How Southeast Asian retail CIOs can balance customer data and privacy

Throughout Southeast Asia, most businesses have been facing unprecedented challenges due to the COVID-19 pandemic and its financial repercussions for more than one and half years now. Frequent lockdowns across the region and the rise of remote work have placed both traditional retail outlets and food and beverages establishments in a fight for survival. To survive, every brick-and-mortar business is in a rush to make its products and services available online.

Thus, the e-commerce market has grown rapidly in the region. For example, the Southeast Asian e-commerce gross merchandise value is estimated to exceed US$172 billion by 2025. According to an report by Google, Temasek Holdings, and Bain & Company, there was a surge in Southeast Asia’s e-commerce sector in 2020, with some 40 million new users coming online, bringing the total number of regional internet users to about 400 million.

In such a scenario, data is one of the most powerful tools at the hands of the consumer goods industry, to retain and grow their customer base and their revenue by creating improved customer experience to attract consumers and reward loyalty, to optimise supply chains to increase profits and decrease costs, and to open up new revenue models.

Jason Van, CTO of e-commerce company Hoolah, says that effort starts with the registration and identification process when customers first sign up for the product or service. Then, through continued contact with customers, CTOs in the retail sector can gather more layers of data that can help them make filtered and targeted decision analysis on business performance.

Data from retailers (both physical and online) come from many sources, including point-of-sale data, number of customers who visited your stores last week, and your sales conversion rate for a particular store. “Data is always in the centre of the retail sector,” says Angus Luk, CTO of Smart Retail at computer hardware maker Lenovo. How much a company truly knows about its consumers is gained through real data, he said — not by “feel”.

Data and privacy issues in Southeast Asia retail

While the business potential of harnessing customer data is immense, with it comes a great responsibility: data privacy. Breaching data privacy can not only damage a brand’s reputation and in turn its revenues, but also has regulatory consequences.

Breach of personally identifiable information (PII) is becoming a vital issue with strict enforcement of regulations, says Raju Chellam, chairman of the Cloud & Data Standards Technical Committee at Singapore’s IT Standards Committee. The strongest, and perhaps best known, privacy standards are the European Union’s General Data Protection Regulation (GDPR). GDPR mandates that the user’s consent should be valid, freely given, specific, informed, and active.

But Southeast Asia has its own privacy regulations. In 2010, Malaysia initiated the Personal Data Protection Act (PDPA) to protect the PII of individuals for commercial transactions; the law came into force in 2013. The penalty for noncompliance can range from RM100,000 to RM500,000 (US$23,600 to US$118,000) and up to three years of imprisonment. Singapore’s PDPA Act 2012 came into effect in July 2014 and was updated in November 2020. Organisations that breach Singapore’s PDPA regulations may be fined as much as S$1 million (US$735,000) and suffer reputation damage. Thailand’s version of the PDPA is expected to come into force in mid-2022.

“Personally identifiable information is the Holy Grail for any consumer-facing business,” says Gurnoor Singh Dhillon, CEO of e-commerce firm GoToko (a joint venture between the Unilever group and the Gojek group). “This has to be protected at all costs. Most of the time, this data is the currency value of the company’s valuation. Every CIO and CTO should invest heavily in data architecture which can safely store this data with ironclad encryption. At the same time, it is important to invest in data modules which can use PII data as a source for creating different use cases without ever exposing the data via APIs or other solutions.”

How to use customer data effectively

There are two main aspects CTOs need to consider when using customer data for business, says Sujith Rao, managing director of performance-marketing consultancy Reprise Digital: transparency and the data’s application.

“Transparency is key,” Rao tells CIO ASEAN. “It is important for the businesses to demonstrate how they plan to use the data. You will be surprised to see that people are more than willing to share their personal and private data when they feel they are getting value out of it. For instance, mothers often give out their data when it concerns their children, such as to ensure their child gets the best nutrition for their child, or to track their growth and development. However, these very same people will be the first to opt out should they feel they are not getting the value they deserve.”

The next aspect is the company’s application of the data, which goes well beyond just promotion and sales. “The fundamental thing that CTOs and businesses should do is to spend time building use cases, and only then invest in data-collection mechanisms,” Rao says. “Consumers are more and more sophisticated, and now want to know how their life will be benefited by use of their data. By spending time to craft this journey, the privacy of users can also be respected.”

GoToko’s Dhillon says CTOs need to have a modular design thinking for their data architectures. The best practice should be to treat data sets differently and have a hierarchy. Every data signal should be labelled and stored in different data containers as per the purpose of the business. For example, PII is at the top of the hierarchy for privacy and should be stored in heavily encrypted vaults requiring the highest amount of security. However, the audience segments for retargeting or monetisation should be in a separate container module which can be accessed via middleware or analytic queries or external APIs. This approach of use-case-based access can help CTOs maintain the balance between using data and taking care of privacy concerns, he says.

“Leveraging data for business without compromising security begins with security by design and privacy design — and this is something that starts from inception, not put in place as an afterthought,” says Jeffrey Lim, a director at Joyce A. Tan & Partners and chair of the Singapore Law Society’s Cybersecurity and Data Protection Committee. “In practical terms, you need to be clear what the parameters are: What you should be looking out for, where the limitations set by risk and risk appetites are. Let that and advice from your functional leads such as risk and legal be your north star. Once you know that, sandbox your ideas, and test them in the design phase. Be prepared to reiterate. Rinse and repeat.”

With the right strategy, privacy can be a source of business growth, says Purushothama Shenoy, CTO at IBM Singapore. “Businesses need to look beyond compliance and to the role that privacy can play in helping build brand equity and better customer relationships,” he said. To build a strong privacy programme, CTO should consider the following, he says:

1. Assess your personal data landscape to understand where you have data, its risks, and the responsibilities you have towards customers and for regulatory compliance.
2. Protect your personal data using a zero-trust approach to apply appropriate data privacy protection.
3. Respond swiftly to customer requests and compliance requirements with unified data privacy and security workflows and automation.

Similarly, Hoolah’s Van has the following advice for CTOs on how to strike a balance between data and privacy issues:

• CTOs should design and architect their systems around taking what they need to satisfy a known and prescribed data outcome. Only collect data that you need and can use with purpose.
• Encrypt data in transactions and encrypt that data at rest in your systems. Use techniques like creating nonserialised unique user IDs (UUIDs) for consumer details rather than using an email address as an internal system identifier on its own, for example, when transacting between systems.
• Create workflows that break up the data being transferred from one system to another; for example, in a mobile application registration form for a consumer. Doing so prevents all of the consumer’s data being taken in one page and potentially hijacked in the event of an attack.
• Operate on a “need to know” basis in your organisation and with external parties, and give internal and external parties access to data only to those who need it for a defined purpose — remove access to people and systems who don’t need that access and periodically review that access.

“The retail sector has the power to create audience segments and shopper profiles which can be used by different industries for their consumers,” Dhillon says. “The trick is to ensure that you never expose your PII or sensitive information but at the same time be able to offer shoppable awareness modules externally to solve business problems.”