Each year at the end of summer, several members of Forrester’s Security & Risk research team look back at publicly reported breach events and data privacy violations of the previous 12 months to spot trends and identify cases to feature where we feel there are lessons learned for S&R pros. In 2016, this was a joint effort alongside my colleague Fatemeh Khatibloo from Forrester’s Customer Insights research team. Leading up to Data Privacy Day, I’d like to share some lessons learned from one of the five key trends we saw in our 2016 analysis.

The intersection of privacy and customer experience reminds us of the importance of collecting and managing consent, whether the data is being collected to personalize an experience, to support marketing, or to pursue some other initiative. We saw notable examples (Verizon Wireless! InMobi!) of how FCC and FTC actions in 2015 and 2016 converged on issues of consumer privacy and consent. In both cases, firms used tracking information to deliver targeted ads.

Lessons learned:

  1. Develop core capabilities for privacy oversight and accountability. Designating an individual in compliance or legal to decide what you can do with customer data based on regulatory requirements is insufficient. Instead, your firm will need to develop a set of capabilities to create, enforce, and assess policies and practices and thus manage consumer data privacy cohesively. This not only helps with efforts to meet compliance requirements, but also helps you build internal standards for privacy and data usage that align with corporate culture and values to balance data use innovation and risk.
  2. Adopt contextual privacy practices to deliver desired customer experiences. One customer's terrific, personalized experience may feel deeply creepy to another. Individual interpretations of privacy matter. The new privacy is all about context. This means that your firm must allow customers to dynamically negotiate the collection and use of their personal data. As your firm designs its desired customer experiences, you must practice a "no surprises" doctrine (be transparent) regarding data collection and use, give consumers meaningful opt-in and consent options, and treat more data types as personally identifiable.
  3. Align functions and procedures to follow through with privacy policies. Your firm's privacy policy is useless — and a liability — if you lack enforcement mechanisms. InMobi tracked consumers' locations regardless of whether they had consented to the use of their data, and it continued to use the data of those who had opted out. You must document internally how your firm achieves what your privacy policy promises, and ensure that the security and operations pros responsible for implementing controls understand your data use and handling policies.

What will we see in 2017? January has gotten off to a quick start: the Obama administration relaxed NSA data sharing rules; the EU released its proposal for an ePrivacy regulation; Family Tree Now and Meitu raised privacy fears among consumers; a new CIA director was sworn in despite concerns from privacy advocates; and President Trump signed an executive order stripping privacy rights from non-US citizens (which might invalidate Privacy Shield as a result). The year is still young. With your business priorities and this changing landscape in mind, what are your top privacy concerns going into 2017?