Data Security & Privacy Learn how to correctly analyse this topic.

Sarah Simon

16 min Read Time | April 7th 2022

Key takeaways

1

Concentrate on the impact and consequences of violations of customer privacy, and if significant, on data security (i.e., document the outcomes and impacts, not just the event).

2

Focus: The topic addresses the voluntary collection, retention, and use of sensitive, confidential, and/or proprietary customer or user data. It includes social issues from selling data to other companies for targeted advertisements and other means.

3

Secondary: Do not report privacy or data breaches that have not touched thousands of persons - unless the depth of the impact has been significant (i.e., victims have suffered serious financial losses, lost their jobs, or seen their reputation and social life seriously harmed, etc.) and its persistence (i.e., if the company has a poor track record).

Executive Summary

Core point: Discuss the importance of customer privacy and what impact this has on society when privacy is breached. Assess the impact of the intentional sharing of personal data of companies’ customers. The sharing does not necessarily need to violate laws or the terms and conditions (T&C's) to discuss it in the analysis, but of course, it should be addressed if it does.

Discuss how many customers' data was voluntarily shared to establish the scale (a range will suffice), what type of information was shared, how sensitive was it to disclose the issue and the value of the impact, and describe and quantify the social harm caused.

Secondary point: If very significant, discuss data breaches and similar cybersecurity issues: history of breaches, a significant number of users' data leaked, compromise of financial information, negligence, and oversight on the company's part.

Only report massive data breaches or privacy breaches. No breach means no impact. Therefore, you should avoid writing an analysis just on the strength or weakness of the data protection measures or policy of a company.

Do not discuss one-off events, nor should you discuss breaches where there is no direct impact from leaking customers' data.

Dan nelson ah Hegu Oe9k unsplash 1

What is it?

Companies find significant value in collecting, sharing, and using data about customers. Personal data can be misused if not kept confidential, such as harassment, defrauding, unwanted advertising, and limiting people's ability to express themselves. Data privacy governs how data is handled; data security protects data from being stolen by external parties.

"Data privacy or information privacy is a branch of data security concerned with the proper handling of data – consent, notice, and regulatory obligations. More specifically, practical data privacy concerns often revolve around: Whether or how data is shared with third parties."

As companies and individuals increasingly adopt digital technologies, companies have to manage two conflicting priorities.

On the one hand, companies use customer data to innovate and provide customers with new products and services, generate revenues, personalise targeted advertising and marketing, and use this data to understand better and meet their consumers' needs.

On the other hand, many people have privacy concerns "associated with companies having access to a wide range of customer data, such as personal, demographic, content, and behavioral data. [...] The delivery of cloud-based software and IT services also raises concerns about potential access to user data by governments that may use it to limit the freedoms of citizens."

The recent increase in privacy concerns is not only related to limiting peoples' freedom, but the selling and sharing of data without their complete understanding can create concerns over confidentiality and violation of their private interests. There are also significant risks with the rise in data breaches, leading to possible monetary loss and identity theft.

"A data breach is the intentional or unintentional release of secure or private/confidential information to an untrusted environment."

Sources

https://www.sasb.org/wp-content/uploads/2019/08/SASB_Software-IT_Brief.pdf
https://en.wikipedia.org/wiki/Data_breach#:~:text=A%20data%20breach%20is%20the
https://www.statista.com/statistics/273550/data-breaches-recorded-in-the-united-states-by-number-of-breaches-and-records-exposed/
https://www.wired.com/amp-stories/cambridge-analytica-explainer/
https://www.forbes.com/sites/forbestechcouncil/2020/12/14/the-rising-concern-around-consumer-data-and-privacy/?sh=68b74b70487e
https://www.mckinsey.com/business-functions/risk-and-resilience/our-insights/the-consumer-data-opportunity-and-the-privacy-imperative
SDG poster UN emblem PRINT 2020

SDG Choice

Most used SDGs include:

✅ SDG 9

✅ SDG 16

But other SDGs might be relevant depending on the impact

This article, about cybersecurity, can help you identify the correct SDG for your analysis.

Impact assessment

While researching and writing this topic, keep in mind the Logical Model to differentiate between input, activities, output, outcome, and impact.

Introduction

The analysis should focus on the voluntary sharing of customer information, what kind of data is being collected and shared, and how this impacts the customers.

  • The introduction should show how data privacy has become a human right (UN - OHCHR), and it must highlight the importance of data privacy, as well as the impact that data sharing has on society.

  • If relevant, provide more information about how privacy breaches/abuse contribute negatively to society and their impact. This will help the reader make an educated assumption about the impact the company has.

  • It should assess the amount of personal data sharing that happens, along with the consequences of it.

  • The focus should be on how this impacts customers - not how it may impact business or profit, although financial/business growth incentives can be included as a motive for sharing sensitive information.

  • Try to tailor the introduction to the specific industry in which the company is.

Read more on how to build a strong introduction in this article.

Core Analysis

  • The core analysis needs to address how much data is collected from customers (and sometimes employees), whether it is sold to third parties, or if third parties have access to it.

  • The number of customers should be stated, and whether this is a systematic process they do with all customers, or whether specific ventures with portions of their customer base’s data are compromising privacy (or both).

  • It is important to address what kind of information is being collected and distributed - whether it is financial data, data on activities, etc.

  • You should also explain what kind of third parties are getting access to the information, what they might do with it, and how this might affect the customers involved.

Focus: voluntary selling and sharing of users' data

The core of the analysis needs to address the type of data collected, how much data is collected from customers (and sometimes employees), with whom it shares the data, and why.

Also, it should show strong links with the social consequences of collecting, storing, and/or sharing personal data. You can look for fines given by the GDPR, which will show that these companies haven’t protected users’ data privacy rights.

Note that an infringement or breach of contract/Terms & Conditions is not always necessary to analyse the impact of the company’s actions, products, services, or policies. You can still measure the impact of Facebook and the likes, who sometimes abuse their users' privacy by using the information they held on them without their full understanding of its use.

In your analysis, try to go beyond reporting the voluntary selling of data and measure the social impact it has had on individuals. You can use studies as proxies. Learn more in the article Step 5: Assess scale and value.

Remember: only half of the consumers are aware of settings that control data collection!

What do companies do with our personal data once collected? And, what is the impact?


1. The data is grouped and analyzed to personalize advertisements for customers → Possible impacts: spam, frustration, feelings of intrusion and of being watched from targeted advertisements, data tracking which can also incentivise users to spend more money

2. The data are listed and analyzed for R&D purposes → Possible impact: using data for “social experiments” for R&D purposes (i.e., Facebook using data to experiment with users’ emotions), and going beyond academic research, can cause more widespread harm, such as global manipulation (i.e., Cambridge Analytica scandal).

3. The data is sold to a data brokerage → Possible impact: from buying and selling data, third parties can misuse sensitive information.


There’s a difference between misuse and loss. How do companies keep data misuse under the radar?
- Loss: someone with bad intention “steals” personal data without permission.
- Misuse: someone’s data is legitimately collected (by a company) but used beyond its original purpose.

Companies keep data misuse under the radar by means of:

1) commingling: data reused for another purpose than initially intended,

2) personal benefit: data abuse without bad intentions (e.g. an employee saving data on the PC),

3) ambiguity: the company is unclear about what it does with personal data so that interpretation is vague.

and others...


Overall, there’s an increase in concern about how companies handle customer data. People worry about confidentiality and violation of their private interests.

In your analysis, try to go beyond reporting the voluntary selling of data and measure the impact it has had on individuals (social - a sense of intrusion; political - manipulation and polarisation; economic - push to consumption).

  • What kind of information is being collected and distributed? Why does the company do this? Look at the policies on privacy.

  • How many customers are affected? Is this a systematic process, or does it happen to only a specific part of the customer base (or both)?

  • Is the company sharing the data? What kind of third parties are accessing the information? What are they doing with it? How might this affect the customers involved?

You can measure the impact by answering the following questions: How much money was made from targeted advertisements? Was the company fined for the misuse of customer data?


Useful tip: check out companies the GDPR has fined, as well as other fines and scandals on the matter, to find out those who have significantly abused of their customers’ data.

Caution: For the social impact, think of companies selling customers’ data to other companies for targeted advertisements and other commercial purposes. Don’t consider companies using customer data to optimize their own processes and service.

Secondary: Significant data breaches

If significant, discuss data breaches and similar cybersecurity issues as a secondary point.

Beyond negatively impacting the company, data breaches and cybersecurity attacks have short and long-term consequences on employees/clients/consumers’ lives. They can result in identity theft, fraudulent credit card activity, and emotional challenges such as stress on a more interpersonal level.

An analysis of one specific breach (data breach or privacy breach) takes the risk of being anecdotal. We do not want to report every single breach that a company has faced. This kind of event is only useful if it serves to illustrate a broader issue, e.g., a history of repeated dishonest behaviour, neglect, and lack of regulation from the company to many of its clients/employees/users.

Unless the breach and underlying wrongdoing are so significant that it would in itself justify a dedicated analysis, you should broaden the impact analysis to the larger issue, not just the specific breach. Read more here on finding the right granularity level.

The exception to this rule is if the company is in the financial sector (Commercial Banks, Consumer Finance), and there is direct impact data available about monetary loss and/or identity theft.

The ideal situation (after discussing the voluntary selling/sharing/use of data):

  • The analysis shows that there is a history of breaches (showing negligence and oversight from the company).

  • A significant number of users' data was breached (i.e. 10,000+ people getting their data leaked).

  • The analysis includes direct data showing customers’ monetary losses or other impacts such as identity theft.

The acceptable situation:

  • If there is no direct data available, you can use proxies to show a monetary loss or identity theft.

  • We can accept a case where less than 10,000 people were affected, but only if direct data exists (i.e. X persons got Y amount of money stolen).


For both topics, make sure to describe the scale of the impact by taking into account:

The impact is not just the number of people affected, but how they were impacted. It is not because the data of, for instance, one million people have been exposed that the impact is necessarily significant. An analysis can discuss a case concerning a few hundred/thousand people if there is a tangible outcome. The impact is considered significant when this number of people (few thousand) have been victims of monetary losses, identity theft, etc., and this has been quantified.

1/ The breadth of the impact

  • Is the impact local, national, or global?

  • How many people are affected? Thousands? Millions? Billions?

2/ The depth of the impact

  • Is the life of people concerned deeply affected, or does the issue just marginally impact them?

  • Are the changes brought by the issue profoundly changing society?

3/ The persistence of the impact

  • How long would the impact described last for? Months? Years? Decades?

  • How reversible is the impact described in the impact analysis? Can it be easily stopped/extended?

You can also use studies on the impact of data privacy as proxies. Learn more in the article Step 5: Assess scale and value.


Key points to remember:

It is important to remain critical and nuanced. In your analysis, make sure you are not repeating the company’s CSR report.

The analysis should be as comprehensive as possible and include all data sharing cases and data breaches. Show the company’s track record (persistence).

Topic Webinar

Related
Articles

Based on the article you've just read, here are some more we think you'd be interested in.

4 Min read

30+ How-to Guides to treat Relevant Topics

30+ how-to guides to help you correctly analyse your impact topics.

5 Min read

Golden Rule #1: Find the right level of granularity

How to find the right scope to cover a particular topic.

8 Min read

Step 5: Assess scale and value

Learn how to assess the analysis you are writing or reading.

World Green Background Sustainability small

Let’s take action together

With the right investment companies having a positive impact on the planet are able to flourish. Our community forms part of that mission by measuring their impact.

Join Us