Can we have some privacy please?

Behavioral science and data protection in the age of information

Busara Center
The Busara Blog
Feb 12, 2020


If you are a fan of hacker movies, or films that touch on crime and digital consciousness, you can picture the moment when a compromised thumb drive is plugged in as the beginning of the protagonist’s end.

The stark reality of the digital age we live in is that there is a real and growing opportunity to raise awareness of data privacy and educate internet users by discussing rules and regulations, as well as addressing attitudes and issues around the collection and use of consumer data. Overall, the need to protect personal data against theft or misappropriation cannot be denied. Security, therefore, is and should be a priority for any organization responsible for collecting and processing consumer data.

With this in mind, there have been emerging discussions around personal data, privacy and consent. As with the movies, one of the questions raised is, what happens to the information collected when you as the user click agree? These conversations are sparked by two occurrences. The first is the online availability of information, personal or otherwise. The second is the implementation of the EU General Data Protection Regulation as of May 2018, designed around giving EU citizens more control over their personal data.

Kenya, considered the ‘Silicon Savannah’, has embraced digital technology to become a world leader in the adoption of digital payments. A 2019 World Bank report credits this rapid growth to a variety of factors, including a rise in internet usage, uptake of e-commerce and the growth of digital services, with mobile penetration at ninety percent by March 2019. This technological wave has led to staggering volumes of personal data being collected, stored and transmitted, all at the click of a button. To ensure the full potential of Kenya’s digital economy is harnessed, stronger digital foundations are required to enhance the digital ecosystem, as well as to ensure the story does not end when a connection is made and data collection starts.

In light of this, Kenya recently signed into law the Data Protection Act (the Act), which came into force on 25th November, 2019, and is modelled on principles set out in the EU regulation. The Act’s objective is to regulate and guide the processing of personal data, to protect the privacy of individuals by establishing legal and institutional mechanisms to protect personal data, and to provide data subjects with recourse should their data be processed in a manner that is not in accordance with set guidelines. It outlines policy and obligations for any person or organization that collects data, as well as stiff penalties and legal liability if the guidelines stipulated are not met. The Act is the character nobody expected but everyone hoped for because of the rallying cry they put up to ensure that ‘click agree’ does not translate to ‘hand it all over’.

The Act speaks to a number of items, three of which are highlighted below.

  • The first is data processing. The purpose for which data is collected needs to be accurate and up to date, with use limited to the originally intended purpose. All information must be stored in a manner which identifies the data subjects for no longer than is necessary and not be transferred outside of Kenya, save as permitted in the Act. Organizations that handle consumer data have to ensure they uphold the data subjects’ right to privacy, an area that has been ambiguous and open to exploitation so far.
  • The second is the governing body. The Act sets out the office of the Data Protection Commissioner as the authority on all issues related to data protection and privacy. The Commissioner is an independent authority appointed by the Office of The President to uphold the right of individuals to have their personal data protected, and to act as a guardian of information and data.
  • Lastly is notification of breach. This is of particular interest as it holds the organization that collects and processes data accountable. In short, any individual or organization that collects data must put security measures in place to prevent unauthorized access, disclosure, or loss of said data. In the event of a breach, they are required to report it to the office of the Data Protection Commissioner within 72 hours as well as to the affected data subjects without delay.

The strides made by this Act in a country teeming with tech opportunities are boundless. The IntAct initiative considers many of the core issues in data privacy to be primarily behavioral in nature, because at the heart of data privacy is the issue of consent.

IntAct’s core purpose is to act as a driver in understanding data privacy through a behavioral lens.

This includes how to steer effective consent and position privacy as a business advantage. The design of effective informed consent processes relies on two main things: an understanding of when and how people pay attention to information, and how to support the understanding of complicated information in a short span of time. From a broad perspective, building a strong interest in data privacy on the side of consumers requires a grasp of human behavior and, subsequently, of how to design choice architectures to nudge people towards better behavior.

To do this, IntAct is carrying out behavioral lab studies and looks to carry out live market tests. Use of a behavioral lab gives a better comprehension of how small details such as presentation or language can drive behavioral change in consent, or willingness to pay for privacy. Live market tests provide an opportunity to take the most effective designs from the lab to an applied setting and validate the findings among a larger population.

The results from these experiments and market tests can be used to inform regulators and organizations on the most effective ways for consumers to understand what they are consenting to, and for businesses to understand best practice on obtaining consent from customers for their data. This can eventually be used to position different organizations as privacy champions, giving them a business advantage over their competition.

At the end of the day, before the credits roll, IntAct strives to ensure that everyone who plugs in is aware of what they are getting into. Connection does not necessarily have to be the end of privacy; in this case, it may just be the start of great things.

Exciting times ahead, stay tuned and please reach out to us on Twitter if you are interested in learning more.


Busara is a research and advisory firm dedicated to advancing Behavioral Science in the Global South