The age of privacy as a matter of policy and law is over. Now dawns the age of privacy as a technical matter, of automation, operations, and execution.
At least that’s how PwC sees things, and that has fueled a pair of acquisitions in the identity and access management market, which will be bolted on to PwC’s growing cybersecurity, privacy and data protection practice.
“Maybe three or four years ago,” Partner in PwC Legal and head of the privacy and cyber practice Stewart Room told The Privacy Advisor, “you could build a professional services practice and talk about the creation of policy frameworks; but now, if you don’t have deep technical expertise, such as about how biometric authentication works in a technical sense, you don’t have any future in the market … that’s really at the heart of client interest and demand.”
Other consultancies seem to see the market similarly. As Consultancy.uk recently noted, Deloitte has partnered with IT company Equinix to open a cyber center in the Hague, while KPMG has acquired three firms in the cybersecurity space.
But why do behemoths like PwC and KPMG need to acquire relatively small 55-person firms like Everett, the company PwC bought in late July?
“With a business of our size and reach,” said Room, “and our performance expectations, we cannot possibly wait to develop the amount of talent we need on an organic basis. We want to make sure in key territories that if we haven’t grown it, then we will acquire it. And that’s really illustrative of this deal. The market need is there and we want to satisfy that.”
Gerald Horst, Everett CEO, said the identity management space has evolved quickly and, like privacy, has recently entered a new phase. Over 17 years, with a focus in the Netherlands, Germany, the U.K., and Italy, Everett’s business model has adapted a number of times, he said, but about 10 years ago began to focus exclusively on identity and access management, due to the complexity of the field.
First, identity management was about simply providing access to employees who were inside their office building. It was focused on accessing the network, their desktop PC and some key business applications.
“Consent wasn’t necessary,” said Horst. “It was part of their employee contract.”
Next came the need to document and plan for who had access to what, to comply with various legislation and audit operations.
Now, identity management has left the building.
“This last wave started about two years ago,” said Horst. “Customer-focused identity and access management. Everyone is coming online, businesses aren’t brick and mortar as much anymore, so they have to meet the expectations of their customers. And that’s the biggest growth driver in the market today.”
Customers want to be recognized, in a privacy-sensitive way, when they encounter businesses. They want to be able to speed through a transaction because the card is already on file. They want one-click purchasing. They want to have their preferences recorded and their experience customized.
For that, you need to be able to authenticate who a person is rapidly, without allowing someone to spoof the system.
And that’s the sticky part: “The end user needs to provide his or her consent for specific data that’s being used,” Horst noted.
Does that sound like a solution to the myriad hurdles raised by the GDPR surrounding documenting consent, allowing for that consent to be revoked, and the right to be forgotten?
However, Room says an acquisition like Everett isn’t meant to serve just the GDPR or any specific data protection legal problem. “You need to think also about some of the more economic and technical goals around data,” he said. “Where we perceive data privacy to be is no longer at organizational level, it’s at the data level, and it’s at the personality level, and that’s what this acquisition is helping us to tackle.”
“For the first time,” agreed Horst, with customer identity and access management, “we’re helping drive the bottom line of businesses, instead of increasing security or cutting costs. It’s about ease of use, and creating a competitive advantage, and creating an easy solution.”
By managing consent and helping the customer pick up that rental car faster or check in to the hotel at the bar, privacy best practices are driving profit, rather than simply making sure the big, bad regulator doesn’t come knocking.
Of course, that means it takes a far more savvy and strategic privacy officer to recognize those kinds of opportunities for a business. More often than not, Everett is engaging first with a marketing officer, or a chief data officer. Only recently, said Room and Horst, maybe in the last 18 months, has a strategic privacy officer begun to be involved in some of the early conversations around engaging Everett and figuring out new ways to manage customer identity.
“The shift to privacy officer with the budget to start these kinds of projects is happening,” said Room, “but, from my perspective, it’s still early days.”