OFAD80 Lecture 8 - Customer Privacy PDF
Cavite State University
Summary
This lecture discusses customer privacy, including government involvement and data privacy laws. It explores the concept of customer privacy and its importance in business transactions. The lecture also analyzes relevant regulations such as GDPR and CCPA.
Full Transcript
**UNIT 7: CUSTOMER PRIVACY**

**SUBTOPICS**

- What is Customer Privacy?
- Government Involvement and Customer Privacy Laws
- Data Privacy in the Philippines
- Analysis of CRM Strategies

**LEARNING OBJECTIVES**

At the end of the unit, the students will be able to:

1. Describe the concept of customer privacy;
2. Analyze the need for customer privacy; and
3. Identify the analysis of CRM strategies.

**TOPIC DISCUSSION**

For a long time, the conventional wisdom was that electronic communications constituted a major threat to individual privacy. Wiretapping, eavesdropping, and data banks were part of the Big Brother and Nosy Sister scenario. This fear for personal privacy is justified in the short term. But in the long term, the opposite is more likely to happen, because the electronic tools that permit privacy invasion are even more powerful in controlling an individual's informational autonomy.

In the process, still another revolution is upon us, the revolution of access control. By gaining such control individuals achieve bargaining strength over those who seek information about them. They can establish a perimeter over the inflow and outflow of information. They can create property rights in personal information. Transactions become possible, and markets in private information can emerge.

**What is Customer Privacy?**

**Customer privacy** involves the handling and protection of the sensitive personal information provided by customers in the course of everyday transactions. This form of information privacy surrounds the privacy and protection of a consumer's personal data when collected by businesses. Businesses implement standards for consumer privacy to conform to local laws and to increase consumer trust, as many consumers care about the privacy of their personal information.

In the information sector, privacy consists of two distinguishable but related aspects:

1. The protection against intrusion by unwanted information. This is sometimes termed "the right to be left alone," and it is an analogue to the constitutional protection to be secure in one's home against intrusion.
2. The ability to control information about oneself and one's activities; this is related in some ways to proprietary protection accorded to other forms of information through copyright laws, and security of information about oneself from tampering by others.

The common aspect of both these elements is that they establish a barrier to information flows between the individual and society at large. In the first case, it is a barrier against information inflows; in the second instance, against information outflows. The concept of privacy is not without its detractors.

**Government Involvement and Customer Privacy Laws**

Eighteen percent of the world's countries lack data protection regulations. The United States combines state and federal laws, but there is no federal legal standard. Without a central governing body to oversee and enforce laws, this frequently results in legal loopholes or ineffective enforcement.

As awareness of consumer data privacy has grown, state and federal governments around the world have enacted more comprehensive data protection legislation.

1. The **General Data Protection Regulation (GDPR)** is the European Union's (EU) recent update to reflect modern data practices. It added laws and updated existing ones to further protect individuals from unauthorized data processing and unsafe data practices. The EU has a central data privacy authority to oversee regulations, enforce guidelines, and issue legal and financial penalties when needed. GDPR applies to all companies inside the EU and any organization outside of the EU that sells products or services to EU consumers. It doesn't apply to any anonymized data if the subject of that data is not identifiable.
   Under GDPR, companies are only permitted to collect a consumer's data when they have a legal reason to do so, like protecting the public interest or as a part of a mutually agreed upon contract. All organizations must inform consumers what data they are collecting and the purpose of collecting it. They must also provide consumers information about their existing data rights.

2. The **California Consumer Privacy Act (CCPA)** took effect in 2020 and introduced a set of consumer rights and guidelines for organizations regarding customer data. It's the most comprehensive statewide data legislation in the U.S. to date and applies to corporations making $25 million or more per year or those that collect data from 50,000 or more consumers in California. Third-party data companies are also required to follow all guidelines.

   The CCPA gives consumers a right to know how their data is being collected, if it's being sold and to whom, and the option to decline the sale of any personal information. It also includes special provisions for young children and minors aged 16 and under. Failure to abide by CCPA guidelines results in penalties and fines.

   Two bills associated with California's 2020 consumer data privacy legislation are AB 82 and AB 1281. AB 82 requires all data broker registration fees to be used to offset costs for websites if the information is accessible to the public. AB 1281 exempts the CCPA from some employment or personal information involved in business-to-business transactions and permits some parties, like employers, medical staff, owners, or employees, certain rights to data collection.

3. The **Consumer Data Protection Act (CDPA)** was enacted in 2021 and granted Virginia consumers more extensive rights to their own data.
   It acts similarly to the CCPA by applying to all companies that control or process data of 100,000 or more consumers or those that collect 25,000 consumers' data and also earn half of their revenue by selling that information. It also applies to all companies that serve or sell to Virginia consumers from outside the state. The CDPA requires all companies to help data consumers understand their data rights by offering opt-in consent, the ability to opt out, and information about data collection and sales.

4. The **Colorado Privacy Act (CPA)** of 2020 applies to Colorado businesses that collect data from 100,000 or more in-state consumers or 25,000 consumers while deriving a portion of revenue from selling that data. It gives consumers the right to opt out of targeted advertisements and data sales, and the ability to request that companies delete their data. Some exemptions apply.

**Data Privacy**

**Data privacy** ensures the right of an individual to control the collection of, access to, and use of personal information about them that is under the control or custody of the government or the private sector. It refers to the handling of various types of personal information, such as personal health information (PHI) and personally identifiable information (PII). This information is collected based on the entity's request, which may include SSS/GSIS numbers, TIN numbers, health records, financial data, and personal data.

Nonetheless, businesses use this data to help shape their decisions. Data collection in business typically includes the aforementioned variables, as well as other variables that assist the company's operations. This includes development data, feedback, and concerns, as well as proprietary research.

a. **Data Privacy in the Philippines**

**Republic Act No. 10173**, also known as the **Data Privacy Act of 2012**, was signed into law by President Benigno Aquino III on August 15, 2012. RA 10173 aims to:

1. protect the privacy of individuals while ensuring free flow of information to promote innovation and growth;
2. regulate the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of personal data; and
3. ensure that the Philippines complies with international standards set for data protection through the National Privacy Commission (NPC).

b. **Why Is Data Privacy Important?**

Data privacy is important for several key reasons:

1. **Protection of Personal Information:** Data privacy safeguards individuals' personal information from unauthorized access, ensuring that sensitive data such as social security numbers, financial records, and health information remains secure. By maintaining control over their personal data, individuals can mitigate the risks of identity theft, fraud, and other malicious activities.
2. **Trust and Confidence:** Data privacy is crucial for establishing trust between individuals and organizations. When companies prioritize data privacy and demonstrate their commitment to protecting personal information, they build a reputation for reliability and integrity. This, in turn, fosters customer confidence, leading to stronger relationships and long-term loyalty.
3. **Legal and Regulatory Compliance:** Various data protection laws and regulations, such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), require organizations to implement measures to protect individuals' data privacy rights. Compliance with these regulations helps businesses avoid legal repercussions, hefty fines, and damage to their reputation.
4. **Ethical Data Practices:** Respecting data privacy is an ethical responsibility. Organizations that handle data must ensure they have proper consent for data collection, use, and sharing.
   By adhering to ethical data practices, businesses show their commitment to respecting individuals' rights and promoting transparency in their operations.
5. **Data-driven Innovation:** Data privacy is not just about protection; it also fuels innovation. When individuals trust that their data will be handled responsibly, they are more likely to willingly share information. This data, in turn, can be used to derive valuable insights, drive personalized experiences, and advance research and development across various industries.
6. **Preserving Individual Autonomy:** Data privacy empowers individuals to maintain control over their personal information. It allows them to decide how their data is collected, used, and shared. By respecting individuals' autonomy, data privacy ensures that personal information is not exploited or misused without consent.

c. **Best Practices for Data Privacy Compliance**

Complying with data privacy regulations in the Philippines isn't only a matter of protecting customer data. It can enhance customer relationships and promote a culture that respects consumer privacy. Below are a few data privacy best practices to comply with the Philippine data privacy regulations.

1. **Craft a clear privacy policy:** Develop a transparent and comprehensive privacy policy in the Philippines that communicates how customer information is collected and the intended use. An effective policy will require collaboration from your information technology (IT), legal, and data privacy officers.
2. **Conduct training and awareness programs for employees:** Complying with the DPA's regulations is an uphill battle when employees don't understand why data privacy is important or how it impacts your business. Data privacy awareness programs, workshops, and seminars are excellent ways to brief employees about the subject and align your team. Data privacy and cybersecurity are broad, providing you with multiple options of topics to tackle.
   For instance, suppose you offer financial services. In this case, you can invite an expert to discuss know-your-customer (KYC) protocols. These programs can also serve as upskilling opportunities for your workforce interested in cybersecurity, keeping them engaged and reducing employee attrition rates.
3. **Enhance data encryption and security measures:** Chapter VII, Sec. 23, (3) of the DPA states that the technology you use to access off-site data shall use a high level of encryption. It directly impacts your data management procedures if you're using a customer insight platform. There are two types of encryption you can consider to enhance your cybersecurity. **Symmetric encryption** involves using one key to encrypt and decrypt data. It's a straightforward method you can consider if you're a relatively smaller team. However, **asymmetric encryption** takes your security up a notch by requiring a public key to encrypt data and a private key to decrypt it.
4. **Assess your data privacy risk regularly:** The National Privacy Commission outlines how you can conduct a privacy impact assessment (PIA) to help you understand your current level of protection. In a nutshell, you must work with stakeholders to uncover how a process, information system, or any other personal information processing initiative can impact user privacy.
5. **Find the right data protection officer:** Privacy policy laws in the Philippines require you to appoint a data protection officer (DPO). This person will oversee your data collection and processing, ensuring they follow the act's guidelines and protect it well. The right DPO must at least be an expert in privacy and data protection policies relevant to your industry and business's operations. Their expertise lets them make knowledgeable decisions to guide your team on the most secure customer data path while balancing business goals.

d. **Parameters of Data Processing of Personal Information**

1. **Criteria for Lawful Processing of Personal Information.** -- The processing of personal data can only be allowed when at least one of the following conditions exists, unless otherwise prohibited by law:

   - The data subject has provided consent.
   - The processing of personal information is necessary and related to the contract.
   - The processing is necessary for compliance with a legal obligation.
   - The processing is necessary to protect the vital interests of the data subject, including life and health.
   - The processing is necessary for national emergencies, public order and safety, or the fulfillment of functions of public authority.
   - The processing is necessary for the legitimate interests pursued by the personal information controller or by a third party or parties to whom the data is disclosed. However, the processing is prohibited if it conflicts with the fundamental rights and freedoms of the data subject protected under the Philippine Constitution.

   (Section 12 of R.A. 10173, otherwise known as the Data Privacy Act of 2012).

2. **Sensitive Personal Information and Privileged Information.** -- Cases where the prohibition of processing of sensitive personal information and privileged information is exempted:

   - The data subject or all parties concerned with the privileged information has provided consent for the specific purpose before its processing.
   - If consent for processing is not required by law or regulations, the processing must guarantee the protection of sensitive personal information and privileged information under existing laws and regulations.
   - The processing is necessary to protect the life and health of the data subject or another person if the subject is not legally or physically able to consent to the processing.
   - The processing is necessary to achieve lawful and noncommercial objectives of public organizations and their associations as long as there is consent for the processing, the processing is confined and related only to the bona fide members of the organization, and the sensitive information is not transferred to third parties.
   - The processing is necessary for medical treatment carried out by a medical practitioner or institution while ensuring the protection of personal information.
   - The processing is necessary to protect natural or legal persons' lawful rights and interests in court proceedings, the establishment, exercise, or defense of legal claims, or when provided to government or public authority.

   (Section 13 of R.A. 10173, otherwise known as the Data Privacy Act of 2012).

e. **The Right of Data Subject**

1. **Rights of the Data Subject.** -- The data subject is entitled to the following rights during the processing of their personal information:

   - Right to be informed
   - Right to access
   - Right to object to the processing of their personal information (where applicable)
   - Right to correct or rectify their personal information
   - Right to block or remove
   - Right to damages
   - Right to data portability
   - Right to file a complaint

   (Section 16 of R.A. 10173, otherwise known as the Data Privacy Act of 2012).

2. **Transmissibility of Rights of the Data Subject.** -- If the data subject has passed away or becomes incapacitated, their legal heirs or assignees may invoke their data privacy rights. (Section 17 of R.A. 10173, otherwise known as the Data Privacy Act of 2012).
3. **Right to Data Portability.** -- The data subject has the right to obtain a copy of their data undergoing processing in an electronic or structured format if such information is processed by electronic means in a structured and commonly used format. (Section 18 of R.A. 10173, otherwise known as the Data Privacy Act of 2012).

f. **Penalties Concerning Data Privacy**

![](media/image3.png)

**Analysis of CRM Strategies**

CRM is about creating a competitive advantage by being the best at understanding, communicating, delivering and developing existing customer relationships in addition to creating and keeping new customers. The concept of product lifecycle is giving way to the customer life cycle, focusing on developing products that anticipate the future needs of existing customers and creating services that extend existing customer relationships beyond the mere transaction. The customer life cycle will focus on lengthening the life span of the customer with the organization rather than the endurance of a particular product.

Customers have changing needs as their lifestyles alter---the development and provision of products or services that continuously seek to satisfy those needs is good CRM. Mission statements will focus greater attention on how to deliver customer satisfaction, and organizations will begin to structure themselves around customer segments and not product lines.

A good CRM strategy will take the business vision and apply it to the customer base by asking the following questions:

- What products and services are we offering now and in the future?
- In what markets?
- What customer groups will these products and services appeal to?
- Which of these are of most value to the organization? In terms of spend? In terms of reliability? In terms of profitability? In terms of growth potential?
- What additional needs do the most valuable customer groups have? Additional products? Additional services?
- What different ways can we be doing business to deliver to our customers better?

**Sources:**

- Juntilla-Catacutan, E. J. (2022, December 9). *What you should know about data privacy in the Philippines*. Carpo Law & Associates.
- Tobin, D. (2024, March 2). *What is Data Privacy---and Why Is It Important?* Integrate.io.
- *National Privacy Commission*. (n.d.). National Privacy Commission.
- Inquiro. (2024, August 14). *Data Privacy Philippines: 5 Best Practices for your business*. Inquiro.