Hyper-Personalization & the Data Imperative: With the Power of Familiarity Comes the Obligation of Responsibility Hyper-Personalization and Data Imperative Power of Familiarity Comes Obligation Power

Hyper-Personalization & the Data Imperative: With the Power of Familiarity Comes the Obligation of Responsibility

ARTICLE: Security

By Christopher Rogers, Senior Vice President, Deputy CIO & Global Security Officer Sykes Enterprises, Incorporated

SHARE THIS ARTICLE

At one point or another, we’ve all been served up a personalized online experience, whether it was a recommendation for a related product or service, a targeted digital ad for exactly what we needed or maybe a coupon related to our preferred shopping categories. Personalization started trending in the mid-2000s with email messages, and it didn’t even take 20 years to become something shoppers expect as the standard of communication. As smart as the algorithms are getting, however, many personalized experiences are still based on limited personal information combined with considerable demographic, behavioral and other traits exhibited by people like us. This form of personalization is often surprisingly incisive but is still hit-or-miss and the reason we may find ourselves wondering why our music streaming app thinks we like that song.

Read Time: 19 minutes

Plus, when 60% of consumers express some level of frustration at being served an ad for a product they aren’t interested in, it means that close enough isn’t good enough. Enter the next step in the one-to-one evolution: hyper-personalization. It promises that the more we tell a business about ourselves, the better it can make our experience. For us as consumers, it means putting trust in a business to keep that data private and secure. And for us as also the keepers of that data, how do we responsibly contribute to an improved customer experience?

To be truly hyper-personalized, the data really must be about individual customers — their information, their behaviors, their intentions — and it’s not a new concept. When Norm walked into Cheers, everyone greeted him by name, and Sam was ready with his favorite beer. When John Anderton walked through a mall in Minority Report, a digital ad called him by name and knew that he needed a break from life. And in real, offscreen life, a longtime butcher-shop customer might find their weekly meat order already wrapped by a counter clerk who, also, calls them by name. The challenge for e-commerce is how to move from the one-to-one, or one-to-few, personalization of Cheers and the local butcher, to the one to millions in today’s digital world. That’s hyper-personalization: using individual and behavioral information, purchase history and other, broader data points to create a one-of-a-kind experience that brings value to both the customer and the business. This individual information can be augmented by available contextual information (weather forecasts, for example) to further personalize an experience, but the secret sauce here are those identifiers that see you as you. Those of us in the IT industry refer to this as behavioral data — the ability to collect primary data elements provided by a customer and combine it with derived data based on their actions and interactions with services and use it to create an intimate picture of who the person is, including their preferences. By and large, customers willingly opt into these experiences with the expectation that their future interactions will be timelier and more meaningful: faster, cheaper, efficient, rewarding in terms of convenience, and relevant with regard to recommendations. But between where a consumer gives consent to share their data and it’s stored in a box, there’s a gray area. And it’s that space in which the receiver determines whether that data is secure, private and being used for good — or not.

Hyper-Personalization Is the New Norm

As much as consumers expect a better experience in exchange for their data, they also expect their information to be treated with care. A 2019 IBM study on consumer attitudes toward privacy found that 70% of consumers have high expectations of data safety for essential services such as healthcare, banks and insurance companies. Sixty percent of consumers have high expectations for ecommerce businesses such as online shopping, apps, and other platforms that require home address, phone number or credit card information. In the same study, however, 83% of those same consumers said they believe their personal data is regularly shared with other companies. That’s not much of a vote of confidence. One way businesses can overcome this perception is to clearly state what they intend to do with collected data — and then do only that.

Data Ethics Plays an Important Role

A data-ethical company is one that collects user data for the purpose of reinvesting in that user’s experience.

A data-ethical company is one that collects user data for the purpose of reinvesting in that user’s experience. Its intention is to create value while ensuring the user maintains their agency, without manipulation, for the mutual benefit of both parties. In other words, the consumer is still in control of their hyper-personalized experience. They aren’t being coerced into decisions that only benefit the vendor, and their data is always stored securely and privately.

Especially for businesses that outsource a portion of their services, data-security concerns are still foundational: assurance that any data-processing infrastructure is secure and appropriately maintained, for example, and that employees are well-trained. Many also want assurance that good data-handling practices are in place through regulatory and standards-based audits and third-party certifications. If these concerns feel basic to some degree, consider this: The most common way that bad actors breach security controls is still phishing; you can’t get more foundational than that. But it’s no longer an email from a wealthy foreign prince with bad grammar and large sums of money to transfer. Today, it’s targeted spear-phishing that appears to come from vendors and people you already work with and trust. Over the past year, 94% of organizations experienced phishing attacks, 88% received email spoofed from business partners or vendors, and 53% experienced a business-disrupting, email-borne ransomware attack. Phishing (and other cyber) attacks today aren’t small-time crooks or disorganized gangs as in the past, but rather big business and organized crime on an unprecedented scale. As a result, the stakes are exponentially higher. Globally, ransomware has increased 26% in the past year, with damage predicted to cost the world $11.6 billion in 2019 and $20 billion by 2021. In the first nine months of 2019, there were well over 5,000 data breaches reported (an increase of more than 33% from last year), which exposed almost 8 billion consumer records (an increase of 112% in total records over the same period in 2018). These numbers are so large that they are hard to grasp, and the volume may seem scary, but the worst part is that 6 billion records were then released by the bad actors onto the public internet for anyone to see. In the meantime, it takes companies an average of 197 days to identify a data breach and 69 days to contain it. The global impact of a data breach on an organization averages $3.86 million. In the U.S., the impact is closer to $8 million. Cyberattacks are getting more frequent — partly because the data being captured today provides a more intimate portrait of a person and is thus more valuable to criminals, partly because of the increasing volume of data, and partly because of the evolving sophistication of bad actors. (Of note, it’s also the case that we’re seeing more reports of these cyberattacks because of both the improved ability to find them and the growing interest in reporting them.) It’s going to take more than advanced detection software to stay ahead of cyber criminals. It will also require a mindset shift.

It's Time to Change the Mindset Around Data Security

The old security parameters, such as firewalls, controlled perimeters, and endpoint virus defenses are no longer adequate. In fact, the only perimeter for most companies now is the internet itself. As Gartner points out, the rapid expansion of devices, access points and the cloud makes an old data-center or internal-network focus both obsolete and counter-productive. And that means that instead of focusing security protocols on hardening the environment around the pipes and boxes that transport and store the data, a strong cybersecurity program needs to follow the data wherever it may reside. With the prevalence of rapid-scale cloud computing and storage, the data may not even reside in the same country as the consumer. It’s a subtle but important shift: Where is the data? What type of data is it? How are we securing it? To further complicate the challenge, many companies today suffer from data obesity. It’s a condition generated from the fact that many businesses don’t know exactly what to do with all the data they’re collecting, but because they believe that it may have future value, they just keep everything. This expanding pool of information that’s stored in multiple places, that’s older, larger, distributed and otherwise shared, means the attack surface is expanding too. And as hyper-personalization continues to trend, that data becomes more and more valuable both to companies and criminals. Security must follow the data, increasing the layers of their defense to include metadata (used here in a general sense to mean various labeling, classification and categorization about the data), and move from a primarily reactive mode — monitoring for impact and responding to events — to a proactive one that leverages such metadata to arm their threat-hunting activities and defenses. Moreover, a commonly overlooked defensive component in any organization is — surprisingly to some — the employees. As the curators, handlers and guardians of the data, securing and empowering employees is vital.

Dated Security Parameters & Data Obesity Are Partly to Blame

IBM’s privacy research found that more than half of those surveyed said the ability to fully take back or retrieve their personal data was extremely important in reassuring that their personal data would be kept safe. In addition, 75% agreed that they’d be more willing to share their personal information if there was a way to fully take it back at any time.

Privacy Includes the Right to Be Forgotten

Today’s shopper landscape includes a full 90% of consumers who say they’d be willing to share behavioral data for a cheaper and easier shopping experience, and 94% who believe that businesses should be doing more to protect consumers against cybersecurity threats. This permission with a side of distrust puts the responsibility squarely on the shoulders of the businesses that collect consumer data to use it responsibly, transparently and truthfully, and to lock it down. One way companies can eliminate some of that doubt is to be clear about the data that’s being collected, why it’s being collected and what will be derived from it. Additionally, companies can set (and meet) ethical standards that consumer data will be used to hyper-personalize their online environment in a way that brings value, without manipulating the user’s agency or limiting their value without their knowledge. Consumers rightly expect that a business with whom they willingly enter this hyper-personalized relationship is compliant with all applicable local, federal and international laws regarding the data, is keeping their data secure, only using that data for the purposes that were stated, and is educating its employees as the first line of defense against cyberattack. In a sense, it’s seeing a person’s data as the digital representation of their personhood — a digital twin — and valuing it as much as their physical-world self.

Companies Hold the Responsibility

Setting a high bar for data protection and privacy in a hyper-personalized landscape really boils down to three words: Respect the data. And it starts with a strong foundation — here are five actionable steps to get you there.

Move From Discussion to Action

Step 1:

First, outline a clear plan for what your ideal hyper-personalized experience includes. What are the ways in which it will make your customer’s lives easier? What type of value will you offer them?

Then, understand the amount and type of data you’ll need to make it happen — the who, what, when, where, why and how. Spell it out, in detail, and don’t leave any questions unanswered.

Step 2:

Next, be aware of and understand every law that affects the data, from local to global. If compliance is required, earn it. One advantage of working with such a wide variety of clients at SYKES, all of which require us to handle the gamut of data types and classifications, means that we have to be well versed in demonstrating compliance to data privacy regulations and international security standards, whether that is healthcare data (HIPAA), payment card information (PCI), or industry-recognized best practices such as the NIST Cybersecurity Framework, ISO, SSAE and HITRUST.

Step 3:

With all these pieces in place, build your hyper-personalized experience with privacy, security and ethics always at the forefront. Architect a governance program that checks every box and that can be easily updated as laws, technologies, and consumer expectations evolve. Focus on fortifying the data itself, the processes that drive it, and all the people who will use it, rather than relying primarily on outdated models of data-center-centric hardening. This includes ensuring least-privilege access and regular employee training.

Step 4:

Finally, after the experience is live and has gotten some traction, listen to customer feedback. If they love the quicker checkout, for example, give them more of the same. If your recommendation engine isn’t quite hitting the mark, tweak it.

Step 5:

Create your own version of Cheers, where everyone wants to come back for another friendly greeting.

Christopher Rogers is SYKES’ Senior Vice President, Deputy CIO and Global Security Officer. In his role, he aligns, delivers and secures information technology services worldwide. He advises leadership partners on tech matters that enable quality customer care, and he leads the company’s digital and physical security efforts. Christopher has been with SYKES since 2000 and holds a Bachelor of Science from the University of Texas at Austin, two master’s degrees from Princeton Theological Seminary, and executive education certificates from the University of Chicago and the University of California, Berkeley.

Christopher Rogers

Connect with me on LinkedIn

Video: Reassuring Customers About Data Usage

Data security and privacy are intertwined, but they’re not interchangeable. While privacy is impossible without security, security can come at the expense of privacy. An ideal strong data security protocol should intend to protect data privacy, including individuals’ rights to access their data, opt in or out, be safe from surreptitious tracking, and perhaps most complicated, the right to be forgotten.

Video: Privacy vs. Security

Imagine, for example, a system that captures and generates all different forms of primary and derived data and uses it alongside various machine learning algorithms and evolving artificial intelligence. If an individual user asks to be forgotten, how many touchpoints along that data chain contain that user’s personally identifiable information? For companies that didn’t already have deletion capabilities built into their privacy frameworks, it meant a lot of rearchitecting to be compliant with the law. And for those that are still building, it’s a strong argument for implementing both security and privacy by design.

Privacy & Other

Accessibility

Subscribe to SYKES Quarterly

The right to be forgotten is part of the EU’s General Data Protection Regulation (GDPR), the same law that has led to all of the “We use cookies” messages you’re now seeing at the bottom of websites. It’s a win for consumers and data privacy. But for IT departments, it’s not just a matter of hitting delete.

Privacy & Other

Accessibility

Subscribe to SYKES Quarterly

Read Time: 19 minutes

SHARE THIS ARTICLE

While automation and AI can be an important digital sidekick for agents, it can’t replace the face-to-face interaction, the opportunities for negotiation, and especially the moments of empathy that occur between “help me” and the helper.

Connect with me on LinkedIn

Sykes Enterprises, Incorporated is a leading provider of multichannel demand generation and customer engagement services for Global 2000 companies and their end customers. SYKES’ differentiated full lifecycle solutions and services — digital marketing, sales expertise, customer service, technical support and more through multichannel delivery platforms — effectively engage customers at every touchpoint of the customer journey. Our complete service offering helps clients acquire, retain and increase the lifetime value of their customer relationships through cost-effective solutions that enhance the customer service experience, promote stronger brand loyalty, and foster high levels of performance and profitability.

Subscribe to SYKES Quarterly