Every second of the day, a wealth of data stream from a global maze of social networks, smartphones, point-of-sale devices, medical records, financial transactions, automobiles, energy meters, and other digital sources. Such big data, fueled largely by personal data about all of us, represent an asset class every bit as valuable as gold or oil.
In fact, freely flowing data—infinitely generated, distributed, mined, combined, tracked, and connected—play a particularly critical role in many of the products and services that make up the Internet economy. According to The Boston Consulting Group’s research, by 2016 the Internet economy will reach $4.2 trillion in value in the developed markets of the G-20, or 5.3 percent of their GDP. In these countries, the Internet economy is growing at 8 percent annually, far outpacing just about every traditional sector in many otherwise-struggling economies—and growth rates are more than twice as fast in developing markets.
Consumers are the real beneficiaries of the Internet economy. The value they place on the many Internet services that have been built atop the sharing of personal data—such as search engines, e-mail, news sites, and social-network services—reflects that benefit. Consumers value the Internet at many times more than its cost, BCG has found.
But the size of the future value and growth depends on the trust that consumers place in the use of data about them. Take the case of online retail, one small part of the personal-data ecosystem. BCG forecasts that the sector could grow by anywhere from $1.5 trillion to $2.5 trillion by 2016. That difference of $1 trillion serves as a signal for the potentially tens of trillions of dollars of economic impact at stake when other sectors, such as health care and financial services, are considered.
Despite this tremendous opportunity, risks lie just beneath the surface. Given the consistent headlines reporting security breaches, data misuse, and disruptions, consumers are growing increasingly concerned about how their data are gathered and used. However, these concerns depend on the context—who is collecting the data, how the data are being used, and (to a lesser extent) the type of data. For instance, the perception of a threat to privacy varies across industries by a factor of five to ten times as one moves from the automotive, telecommunications, and retail industries at the low end to online search and social networking at the high end.
Adding to the uncertainties are costly regulatory developments—in jurisdictions as diverse as the European Union, the U.S., and developing markets—with the potential to affect citizens and organizations far from their places of origin, as we will explore. Given the strong interest and awareness of the subject among consumers and regulators, a considerable portion of the potential opportunity could be at risk.
In an earlier report (Rethinking Personal Data: Strengthening Trust) written in partnership with the World Economic Forum, we called for a range of stakeholders to build a framework for a common understanding in dealing with the many risks and opportunities involved in this valuable new asset class. Here, in this article, we offer four clear-eyed, practical steps that business leaders across a wide range of industries can take to bring our earlier framework to fruition. Combined, these strategies can ensure that the trusted flow of personal data, which benefits consumers and businesses alike, gets strengthened rather than stifled.
Companies that effectively turn consumer information into insights mine these big-data sets to create three categories of opportunity:
To realize these kinds of opportunity, organizations must understand the consumer information they already have, then identify and access any additional data they need and decide who is responsible for them. Many new data opportunities come from the serendipitous commingling of traditional data with newer, less structured forms of big data. For example, companies can combine data about how customers discuss existing products on social-media sites with traditional product-testing data.
Customer data can be a strategic asset for a company, but they can also be a major liability if misused. To be good stewards of personal data, companies must clearly understand how they manage those data.
Companies need to collect data in a way that both adheres to evolving regulations and builds customers’ trust, keeping in mind the wide range of sources of data: customers who volunteer their data directly, companies that observe data as a result of an interaction between an individual and an organization, or an organization that infers data from an analysis of customer records and behavior. As companies amass data, they also have an obligation to secure them, to prevent data from being compromised or misused. The potential impacts of missteps in this area can be huge, in terms of not just the sometimes billions of dollars in damage done through the breaches themselves but also the potential legal and regulatory costs.
In addition, companies must have clear policies, protocols, and processes for how they will obtain proper permissions in a decentralized and dynamic environment in which individuals play an active role. Organizations must also ensure that they are actually following their own policies, an element that is frequently lacking.
One way to rethink how businesses manage personal data is to offer customers simple and meaningful opportunities to grant permission for the use of their data. A joint survey conducted by BCG and Liberty Global of more than 3,000 consumers revealed that few individuals exercise control of their personal data, however. Just 10 percent of respondents had ever undertaken at least six of eight common privacy-protecting activities, such as changing privacy settings or opting into or out of data use. Even though that remains common behavior today, we found that consumers who were able to effectively manage their privacy were up to 52 percent more willing to share information in the future than those who were not managing their privacy.
Consider how BT implemented the “cookie law” in the U.K., which requires companies to obtain the consent of their website users before using cookies to track behavior online and personalize services. To comply with the law, BT implemented easy-to-understand practices for visitors to its website. A simple pop-up screen allows users to discern the strictly necessary cookies required for the site to operate properly (from which customers do not have the right to opt out) and the functional and targeting cookies that enable social sharing and behavioral tracking but that also allow the best experience. The company clearly explained what customers get for the information they give.
National and regional governments are actively looking to legislate and regulate the personal-data ecosystem. Current regulatory approaches could fundamentally change the ways businesses use data to create value for customers and shareholders, in particular their ability to use big-data sets.
In the EU, the proposed General Data Protection Regulation would have meaningful impacts on businesses around the world. (For a summary of some of the key concerns raised, see Exhibit 2.) In the U.S., efforts with significant bottom-line results include the Consumer Privacy Bill of Rights, recent multiyear Federal Trade Commission enforcement actions against companies such as Google and Facebook, and legislative efforts related to cybersecurity. In India, a rolled-back requirement for more explicit consumer consent could have resulted in a huge blow to the nation’s outsourcing industry; in other countries, the regulatory process may not necessarily seek to align with Western approaches.
Many regulators are responding to valid consumer concerns about privacy and protection. However, we see a need to engage in a multisided debate about how to strike the appropriate balance between allowing data to flow to create value for everyone and restricting that flow to protect individuals.
Ahead of the approval of the EU General Data Protection Regulation, for example, many global companies are actively working to influence aspects that could undermine many of the popular and often free offerings that depend on personal data. More specifically, businesses are beginning to establish a set of clear and contextually specific usage rules, such as voluntary industry codes of conduct, that reflect the nature of data and the specific uses of data. The complexity of developing an actionable and lasting framework is increasing awareness of the need to collaborate across industries and jurisdictions and to help educate policymakers and regulators about the world of big data. We have found that many regulators are open to a multisided dialogue to help solve these issues together.
All these efforts point to an overarching message: there is less and less difference emerging between strategy and policy. Major Internet players have already seen how regulatory efforts can have a big impact on their corporate strategy. Other companies will increasingly need to understand how the policy world will define or restrict their strategies as well.
It is clear that data represent a significant opportunity. In fact, we estimate that leveraging personal data can be a key driver of growth in many of the world’s economies.
Given the size of the prize and the potential brand risk for the business from getting things wrong, personal-data management cannot sit within one group in the company. It needs to be deeply embedded in the company as a whole, especially in the C suite.
Typically, issues involving personal data are dealt with at a rung or two down the ladder from the C suite, often at the level of the chief privacy, legal, or compliance officer. The approach is one of compliance and risk management, rather than proactive leveraging of personal data to create strategic value.
It is no longer enough for CEOs to delegate this issue to their security, government affairs, and privacy executives. Top executives need to realize that data lie at the core of new business opportunities, efficiency gains, and corporate strategy in the digital economy. Ultimately, we maintain that the personal-data opportunity is so great and the downside of mismanaging personal data is so large that the entire C suite of a company must engage with these issues as the top priorities they are.
A trillion-dollar opportunity has opened up for businesses to create value from personal data. These benefits will flow to shareholders, customers, and society at large. But to treat personal data as a valuable asset class, businesses need to understand the ways in which such data work. They must also ensure that there are appropriate rules and processes around the use and management of personal data so that the risks are properly mitigated. For data to flow freely, businesses must begin to rebuild customers’ trust, from the top.