Harnessing customer data well is central to any modern business, as is earning consumers’ trust that their information will stay private. With data breaches growing more common, regulations are tightening across the globe to bolster security, creating a new web of norms firms must understand.
As generative artificial intelligence (AI) explodes, companies face balancing individual privacy, coveted data insights, and the law—all while pursuing competitive advantage. Eva Ascarza, the Jakurski Family Associate Professor at Harvard Business School and co-founder of the Customer Intelligence Lab at the Digital Data Design Institute at Harvard, teamed up with HBS doctoral candidate Ta-Wei Huang to discuss their advice for businesses and their recent research about this rapidly changing landscape.
This interview has been edited for clarity and length.
Rachel Layne: Why do businesses need to be on top of data security?
Eva Ascarza: First and foremost, compliance isn’t just important; it’s mandatory. Companies need to keep up with all the necessary regulations, especially as they can change.
Take GDPR [General Data Protection Regulation], for instance. It now grants customers the “right to be forgotten.” So, if someone asks a company to delete their records because they don’t want to be part of any data analysis or algorithms, the company needs to act fast and get it done.
Sticking to the usual way of doing things isn’t a good idea. Regulations are only going to get tighter over time. Being proactive about how you handle data and run your models to protect privacy isn’t just smart—it’s essential. It’s really the best way to go about it.
“There’s a growing awareness among customers and users about how their data is used, and people definitely have their preferences.”
The second reason is all about consumer and societal reactions. Just because something is legal doesn’t necessarily mean it’s viewed as acceptable. There’s a growing awareness among customers and users about how their data is used, and people definitely have their preferences. Companies really need to consider this, because it matters a great deal to everyone involved in their business—from stakeholders to everyday consumers. It’s not just about following the law; it’s about respecting people’s views and expectations.
Ta-Wei Huang: In the early time, concerns about privacy mainly regard data security, such as whether credit card information or social security numbers were at risk of being leaked. However, following the Cambridge Analytica scandal, society has become more aware that the misuse of personal but public information can pose significant risks, not only to social media companies but also to democratic systems as a whole.
Now, with ChatGPT and other gen AI tools, the questions regarding data privacy have become more complex: “Where is the data coming from? Is it sensitive to someone?” If regulators or customers ask this question, companies need to be prepared with a solid response.
Layne: The EU and US landscapes are so different. What should businesses think about when they’re working on privacy matters in these different regions?
Ascarza: Indeed, these two regions have a very different approach. In Europe, the European Commission and other regulators lead the push for better data privacy. They see privacy as a fundamental human right. The EU’s General Data Protection Regulation, or GDPR as most of us know it, is a big part of this. It’s a top-down approach that comes with its mix of pros and cons.
In the United States, it’s more of a bottom-up situation. Major businesses advocate for what they want, often under scrutiny from their peers. You also have citizen groups piping up, cautioning, “Hey, let’s be careful about that.” Eventually, the government steps in, saying, “We’ll chat with big tech to make sure everything’s OK.” But it’s not like there’s one single entity calling the shots for everyone on what’s good or not.
Huang: While the approaches are different, investing in privacy is always a smart move for companies. In Europe, you might get a direct call from the government saying, “You can’t do that; you need to change,” or they might even shut you down if you’re not up to speed. So, being ready to quickly adjust to new rules is key.
In the US, it’s more about the private sector setting the pace. If your company can get ahead and help define the privacy rules, that puts you at a huge advantage. Essentially, you’re setting the standard, and everyone else will have to catch up.
Investing in privacy early on is key, not just for protecting your company, but also as a strategy to gain a competitive advantage.
Layne: One thing you do suggest companies do is get a chief privacy officer or designate someone internally. How does that differ from a CTO or a CIO?
Huang: Based on several interviews we did, two key qualifications are commonly expected for this role. First, this person needs to be an expert in legal and compliance issues, primarily to ensure that no laws are violated that could result in large fines. Also, this person needs to have an answer to key questions for privacy protection, such as: What is the compliance framework for accessing and using data in various tasks? Essentially, the person is responsible for developing and regularly updating a framework to monitor the privacy compliance of data applications, ensuring adherence to the latest laws.
Second, the person should be capable of working with technical talents of privacy protection. There are many professionals, such as privacy engineers, who specialize in privacy technologies. The executive in this role doesn’t need to be an expert in coding, but they should be aware of the tools available to help them comply with privacy regulation.
Ascarza: There is a big focus on documentation. Companies have to be really thorough about recording everything: how they handle data, store it, retrieve it, and use it, not to mention detailing how their models work and the decisions these models help make. It’s all about keeping a clear trail of what’s happening behind the scenes.
“Instead of building their tech stack from scratch, small companies can stay competitive by relying on third-party providers for a lot of the heavy lifting—like managing and modeling data.”
Layne: Where do you start if you’re a medium-sized company that doesn’t have a lot of resources like the Apples or the Googles of the world?
Ascarza: From our perspective, it’s pretty clear: companies need to find the resources for privacy. Saying, “I don’t have the resources to care about privacy,” isn’t really a valid excuse. Even small businesses need to make sure their data is secure and not left open to hacks. It’s just part of doing business responsibly these days.
Instead of building their tech stack from scratch, small companies can stay competitive by relying on third-party providers for a lot of the heavy lifting—like managing and modeling data. If you’re not sure you have the in-house capacity, outsourcing is a smart move. There are just a handful of companies out there that really specialize in this, and they can be a huge help.
Layne: Why is transparency so important for consumers?
Ascarza: It’s a bit of a balancing act, really. Consumers download an app because they’re looking for a quick solution, not because they want to wade through a bunch of legal text. At the same time, you’ve got companies constantly running ads claiming, “We take your data very seriously,” and making all these promises about never selling your information. However, slogans usually aren’t enough for customers—they want to see actual actions. Being transparent about how you use their data is crucial.
Huang: One important thing for a company to keep in mind is to be customer- centric, being mindful of different cultural perspectives. For instance, when the FBI tried to get access to iPhones, Apple refused. While consumers in the US might view this as a step on privacy protection, perceptions can vary globally. I’ve seen cases in other countries where companies that refuse to share data with governments are perceived by the public as irresponsible.
So, I believe there isn’t a universal answer to the right approach. However, being aware of customer sentiment and cultural context is really important.
You Might Also Like:
Feedback or ideas to share? Email the Working Knowledge team at hbswk@hbs.edu.
Image: Illustration created using images from AdobeStock/ purgatory.art and generated by Midjourney, an artificial intelligence tool
