Data - no longer the modern day goldmine?
While several million Australians, governments and regulators attempt to unscramble the mess created by data theft from leading telco, Optus, every company will either choose or ultimately be force to revisit the customer data it holds and for how long.
Over the latter part of my career, I have been a strong advocate for data science as the foundation for broader and deeper customer insights. But I have a feeling that the resources available for data mining are about to be significantly reduced.
Let’s put this into context. Data capture has been going since early last century. The best sales people gathered all kinds of information on customers - birthdays, names of partners and their kids, what sports they played and watched and so on.
The purpose was to create opportunities to build relationships - send a birthday card, invite a client to a sports event, or simply enrich conversations about family and the things they care about.
The difference is that half a century ago, these details were jotted down in a notebook, or recorded in a contacts list. The only chance of this information leaking out was during a robbery. Today, this is captured on customers relationship management (CRM) platforms and the robbers gain access via APIs and hacks rather than through the window.
What’s more, the distribution power of the internet and particularly the so-called dark web, enable this weapons-grade data to go nuclear in terms of its potency and reach into victim’s lives - even their identity.
So there is nothing new in the concept of gathering what governments and regulators might be prompted to consider ‘excessive’ data capture and retention in the wake of the Optus data theft. It has been the raw material for relationship builders over generations.
Data scientists and other defenders of the faith will argue that much of the data captured and purchased for use in the development of algorithms, segmentation and automated marketing is ‘de-identified’. However, at some point, the data collected from individuals is not. What the best data scientists do is build out a profile, a persona, of each individual by augmenting their personal data with external information at a cohort level.
For example, if you’re a 35 year old female, external information from multiple sources gathered from people in your age group, your geographic location, income level and so on is added to the data collected by the shops, financial institutions, telcos to which you have already volunteered information.
While the de-identified external data is not specific to you, in the hands of a good data scientist, it can provider marketers and service providers with an enhanced picture of you that can fine tune their messaging strategies, including placement of information in places and media that you’re most likely to prefer. The more data, the more precise an organisations targeting of messages and channels.
People with criminal intent employ the same model and process, not to better target us, but to become us. In this context, it is the accumulation of data that presents the most danger. A single breach or hack may not provide an entire data set on any individual, but several hacks coupled with a series of ‘scrapes’ from the social media pages through which we share our lives can provide all the tools necessary to steal the core of our being - our identity.
It is this scary scenario that gets to the crux of the opening premise of this blog. Organisations keen to gain competitive advantage have adopted the practice of accumulating data about us. Relevant or irrelevant to their strategic plans, data is regarded as gold. Collect everything and you may find a use for it in the future. Data is key to controlling our lives and motivations - what we buy and even how we vote - and no one wants to regret discarding something that may compute to advantage later on.
Organisations holding data on us are the new gold vaults and breaking into them has become the modern-day equivalent of bank robbery. The more they hold, the more complete the picture our data presents of us.
The Optus hack and others raise questions about the security of those vaults. Are requests for data to support setting up online accounts too invasive and unreasonable?
There are all kinds of reasons for the amount of data requested. Thorough qualification of new account applicants using multiple identity checks reduces the risk of fraud, even theft of our identity. But the transfer of our data to organisations presents assymetric risk, where we are virtually forced to surrender our data, a chunk of our identity, without any real capacity to undertake due diligence on its recipient’s capacity to secure it.
This is why the period over which it is necessary to retain our data is important. It is one of the few risk mitigations available to us and will only be achieved if government and regulators intervene to set standards for the maximum amount of mandatory data that organisations can capture and the length of time for which they can keep it.
It could mean emptying some of the contents from corporate vaults in the months and years ahead, leaving companies and data science teams scrambling for other means of keeping things personal in their communications with us.