimately involved in consumer data privacy initiatives. Can you share more about that shift? 

Sorel: I think a lot of consumer, retail and hospitality institutions are all thinking about how to solve the consumer data privacy problem while preserving the benefit and value of digital marketing, search engine optimization and the like. 

In many instances, the core question is: ‘How do I avoid running afoul of the regulatory regimes that are in place while, at the same time, preserving the minimum viable integrity of the data I’m collecting to drive commercial value and insight?’ That is the balance that all of these institutions are trying to, in many cases, strike. 

Part of it is a profit answer in terms of how you treat the data that you’re collecting and what data you’re collecting, and what [type of] notice you give to the consumer. And part of it is a technical answer. You have to figure out how to splice, shield and otherwise mask the data that, in aggregate, reveals aspects of a person’s identity in ways that could be violative of their privacy. That is especially the case if they haven’t consented to sharing that data. And so this particularly affects remarketing as a part of consumer engagement, and how to remarket effectively using data from sites collected from SEO to drive traffic elsewhere — especially in instances where it may not always be known to the user that the data is being collected and used for those purposes.

So how do you change that because you have to under the law, in ways that still allow you to preserve enough integrity with the data to drive commercial input? 

A growing number of organizations are beginning to assign responsibilities such as cybersecurity champions or security and privacy ambassadors. There’s also an emerging role of business-information security and privacy officers. Could you share your thoughts on these trends? 

Sorel: The first thing I would say is that an ambassador is no different from a champion, really, in practice. It’s meant to be somebody in the organization who may not be doing security and privacy as their day job for the company. But this person is passionate enough about the topic — or [privacy or cybersecurity] is critical enough to their work — that they have reason and occasion to know more about the topic and resources and best practices than other employees. And through that, they become an advocate for those practices in their organization. 

In terms of the business-information security and privacy officer role, the idea of having someone who sits at the intersection of the cybersecurity function and the business is not particularly new. It may be in an early stage of adoption, but it’s not particularly new. The business-information security and privacy officer role’s value is to act as a two-way street between the cybersecurity function and the business. This is both to make sure that the business is meeting the requirements of the cybersecurity function for the enterprise, but also as the business evolves, that the business sees feedback about those cybersecurity requirements fed into the updates and revisions and redeployment of new policies and controls, and capabilities, to enable the business going forward. 

And that’s been the value of that role in the enterprise. I think what we’re seeing today is more of the convergence of security and privacy duties in single roles in the enterprise. From a risk perspective, particularly on the tech side, they tend to catch a lot of the same people a lot of the same way. Where, of course, as we mentioned earlier, the regulatory nuances are material between the two and different, but the core element of a risk-based approach for the day-to-day operations of the business are quite similar. And the BISPO role is the next generation of the role that sits at the intersection. You can almost call it the tech risk function, which includes security and privacy and the business itself.

The article “Consumer-data privacy and personalization at scale” recommends building security and privacy into enterprise analytics. Can you summarize why that’s important? 

Sorel: It depends on what type of analytic problems you’re trying to solve. 

The first thing to understand when you’re trying to build out an analytics capability is making sure that you’re building security and privacy into it. Typically, you’re taking a use-case-based approach to the analytics capability of your building. And before you actually begin to use it, or even build it, you’re clear and aligned on what is going to be your set of policies and controls for managing access, for managing the data that runs through it, for managing the output that it generates and the uses to which those outputs are executed. And then, you make sure you’ve established which maturity capabilities from your existing stack need to be extended, and which incremental capabilities you might need, given changes you’re making to your infrastructure architecture. 

The last thing I would say is that it is vital from a process perspective to make sure that you have in place the right governance committee, ideally, from both the business and technical side. The committee should convene regularly and make decisions about how to deal with issues that may arise as you go. Regardless of how well you plan, the nature of most analytics projects is that they’re complex, and [it is impossible to anticipate] all of the security and privacy issues that may arise as you execute.

The notion of tokenizing consumer data received considerable attention last year, given the surge of interest in digital ledger technologies then. What role do you see tokenization playing for consumer data? 

Sorel: Tokenization is just a way of just encrypting data points in such a way that there is not further decryption along the way. It ends up being a pretty impenetrable and secure channel for transmitting data from sender to recipient. Tokenization is used a lot today in financial services, particularly in payments but not really at scale elsewhere, although payments affect retail and the consumer sector — any industry where you’re having a consumer make a payment with a credit card. Also, tokenization can be in the enterprise B2B context where B2B payments occur. 

So tokenization is there for transactions. It has not yet scaled to consumer data. That’s the opportunity we are getting at. It’s very early days. I would say that it has not been adopted at scale. 

I think for other types of masking, [we’re seeing] a similar story. It mostly has to do with the only recent awareness of the imperative to engage in that type of masking [or] the consequence of recently passed regulations and requirements for treating consumer data carefully and in a way that meets the security and privacy expectations of the existing regulatory regime as well as the preferences of the consumer. 

To summarize, any final advice on how organizations can improve their standing with customers by prioritizing privacy and security initiatives?

Sorel: A number of institutions across a few industries are grappling with how to ensure a secure customer experience. We know from clients we’ve served that you can improve the Net Promoter Score of a company by improving the security experience of the customer with the company. And this is especially true in financial services. But anywhere that you have any clickthrough identity validation or another type of security protocol, it is especially true. 

And so what do effective and leading practices in customer experience look like? It’s all about empowering the user to set the standard they want to follow for validation through the medium and the means they prefer. You need to make sure that you do it in a relatively clickable and labor-free way. So that typically means, tactically, [providing clear options for consumers when they] are first engaging with the enterprise. The key is having a lot of different options for how they can set their preferences, but also providing an ongoing perspective on what they might want to choose as a way to empower them to have control over their experience. And typically, when the consumer has that control, they end up having a better experience, which then leads to all the other good things that come with a relatively better customer experience.