Internet users comprise an increasingly savvy population with a growing understanding of exchanging personal data for goods or services provided online. While they don’t necessarily understand, or want to understand, the backend systems that handle and protect their data, they do have high expectations when it comes to company accountability, and they want assurances that their data is safeguarded.

Users understand that there is a need for a greater level of security in proving their identity online. Industries from financial and healthcare to education are increasing their levels of authentication to ensure that the user attempting to access the system is legitimate. As it becomes easier to facilitate authentication methods conveniently over mobile phones and online, the market is quickly adopting technologies such as second-factor authentication, biometrics and Knowledge-Based Authentication (KBA). But accountability to users doesn’t end with launching new authentication methods. Companies may be doing a disservice to the public if they skip the crucial step of explaining the reason behind adding these requests for more personal information.

Failing to offer an explanation creates a knowledge gap for users. If they don’t clearly understand how second-factor authentication can enhance security, they may question the rationale behind utilizing more invasive identity-proofing techniques. In short, it breeds unnecessary distrust.

Another widespread public concern when it comes to personal identity data privacy is the question of tracking and monitoring. It is increasingly common to hear individuals questioning: Just what is being done with all of my data that I’ve given to companies? What are these companies doing with my personal information? Are they tracking my actions across systems? Is someone monitoring me and my activities? Am I going to be unfairly, illegally, or unjustly acted against or scrutinized because companies or the government have all of my data? Did I really agree to that when I used my thumbprint to log into my bank app?

Addressing the public’s concerns over what is being done with their data, and why, depends on good privacy practices that include transparent communication. Companies can go a long way in mitigating the public’s fear of data misuse by instituting the practice of clearly and concisely explaining why data is being collected at the time at which it is requested, a technique referred to as “providing adequate notice.” When data is collected from an individual, the organization should provide the reason for doing so in a clear and meaningful way. Further, a data privacy best practice is to communicate which data is necessary to process the user’s request versus those that are optional, leaving the consumer in control of how much of their information is shared if it’s not absolutely required for the transaction.

Achieving this transparency requires methodical privacy office awareness of what personal data and information is captured from users (passively and directly), and how it travels, is stored, and is disposed of by company systems. This is not an overnight process and may require multiple sessions with the information technology and engineering teams in addition to the information security office. By building strong partnerships with key internal stakeholders, the privacy office can provide concise and meaningful information to the public about the practices applied to users’ data. Subsequently, through deliberate mapping exercises and data inventory discovery, the privacy office and key stakeholders can identify areas of risk and ways to mitigate or resolve such risk.

For example, there are many advanced logging techniques used by companies to drive internal performance (and ultimately improve customer service). Through a data action analysis recently performed at one company, the security officer recognized that the logs of session activity were being maintained in the same data table as the personally identifying information attributes of the customers. The logs were necessary to the organization for monitoring in the event of malicious activities, but the organization was able to split the tables to prevent linking and behavioral surveillance.
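
One way the table split described above could look, as an added example that is not the company's actual schema: session events are stored under a keyed token instead of the customer ID. The table and column names, the key, and the sample rows are all constructed for illustration.

```python
import hashlib
import hmac
import sqlite3

# Constructed demo key (assumption): in practice only the security team holds it.
LINK_KEY = b"constructed-demo-key"

def pseudonym(customer_id: int) -> str:
    """Keyed token that stands in for the customer ID in the log table."""
    return hmac.new(LINK_KEY, str(customer_id).encode(), hashlib.sha256).hexdigest()

def build_split_store() -> sqlite3.Connection:
    """PII and session activity live in separate tables with no shared column."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE customer_pii (customer_id INTEGER PRIMARY KEY, name TEXT, email TEXT);
        CREATE TABLE session_log (subject_token TEXT, event TEXT, ts TEXT);
    """)
    # Constructed sample rows.
    db.execute("INSERT INTO customer_pii VALUES (1, 'Alex Example', 'alex@example.com')")
    db.execute("INSERT INTO customer_pii VALUES (2, 'Sam Sample', 'sam@example.com')")
    for cid, event, ts in [(1, "login", "2015-11-01T09:00"), (2, "login", "2015-11-01T09:05"),
                           (1, "password_change", "2015-11-01T09:10")]:
        db.execute("INSERT INTO session_log VALUES (?, ?, ?)", (pseudonym(cid), event, ts))
    return db

def shared_columns(db: sqlite3.Connection) -> set:
    """Column names present in both tables; empty means no direct join key."""
    def cols(table):
        return {row[1] for row in db.execute(f"PRAGMA table_info({table})")}
    return cols("customer_pii") & cols("session_log")

def linkable_rows_without_key(db: sqlite3.Connection) -> int:
    """What someone with table access but no key gets when joining on the raw ID."""
    return db.execute(
        "SELECT COUNT(*) FROM session_log s JOIN customer_pii c "
        "ON s.subject_token = CAST(c.customer_id AS TEXT)").fetchone()[0]

def investigate(db: sqlite3.Connection, customer_id: int) -> list:
    """Security-monitoring path: the key holder can still pull one customer's events."""
    rows = db.execute("SELECT event FROM session_log WHERE subject_token = ? ORDER BY ts",
                      (pseudonym(customer_id),))
    return [r[0] for r in rows]

if __name__ == "__main__":
    db = build_split_store()
    print(shared_columns(db), linkable_rows_without_key(db), investigate(db, 1))
```

The split is only as strong as the protection on the key: anyone holding `LINK_KEY` can recompute the mapping between customers and their session events.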

Privacy issues that surround online identity are complex and can seem overwhelming. However, the privacy office can implement some basic tactics to alleviate some common identity management concerns. Define your company’s purposes and use limitations around the collection and handling of data. If you are going to store data, be mindful of aggregation and surveillance effects – and think through how to mitigate those risks.

The public knows there should be rigor around securing their personal data from hacks and malicious attacks, but they expect organizations to clearly articulate how they are protecting data. They also expect organizations to be judicious in their use of advanced authentication technologies. There can be a fine line between aggressively protecting customer data and violating privacy in the quest to safeguard user information. Explaining why you are implementing stringent authentication methods and how they protect data can go a long way in earning customer trust.
