Balancing Digital Transformation with Privacy

Sophie Chase-Borthwick, Director of Data Ethics & Privacy at Calligo, explains how to incorporate data privacy into digital transformation projects

By Sophie Chase-Borthwick

Most business owners will have heard of the term ‘digital transformation’, but many are still unsure about what it actually means. In reality, digital transformation is a catchall term for businesses investing in technology to achieve a range of business goals, whether it’s to improve efficiency or create innovative products and services. While the term will mean different things to different people, cloud technology and artificial intelligence (AI) often play a key role in digital transformation projects.

Investment in digital transformation is on the rise. A recent report by Deloitte found that the average digital transformation budget for medium-sized businesses increased by 25% in the last year, while a survey by the Telegraph found that more than a third of UK businesses were planning to invest in related technology in the next 12 months. Whether it’s implementing technology to improve customer experience, such as creating an online chatbot for your website, or using analytics to optimize logistics processes, businesses of all shapes and sizes stand to gain from evolving in this way.

Small businesses and digital transformation 

However, research also suggests that small businesses are still reluctant or unable to invest in digital transformation. Of the companies in the Telegraph’s research who said they were not investing in digital transformation, 55% blamed a lack of budget and 47% blamed a lack of skills, with those numbers increasing among SMEs. 

One reason for this reluctance might be a fear of taking on too much and jeopardising the company’s wider financial future and cybersecurity measures. Data privacy is certainly an important consideration for digital transformation. Recently introduced GDPR legislation now means that businesses are required to map their data flows, assess the risks in their data processing activities and identify where controls must be implemented. Innovating through new technology carries the risk of sensitive data getting into the wrong hands, which can damage a business’s reputation and potentially lead to a fine for non-compliance.

If digital transformation aims to free as much data and showcase as much context as possible around the business, and data privacy looks to ensure confidentiality, how can the two co-exist? As a business which specializes in data optimisation and privacy, we have learned some tips from helping other businesses with digital transformation and privacy:

1. Don’t be overambitious

A common reason digital transformation projects fail and put sensitive data at risk is that the business is too ambitious. While big plans can inspire a team and give confidence to potential investors, a more focused approach will be more likely to deliver results. For example, a major European retailer we worked with wanted to design a more productive working environment by analysing their employees’ use of physical and digital resources. If a resource was being over- or underused, the company would be able to rectify the issue and get the most out of their staff.

However, the problem was that the company intended to tie this data on resource use with employee HR records. They looked at usage reports, access card data and hardware in the context of employee attendance, training and performance ratings. The idea was that this would provide an objective analysis of which individuals exhibited below par productivity and who would be entitled to pay rises, removing the risk of bias that may have been present in performance reviews.

It goes without saying that this use of data was a very delicate operation. The technical infrastructure was secure and the workflows and machine learning in place were admirable, but the protection of individual privacy rights - especially as part of an automated process, which is particularly sensitive under GDPR - had not even been a consideration during the project’s design phase.

Any small business looking to innovate in a similar way should make sure staff are made aware of the changes and can therefore give their consent. Not only will this avoid potentially irreparable damage to company morale, it will also ensure that GDPR is complied with. Otherwise an entire project might have to be rethought, as it was for the online retailer, creating both financial and reputational costs.

2. Incorporate privacy from the beginning

Another crucial step any small company should take is to incorporate data privacy from the beginning of the project. Business leaders can be so blinded by the potential benefits of digital transformation that they neglect making sensitive personal data a priority. A project can mean well, but if privacy isn’t made a central pillar of the design from the beginning, there can be dramatic consequences down the line. 

We once worked with an international medical organisation which produces devices for the healthcare industry. The developer team used IoT technology to monitor the use of every device they created, with the aim of using the data for product development and maintenance.

Due to the medical nature of these devices and the breadth of data collected, this was enormously sensitive. “Usage data” is a relatively benign term, but in this instance, it would unavoidably entail the collection of patients’ data. And as healthcare data is classified as a special category within GDPR, there are additional prohibitions over its use. Despite this, neither the patients themselves nor the healthcare professionals, nor even the wider business beyond the developer team, were aware of the unilateral and unauthorized collection and use of this sensitive data.

The key takeaway from this example is that every business should establish a set of project oversight practices that ensures new projects are run past a privacy or legal expert at the earliest possible point to confirm there are no red flags. You should also have documentation to record the assessment and to govern the data’s ongoing collection, storage and use.

The medical organisation failed to do so, and it was only once the legal team had begun their GDPR preparations and company-wide audit of data use that they discovered this activity and suffered product development delays, disenfranchised users, unhappy investors and extra costs as a result.

Looking ahead

Digital transformation projects can truly innovate small businesses, helping to make their processes more efficient and hopefully better serve their clients and employees. However, there can be costly consequences if they are launched without prior consideration of potential data privacy implications.

Small businesses should consider appointing Privacy Architects to assess their objectives alongside a technical project, while also identifying the privacy legislation that it is subject to and the necessary steps to ensure compliance. Without knowledge of privacy law, technology projects can create new risks for a business. The wider effects go far beyond penalties and fines, to the heart of whether customers can trust you.

About the Author

Sophie Chase-Borthwick is Director of Data Ethics & Privacy at Calligo. Sophie leads Calligo's Privacy Practice globally, supporting clients in their ongoing data privacy observance whatever their jurisdiction. Sophie has spent the last 19 years in IT and Security, moving from being a process architect in service management through audit management with the last six years spent as a security specialist, until she found her place in data privacy.