Why Data Privacy Should Be Your Company’s Top Priority


Gibu Mathew, VP & GM APAC, Zoho Corp.

Concerns over data privacy will impact software solutions in 2021, and here’s why businesses should prioritise data privacy both on their own platforms and in solutions managed by vendors.

Privacy regulations are on the rise globally

Following the passing of the General Data Protection Regulation (GDPR) in the EU, we have seen versions of the Personal Data Protection Act (PDPA) coming into force in Singapore, Malaysia and Thailand. In Indonesia and the Philippines, personal data is comprehensively covered by various personal data and privacy laws. Privacy regulation is definitely on the rise. Developers not only need to be concerned about users’ privacy in their own applications; they also need to be cognizant of the privacy policies of the services they integrate with and share information with. Apple, for its part, rolled out a new iOS 14 privacy feature for the iPhone and iPad in early 2021 that requires developers to ask users for permission to track them and collect their data on websites and mobile apps. Increased regulation will change the types of applications developers look to build in the coming year.

Additionally, remote working increases data privacy and security risks, especially in highly regulated industries. Data access controls and authentication forms will play a critical part in mitigating these risks.  

Increased consumer awareness of surveillance practices

For many tech companies, user data is a key source of revenue. Nowhere is this truer than with companies that offer their products for “free.” Free is never really free—at least not online—since these companies actually depend on advertising revenue to prop up their bottom lines. Increasingly, savvy consumers are now scrutinising cookie policies on websites; Google’s proposed browser tracking, known as Federated Learning of Cohorts (FLoC), was broached as more consumers reject cookies.

Derivatives of business actions are creating privacy issues

You’ve probably heard: “If you’re not paying for it, you are the product.” Businesses driven by an online advertising model have stretched this maxim even further: “If you’re not paying for it, you, your friends, and your family are the products.” Many leading technology companies relentlessly monitor the actions, clicks, and conversations of their users with the primary motive of uncovering personal habits and interests. This data is neatly pressed into “actionable market segments”, packaged and sold off to the highest-bidding advertisers, so that they may target their messages to the consumers likely to buy. User tracking to serve ads has turned into adjunct surveillance, a term we use at Zoho when companies collect data without consumer knowledge. This trend started with B2C services, but it’s alarming to see it has carried over to the B2B world, especially given how essential SaaS solutions are for working remotely during the pandemic. According to our global survey, 62% of companies don’t inform customers that they allow tracking code from third-party services on their websites, despite the majority claiming to have well-defined consumer data privacy policies that are strictly applied. At Zoho, our solutions do not use any third-party cookies and run on our own private clouds, and hence do not leak even usage data to public cloud providers.

What does this mean for businesses?

Increasingly, regulators are waking up and taking action. Governments in Europe, India and elsewhere are demanding change since they understand that many of today’s tech-business models depend on the violation of consumer privacy. The EU’s GDPR and the PDPA in Singapore are, among many, some examples of regulatory responses.

Increasingly, the burden of protecting consumer privacy is falling back onto the shoulders of businesses. Companies must now make consumer privacy their responsibility, not just because governments are forcing them to, but because it’s the right thing to do for their customers and therefore for themselves.

You might be asking: How can your company make privacy a core responsibility?

The first step is to examine your processes for data collection. Adopt a policy of asking for the least amount of user information, gathering only what is needed to do business. For example, if you only need a customer’s email to conduct a transaction, don’t also ask for their home address, telephone number, and date of birth.

Next, if you do collect customer information, let them know what you have on them. Most people are shocked when they uncover the amount of information social media and other companies have gathered about them. Be open and transparent with customers so there are no surprises down the road.

Companies shouldn’t treat data privacy regulation, like GDPR, as a cost of doing business as though it were some burdensome audit process they must comply with.

Here’s an analogy. In the past, a company facing new environmental regulations in one region would simply move its operations, or waste, to another region with weaker regulations and trash the environment there. Such practices are no longer acceptable: today’s savvy consumers simply won’t stand for it. Similarly, companies that skimp on privacy protections—or honor them only where they’re mandated—are destined to be shunned in the long run. We live in a global economy where privacy is not a first world prerogative. Here are some key steps for companies seeking to prioritise privacy:

  1. It’s time to rewrite your privacy policies. Today, most are written by lawyers with the intent to obfuscate and confuse. Consequently, most consumers just click the “agree” button without even knowing what they have haplessly agreed to. Don’t be the company with that privacy policy.

  2. Make your policy so plain and simple that even a 5th-grader will know what data you’re collecting. Who knows? It might actually be a 5th-grader that is your user today, and possible patron tomorrow.

  3. Examine the privacy policies of your key vendors; your data is only as secure as the weakest link/vendor.

  4. Finally, if your business is ever breached, tell your users right away that their data has been compromised. Consumers today tend to find this out in the press. Your users deserve to know the truth, and they deserve to hear it directly from you, not from their newsfeed.

An approach to privacy stems from a corporate moral footing. When it’s a reaction to regulation, it will always fall short. Consumers are demanding full accountability and, increasingly, will reward those companies that make data privacy a central tenet of their business strategy.

What should you look for in a technology provider?

With more businesses turning to SaaS vendors for business solutions, it is important to ensure that your vendor values the privacy of your business data. At Zoho, protecting user privacy has always been part of our DNA since the company was formed 25 years ago. Zoho will never sell user data or drive ads by tracking user data. Zoho is able to make this promise as the company fully owns all core aspects of our technology stack, and does not run on public clouds. This ensures that third parties will not be able to track users’ behaviour or have any access to customers’ data.