The following script was presented at the Data + Privacy Asia Pacific Conference 2017 in Sydney on 12 July 2017. Through a story about Don Juan in the digital age, the script highlights what should be done to secure customer confidence and loyalty when organisations share information with one another. That is: Revolutionise customer confidence through transparent information handling practices Shield customer data to advantage the customer (e.g. privacy by default) Collaborate with third parties and the customer to share the risks. As organisations are increasingly seeing the benefits of an open data economy, it is important that they embed customer-centric privacy practices into the fabric of their cultures. Script So, who is Don Juan? Don Juan is a legendary fictional libertine, created in 1630 by Spanish dramatist Tirso de Molina. Don Juan prides himself for being famous for his mastery in seduction, while being able to maintain an air of mystery. The tale of Don Juan has captivated global culture for the past four centuries. Today, our story of Don Juan, in the digital age, will provide the context for our key messages that reflect a need for organisations to not only protect their own reputations, but also that of their customers. How can you, as organisations, do this? Through understanding and respecting your customers’ expectations around privacy, whilst striving to achieve your commercial objectives. The next 10 to 15 minutes is definitely not about applauding Don Juan’s practices; it’s about understanding the consequences to Don Juan if his expectations of how his data will be used to protect his own reputation are not met. Don Juan will need confidence in our digital age that his data are being protected like one of his treasures, he understands with whom his information is being shared, and that he is told when something goes wrong so that he can start protecting his reputation of mystery. Our story starts with Don Juan. However – it is not 1630, but 2017, and he does not live in Spain, but here in Sydney, Australia. Like the fictional character, Don Juan’s sole ambition in life is to seduce many women, needing a level of anonymity to conduct his affairs. He likes to buy these women flowers, chocolates, and a variety of other gifts. He purchases flowers exclusively at Flower Po, an online Flower Shop. Don Juan trusts Flower Po because of its transparency over its information handling practices when it: collects his contact details; and saves his purchasing habits. This trust is important. Why? For Don Juan, it is because he does not want the women he sends flowers to know his home address or that he’s bought flowers for other women. For Flower Po, trust with their customer Don Juan has translated into loyalty. Over the years, Flower Po has collected a lot of valuable information about its customers, including Don Juan. It has been vital for the business to ensure his information is managed and protected in accordance with his expectations, particularly as he is a regular and loyal customer. Flower Po has realised that the information it holds could be used to drive further loyalty from Don Juan, as well as present a new stream of revenue for the organisation. Flower Po is now seeking to create a loyalty program with partners such as The Online Chocolate Shop. Don Juan considers signing up. Not only could he now send flowers, he could also earn points and send free chocolates with the points that he earns. But wait – he thinks – what will The Online Chocolate Shop know about him? He knows his information is in safe hands with FlowerPo, but he doesn’t know whether the Online Chocolate Shop would protect his information to the same degree. Don Juan does trust Flower Po though. Flower Po clearly indicates at the point of transaction the type of information that will be shared with The Online Chocolate shop: Delivery address order number and product are required, as the order will still be received from Flower Po. With this clarity, Don Juan decides to accept the offer, agreeing to disclose this information to The Online Chocolate Shop. He is confident that as his name is not going across, his privacy and reputation should be safe, as would Flower Po’s. As you can see, the offer was a success because: Flower Po is only sharing the information with its loyalty program partners as is required, and Dynamic consent was obtained at the point of transaction, to engage the customer in a decision about how their personal information should be used. Months go past and Don Juan’s game has lifted – he is able to send bigger gifts for the amount he pays and, even better, he now earns loyalty points from his spending. All of a sudden, a new digital platform player enters the Australian market. Zappler is a new online business revolutionising flower delivery in Australia. It’s not a flower shop, but a platform to enable any flower shop to deliver flowers. Not only do individuals have more choice, the cost is cheaper as Zappler recommends flowers available closer to the receiving address. Don Juan has a dilemma – this is fantastic, but how will he know which flower shops his details are going to? There is a risk that his data could fall into the wrong hands, which could lead to an unravelling of his reputation of mystery Don Juan decides to test Zappler out. As he is unsure and would like to protect his reputation, he registers himself using a pseudonym but a real address. Zappler makes it easier for individuals to become customers – if information is provided from other online flower shops, Zappler will recreate the orders and delivery addresses in the account without having to type them in again. Don Juan, of course, has far too many saved addresses to remember. He provides his Flower Po username and password to Zappler to access and send over his Flower Po orders and delivery addresses. What are the consequences? First, Don Juan’s identity can be revealed by Zappler, now that there is an address to re-identify him with Secondly, Don Juan does not realise he can be re-identified Thirdly, Flower Po did not consider that sharing Don Juan’s recurring orders was revealing his identity. One organisation has created a risk for another. At this rate, if Zappler has a data breach, the reputations of FlowerPo, Zappler and, most importantly, Don Juan as the customer, are at risk. So what can our story of Don Juan teach us about protecting reputations? First, our goal should be to Revolutionise customer confidence – we want customers like Don Juan to understand how their information will be used and shared. This transparency and choice will be the incentive that Don Juan needs to accept future information handling requests. Secondly, we want to ensure that we advantage the customer by Shielding their data. For example, by making their privacy a default. Don Juan has a specific need for privacy. We don’t always understand why data are important to our customers but this makes it more important to assess the potential risks of sharing and using specific data assets. And finally, we should Collaborate – work with our customers and third parties to share decision making throughout the lifecycle of data management. Collaboration is an opportunity to share control and the risks with Don Juan. Whilst this creates an additional responsibility for organisations, it allows them to relinquish partial control of information held and hence the risk. These three approaches will be beneficial not only to the customer but for the businesses too. As the Lead of Deloitte’s National Privacy and Data Protection practice, I see the challenges outlined in this story playing out across many industries in Australia. In particular, the challenges that we are helping our clients most with, on top of traditional privacy advisory and implementing frameworks and training and awareness plans, see our work now being focused on developing open data strategies and implementing consent management, de-identification and more recently API management solutions. These are not just challenges here in Australia but in other parts of the world too. Regulation has already been introduced that is encouraging organisations to challenge existing data protection practices, such as the EU GDPR and Payment services Directive in Europe. So we are not alone. In some respects Australia is slowly catching up, with the release of the Productivity Commission’s report into data availability and use, and the budget announcement around the introduction of an open banking scheme. In many ways, in this new data fuelled industrial revolution that’s underway, we are all in the same boat. We are all operating like startups – figuring out how to operate in this world where so many stakeholders have varying expectations such as Regulators, partners, vendors and, most importantly, customers such as Don Juan, many of whom having unique expectations. What this means in practice is that this is now anyone’s game – and a large opportunity for organisations to build trust and a reputation in the market for consumer-centric data management by, as mentioned before: Revolutionising customer confidence Shielding customer data …and Collaborating to share risk. Thank you for reading our script and if you have any questions, feel free to reach out to Marta Ganko in Sydney or Ilana Singer in our Melbourne Privacy and Data Protection practice.