A new KPMG survey revealed that U.S. consumers are becoming increasingly concerned with, and distrustful of, how companies use, manage and protect their personal data. According to the survey, 56% of Americans reported wanting more control over their personal data and insisted that both corporations and government must play an active role in protecting personal data.
The findings in the “New Imperative for Corporate Data Responsibility” report are based on the results from a survey of 1,000 respondents in the U.S. The sample was balanced to reflect the national representation of age, race, gender, and region. The online survey was fielded between May 19, 2020, and May 21, 2020.
As per the report, 97% of American consumers indicated that data privacy is important to them, with 87% characterizing it as a human right. However, consumers are deeply suspicious of what companies are doing with their data: 68% don’t trust companies to ethically sell personal data and 54% don’t trust companies to use personal data in an ethical way.
“With consumers indicating that they see data privacy as a human right, and new legislation expected in the years ahead, it is critical that companies begin to mature privacy programs and policies. Consumer demands for the ethical use of data and increased control over their own data must be a core consideration in developing data privacy policies and practices.”
– Orson Lucas, Principal, Cyber Security Services, KPMG
Even though respondents indicated that data privacy is important to them, most Americans still engage in online behaviors they consider risky.
- About 75% of Americans say they consider it risky to use the same password for multiple accounts, use public Wi-Fi, or save a card to a website or online Yet, more than 40% engage in those behaviors.
- While 65% of Americans reported avoiding opening email attachments from unknown senders, only 31% install mobile device security software and 20% use their own virtual private network (VPN) when possible.
“Part of the challenge for corporations will be getting employees and customers to do their part in protecting their own data. Developing defensible notices with understandable language and data protection controls that guide employees and consumers have to be embedded in the data security agenda.”
– Steve Stein, Principal, Cyber Security Services, KPMG, and Co-author of the new report.
While most survey respondents indicated that consumers themselves have a responsibility to protect consumer data, even more want the government and companies to play a role. KPMG found that:
- 9 in 10 Americans insist companies (91%) and the government (90%) have a responsibility to protect consumer data.
- Almost all (91%) agree the following data privacy rights of the California Consumer Privacy Act should be extended to all U.S. citizens: the right to delete personal data, and the right to know how their data is being used.
- More than nine in 10 Americans say companies should put data privacy guidelines and policies in place, be held responsible for corporate data breaches, take corporate data responsibility seriously, and take the lead in establishing corporate data responsibility.
“Prior to January 1, 2020, U.S. companies already had some regulation impacting the collection and use of consumer data including Gramm-Leach-Bliley Act, Fair Credit Reporting Act, Health Insurance Portability and Accountability Act, state data breach laws, and others (including General Data Protection Regulation for Europe). With the advent of the California Consumer Privacy Act, the expectations have been raised and consumers (at least in California) have increased the right to reject the sale of their data and additional rights to access and delete. We would expect other states to follow and may see a Federal statute in the coming years that codifies these rights for all Americans. Murkier perhaps is whether Americans, when given such rights, will act on these rights.”
– Steve Stein
To give consumers increased control over their data, KPMG recommends that businesses consider leveraging data discovery and protection tools, and explore novel uses of emerging technologies such as blockchain and artificial intelligence (AI). These technologies can help organizations better track the source of their data, assure its accuracy, make it easily discoverable, protect it and build greater external visibility into the data being collected.
In fact, according to a survey of 600 global technology executives conducted in late March/early April, KPMG found that improving cybersecurity and data privacy is one of the top four objectives for which their organizations are investing in emerging technologies such as process automation, smart analytics, cloud computing, artificial intelligence, and blockchain.
KPMG also recommends:
- Mature data privacy programs and policies. It is critical that companies begin to mature privacy programs and policies before new legislation comes into effect. Specifically, companies should consider adopting a principles-based approach to retain the flexibility needed to comply with the evolving regulatory environment and technology landscape.
- Provide customers with greater control over their data. With expanding requirements to give consumers greater control over their personal data, businesses should consider leveraging data discovery and protection tools, and exploring novel uses of blockchain and artificial intelligence.
- Conduct privacy assessments to manage data privacy challenges in light of COVID-19. As new return-to-work solutions are introduced amid COVID-19, companies should conduct privacy impact assessments. Specifically, where new technologies and processes are implemented, it is prudent to assess and document the potential implications and decisions around data privacy.
- Make sure consumers are aware of your data privacy strategy. To build trust and goodwill with consumers, companies that develop strong data privacy controls will want to make sure consumers know about them.