How enterprises can prevent another Cambridge Analytica scandal (spoiler alert: you need to know what your partners are doing with your customers’ data)
In today’s sharing economy, the most successful companies make millions in revenue from business partners based on the amount of data they can convince their customers to share on platforms in exchange for products and services.
On one hand, it’s an incredible testament to technological progress that the most valuable businesses have created intangible platforms connecting millions of users across the world and providing free or low-cost services in return for users sharing their data, which drives real-time personalisation and product development.
However, in the global landscape which is constantly shifting with new players and technology emerging, enterprises must protect themselves and their users from the risk of third-party partners misleading customers and mishandling sensitive personal data, which can lead to both legal and regulatory exposure and long-term brand damage. We only have to look at the Facebook and Cambridge Analytica scandal to see how data misconduct by a third-party partner can damage a brand and negatively impact user behaviour and share prices.
Businesses now face a multifaceted challenge that didn’t exist 20 years ago when Google was born in Silicon Valley. They need to maximise the amount of data shared willingly by customers to increase revenue and inform new product development, minimise any confusion or ambiguity about who is receiving that data and what they are doing with it in order to maintain consumer trust, ensure they obtain granular, unambiguous and recorded consent for GDPR compliance, and provide the best customer experience to grow and retain users.
How OAuth works and why it’s limiting for consent management
Some businesses are looking at building point solutions for consent management on the OAuth standard. Before we address this, let’s set the scene and explain what OAuth is.
OAuth, or “Open Authorisation”, is an open standard for authorisation that apps can use to provide secure, delegated access. Okta has a great blog post entitled “What the heck is OAuth” explaining this to the uninitiated in simple terms.
The best way to describe OAuth in the context of consent management is to use the analogy of a chain of hotels. In a hotel group, there can be full-service 5 star hotels (Waldorf) and budget 3 stars with a modified brand (Hilton Garden Inn). The hotels have different room sizes, access doors, leisure facilities, meal billing, billable leisure activities and concierge services.
When a hotel group buys a room key management system, they set up the key encoding machine in each location so that it is unique to that hotel property. It has default capabilities and each hotel is in physical control of its scoping, scope maintenance, incident management, record keeping and audit. If any guests receive a hotel key card, they access their room and some additional resources.
How do guests acquire a hotel key card? They have to do an authentication process at the front desk to get it. After authenticating and obtaining the key card, they are authorised to access resources across the hotel. The hotel has scoped its consent to provide access to resources. The authorisation process at the front desk has captured the guest’s consent to subsequent fees and charges, but this is managed by other systems.
The key cards have no rich personal information stored on them since they are reused. All information gets wiped every time it is reused.
This business model is OAuth. An app (hotel staff) requests authorisation from a user (guest). The user (guest) authorises the app (hotel staff) and delivers proof (passport, credit card). The app (hotel staff) presents proof of authorisation to server to get a token (key card). The token is restricted to access only what the user authorised for the specific app.
All additional changes and actions that the user wants must be managed by different systems involving paper, additional billing systems and user signatures. In other words, it requires numerous systems that are not interconnected, and the card is no better than physical key-based access. It is simply a basic, digital version of an analog process and doesn’t take advantage of the opportunity to have a truly digital and connected solution.
In banking, OAuth has been used as an access solution, but it involves a custom build from an internal team and does not easily connect with other systems or track rich data, particularly when is comes to managing user preferences, actions and consent.
OAuth isn’t centralised, data-rich or indisputable as a system for consents. It isn’t robust enough to help enterprises systemise, manage and record granular consent for data sharing at scale.
This is very important because the financial and brand consequences of a systemic breach of customer data rights in data sharing could be enormous and far more consequential than hotel guests losing their key cards or failing to report what they’ve taken from their mini-bars.
Why OAuth point solutions aren’t scalable or future-proof
It might be appealing to ask your IT team to build a bespoke point solution for consent management using the OAuth standard. However, in the long run, this will be costlier because it won’t scale across your organisation and isn’t future-proof. It’s reactive, not proactive.
A case in point is the significant investment that was made in custom-built, in-house OAuth solutions to comply with PSD2 regulation. This enabled banks to comply with a particular standard but was a point investment. The technology infrastructure did not bring any technology benefits to allow for compliance with another regulation: the GDPR.
Let me cut to the chase. A point solution for consent bolted on as an afterthought to an OAuth solution won’t enable you to implement a structured company-wide consent policy for data sharing or have the centralised oversight of all data sharing agreements that is required to ensure policy and regulatory compliance across your organisation.
You need to be able to systemise, manage and control data sharing conduct and compliance securely across your organisation with advanced technology before you can give your teams the freedom and agility they need to innovate. The answer is consent by design.
While a point solution might seem like the most cost-effective solution to satisfy compliance for now, it won’t stand the test of time and could end up being very expensive and slow as you develop multiple point solutions for different business lines.
As you onboard new partners and adopt new technology to derive insights from your customers’ data, you will need to have a centralised consent system that supports the secure management of consent for data sharing across business lines with thousands of ecosystem partners and millions of customers.
Businesses need a consent solution that will make it easier to screen, track and audit the data usage behaviour of their data sharing partners and ensure they are protecting their users’ precious data that has been entrusted to them.
The cost to your reputation is too high to risk. You can’t afford to wait until one of your partners mishandles your customers’ data. You need a proactive approach to data sharing that can scale across your organisation and adapt as your business, partnerships and customers grow.
How to be trusted guardians of customer data
In the digital age, all businesses are guardians of customer data. You need to protect the data you hold and ensure that your third-party partners are processing it exactly as your customers have provided informed and unambiguous consent for.
You also need to automate the execution of specific data sharing agreements with third-party partners and ensure you seek and track customers’ consent for data sharing and transactions, especially if that data is being shared and processed in a way that’s not covered by your blanket consents.
This will benefit both your customers and your business. With a robust consent management solution, you can reduce your compliance risk, increase operational efficiency, revenue and growth, increase the transaction volume per customer and innovate with centralised data sharing compliance.
Your customers can continue to trust you to manage and share their data with third-party partners with their informed consent.
At Priviti, we’ve created a scalable solution that helps companies implement a structured consent policy for data sharing with centralised and precise rules, parameters and controls for internal and external data sharing and that records consent audit trails for regulatory compliance, dispute resolution and analytics.
Priviti is neutral and all transaction data is encrypted, so it never sees or stores sensitive customer data. We’re on a mission to help companies share data with trust and empower them to collaborate with partners and customers safely.
Join our consent management community and help shape the debate
We’d welcome your feedback on this topic and hope to inspire lively debate and awareness about managing consent for data sharing since it’s an important issue that affects all of us.
We’ve launched a consent management group on LinkedIn to create a community where we can discuss these issues and share challenges and best practice to help shape the dialogue on data sharing and what we can do to empower businesses and consumers to collaborate more effectively.
Please join our LinkedIn group, comment on our posts, tweet @getPriviti and get in touch at info@priviti.com. We’d be happy to speak to you and look forward to continuing the debate.
