TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | PwC acquires to prepare for Privacy 2.0 Related reading: PwC Adds Another Frontline Starter: Peter Cullen




The age of privacy as a matter of policy and law is over. Now dawns the age of privacy as a technical matter, of automation, operations, and execution.

At least that’s how PwC sees things, and that has fueled a pair of acquisitions in the identity and access management market, which will be bolted on to PwC’s growing cybersecurity, privacy and data protection practice.

“Maybe three or four years ago,” Partner in PwC Legal and head of the privacy and cyber practice Stewart Room told The Privacy Advisor, “you could build a professional services practice and talk about the creation of policy frameworks; but now, if you don’t have deep technical expertise, such as about how biometric authentication works in a technical sense, you don’t have any future in the market … that’s really at the heart of client interest and demand." 

"If you don’t have deep technical expertise, such as about how biometric authentication works in a technical sense, you don’t have any future in the market." -Stewart Room, PwC

Other consultancies seem to see the market similarly. As recently noted, Deloitte has partnered with IT company Equinix to open a cyber center in the Hague, while KPMG has acquired three firms in the cybersecurity space.

But why do behemoths like PwC and KPMG need to acquire relatively small 55-person firms like Everett, the company PwC bought in late July?

“With a business of our size and reach,” said Room, “and our performance expectations, we cannot possibly wait to develop the amount of talent we need on an organic basis. We want to make sure in key territories that if we haven’t grown it, then we will acquire it. And that’s really illustrative of this deal. The market needs is there and we want to satisfy that.”

Gerald Horst, Everett CEO, said the identity management space has evolved quickly, and like privacy has recently entered a new phase. Over 17 years, with a focus in the Netherlands, Germany, the U.K., and Italy, Everett’s business model has adapted a number of times, he said, but about 10 years ago began to focus exclusively in identity and access management, due to the complexity of the field.

First, identity management was about simply providing access to employees who were inside their office building. It was focused on accessing the network, their desktop PC and some key business applications.

“Consent wasn’t necessary,” said Horst. “It was part of their employee contract.”

Next came the need to document and plan for who had access to what, to comply with various legislation and audit operations.

Now, identity management has left the building.

“This last wave started about two years ago,” said Horst. “Customer-focused identity and access management. Everyone is coming online, businesses aren’t brick and mortar as much anymore, so they have to meet the expectations of their customers. And that’s the biggest growth driver in the market today.”

Customers want to be recognized, in a privacy-sensitive way, when they encounter businesses. They want to be able to speed through a transaction because the card is already on file. They want one-click purchasing. They want to have their preferences recorded and their experience customized.

For that, you need to be able to authenticate who a person is rapidly, without allowing someone to spoof the system.

And that’s the sticky part: “The end user needs to provide his or her consent for specific data that’s being used,” Horst noted.

Does that sound like a solution to the myriad hurdles raised by the GDPR surrounding documenting consent, allowing for that consent to be revoked, and the right to be forgotten?

However, Room says an acquisition like Everett isn’t meant to serve just the GDPR or any specific data protection legal problem. “You need to think also about some of the more economic and technical goals around data,” he said. “Where we perceive data privacy to be is no longer at organizational level, it’s at the data level, and it’s at the personality level, and that’s what this acquisition is helping us to tackle.”

“For the first time,” agreed Horst, with customer identity and access management, “we’re helping drive the bottom line of businesses, instead of increasing security or cutting costs. It’s about ease of use, and creating a competitive advantage, and creating an easy solution.”

“For the first time, we’re helping drive the bottom line of businesses, instead of increasing security or cutting costs." — Gerald Horst, Everett

By managing consent and helping the customer pick up that rental car faster or check in to the hotel at the bar, privacy best practices are driving profit, rather than simply making sure the big, bad regulator doesn’t come knocking.

Of course, that means it takes a far more savvy and strategic privacy officer to recognize those kinds of opportunities for a business. More often than not, Everett is engaging first with a marketing officer, or a chief data officer. Only recently, said Room and Horst, maybe in the last 18 months, has a strategic privacy officer begun to be involved in some of the early conversations around engaging Everett and figuring out new ways to manage customer identity.

“The shift to privacy officer with the budget to start these kinds of projects is happening,” said Room, “but, from my perspective, it’s still early days.”

Photo credit: Playing with the weather 6 via photopin (license)

1 Comment

If you want to comment on this post, you need to login.

  • comment Sheila Dean • Aug 25, 2016
    Oh. Ok, PwC.  It depends on that client doesn't it. 
    Biometric auth for billing authentication is going to get normative consumer push back.  YouTube is a great self-education tool for all types of innovations.
    What if  the consumer doesn't trust you? If bank bosses monitoring your transactions like it's their property and personal anthill, is that trustworthy?  Is it attractive to people who want to retain operative control of anonymity? 
    I think you've got you adjust your market impact for the business basics, like ... adoption and consumer trust. Part of that would kick back to consumer consent contracts.  If PwC doesn't honor Terms of Consent for employees at will, now we know!  Thanks!!
    Presumption and transactional mandates of identity may drive you into   Gartner's showroom of identity curio, but consumers who want privacy won't trust you.  Prospective employees for privacy departments won't trust a over dependence on technocrats. Because most people don't work out of a contracting hive at a bank or an air force base. That's just the way it is.