Meeting growing customer demand for relevant, personalised experiences while managing the regulatory demands of protecting data is emerging as one of the most significant challenges facing businesses today. Aspects such as managing customer consent and conforming to data privacy legislation create complexities for cloud-based data and analytics solution providers, the brands that use them, and the customers themselves.
Given how the management of personal information (PI) is driven by the likes of the General Data Protection Regulation (GDPR) in Europe and the Protection of Personal Information Act (POPIA) in South Africa, companies and providers need to navigate a minefield of compliance requirements to avoid significant financial fines and reputational damage, amongst others. But it is not as easy as simply tightening control at the expense of digital usability.
A recent global customer experience research survey has found that 65% of South African customers will continue using digital channels even in a post pandemic environment. Of those, 37% indicated that they will start using even more online and digital apps than they do currently. This adoption comes with an expectation that service providers will be able to deliver an integrated experience across all touch points and deliver solutions tailored at an individual customer level.
The same research has found that 38% of South African customers would ditch a brand after just one or two poor experiences. This means that instead of restricting data usage, customers want brands to leverage it and improve their offerings. Customers are therefore more willing to provide personal data to companies especially if that will result in an improved customer experience.
While POPIA is broadly aligned to GDPR, there are some differences that brands (Responsible Parties) should be aware of, in terms of managing customer data in accordance with POPIA i.e., it is a requirement that Responsible Parties (known as Data Controllers in the EU) conclude written mandates (referred to as an Operator Agreement) with Operators (Data Processors in the EU), where the latter needs to act in accordance with those terms, thereby adhering to POPIA. Under POPIA it is the Responsible Party that bears the compliance burden and accordingly the consequences of non-compliance, which may include the risk of fines.
“Essentially, this means that locally, a brand must ensure its 3rd party Operator complies within the Operator Agreement or the brand themselves may be found liable for any issues of non-compliance,” says James MacDonald, senior business solutions manager at SAS in South Africa.
This results in some legal expense and an increase in risk to meet the terms of the Operator Agreement.
“Fortunately, this only applies to PI and not anonymised data that cannot be re-constituted. Even so, with the shift away from third-party cookie browser support, first-party PI data is going to become even more important especially as people will rely more on online services for work and their personal engagements,” says Okeletsang Mookeletsi, head of legal: Africa at SAS.
Mookeletsi says that this results in a web of Responsible Parties and Operators that can quickly become difficult to manage effectively, especially as the relationship between them can change depending on the use cases.
MacDonald agrees and indicates that this results in a chain of responsibility between the Data Subject (the customer), the Operator, and the Responsible Party. And there are many things a brand must focus on especially when it comes to PI.
“Ideally brands need a customer experience and engagement data architecture that is flexible and allows them the option of managing their customers PI on-premise, within their own data centres, whilst still being able to benefit from SaaS-based customer experience solutions which may be acting as third-party Operators. Working with a trusted Operator that understands the nuances and challenges of what this entails – both technically and from a business perspective – can help alleviate some of the complexities and inadvertently being out of compliance,” says MacDonald.
Refining information about the specific needs and interests of the individual customer is the aim of data-driven customer experience. Collecting and analysing data from all the many touchpoints a customer may have with a company will make for the kind of sophisticated customer profile that will allow prediction of their preferences to an astonishing degree of accuracy. But this requires brands to work within specific parameters as determined by the regulatory environment, especially POPIA.