Editor’s Note: This piece on customer data “custodianship” from Harvard Business Review was originally published earlier this year (2020) and came to our attention as something of a call-to-action for marketers, indeed, for every person and organization now navigating the changing waters of customer data and privacy. Our hope in re-publishing this, is that it can become a mantra for corporate data ethics policies from this point forward.
“Data is the new oil.” In the years since mathematician Clive Humby coined this phrase in 2006, the idea has taken on new meaning. For businesses today, personal data is not just a resource — it is a core profit-driver. But the value placed on “drilling for data” has come with a high price at the human level: a dangerous mindset of data entitlement, whereby companies collect personal information and use it to make money, with little regard to the people who lent it to them in the first place.
Data entitlement puts a business’s reputation and customer trust at risk. It can be immensely expensive, as companies such as British Airways and Marriott learned firsthand when they were fined hundreds of millions of dollars following major data breaches, under the General Data Protection Regulation (GDPR), the data privacy regulation implemented by the European Union in May 2018. The personal information being leaked is not just a collection of files stored on a server somewhere; it amounts to the intimate details of peoples’ lives.
While data may still be the new oil, businesses can no longer view it as an asset to be extracted and exploited. The reality is that no company owns customer data — rather, customers entrust them with it. Instead of thinking like “data owners,” companies must act as “data custodians” who protect personal information and use it only with a customer’s best interests in mind.
Becoming a data custodian does not require expensive infrastructure changes or writing a single new line of code. Often, irresponsible data use is cultural — fixing it involves weaving data custodianship into employees’ day-to-day processes. Four cost-effective tactics can help any business get started:
1. Create a Data Accountability Report
A monthly or quarterly “data accountability report” is a simple and effective way to promote transparency and peer-accountability around personal data use. The report can be straightforward, listing how many customer records each employee or team has accessed in the past month or quarter. Making someone’s actions visible is a proven method for changing human behavior — just look at how step counters have encouraged people to be more active.
To be clear, accountability is not about shame or blame; instead, it is about empowering employees with knowledge. Simply seeing how many times they have accessed personal data compared to colleagues can make them think and act differently. Distribute reports without rankings, commentary, or judgment.
2. Celebrate Less Data Use and Analyze Responsibly
Flip the data owner mindset on its head by celebrating the teams that access the least amount of personal data to perform their jobs. For example, if an engineering or customer service team has not accessed personal data in weeks, yet still managed to get its work done effectively, acknowledge their accomplishment and make it a rallying point for the organization. Invite them to showcase their strategy to the company over a team lunch. What are they doing differently to avoid the need for data access? Are there tools and techniques that other teams should learn about? These discussions can help to find new best practices and reinforce that privacy is a priority.
To be sure, being a good data custodian sometimes means sharing valuable insights from your data with customers so they can make more informed decisions. There are a few guidelines to ensure you’re analyzing data responsibly: aggregate, anonymize, and don’t surprise. Examine broad sets of anonymized data, which can surface valuable insights while respecting customer privacy. And consider how customers will react to the insights — they trust you with their data, so handle it with care.
3. Pair Employees for the Most Sensitive Data Access
Sometimes, solving a customer problem can require accessing very sensitive information, such as Social Security numbers. In these situations, which should be rare, it can be helpful for employees to pair up and access a customer’s record together. Pairing up reduces the likelihood of intentional data misuse as well as human error. If a colleague enters the wrong tax ID into a system by mistake, for example, a partner will be there to catch it. This solution is free from a technology standpoint and only requires extra employee time. Again, the message is not that you don’t trust your employees, but that you value peer accountability and support.
4. Establish a Privacy Committee
An organization-wide privacy committee can bring internal stakeholders together to make decisions about a company’s data culture and policies. It can also create space to dig into privacy issues — especially those without clear, industry-standard guidance. Imagine you are an executive at a food delivery business. You need to decide the company’s policies for sharing consumer information with restaurants on the platform. For instance, a deli may want customer addresses for marketing purposes, but probably doesn’t need this information to fulfill orders. A privacy committee can talk through situations like these and set standards for the company and the industry.
Privacy committees generally consist of leaders from Marketing, Legal, Security, Engineering, Design, and Customer Care. Beyond job function, ensure that the committee is multi-faceted. Privacy means different things to different people based on their backgrounds, and a homogeneous group has more blind spots than a diverse one. Leaders with the same life experience and worldview are more likely to overlook privacy concerns — for example, seemingly benign features of an app that could be used to racially profile, stalk, or harass specific groups of customers.
Remember the Human Behind the Data
Drilling for data can seem like a limitless source of profit, but trust is the real resource that businesses should be mining. When a consumer shares their personal information, they should trust companies to use it with their best interests in mind. The organizations that succeed in the coming years will be those that build long-term, trusted relationships with customers by humanizing data and taking responsibility as its custodians.
Fredrick “Flee” Lee is chief information security officer at Gusto, the people platform for 100,000 small businesses nationwide. He previously led security at Square after holding senior security roles at Bank of America, Twilio, and NetSuite.