Data, a massive amount of data, seems to be the holy grail in building more sophisticated AI’s, creating human-like chatbots and selling more products. But is more data actually better? With GDPR significantly limiting the way we generate intelligence through collecting personally identifiable data, what is next? How can we create a specific understanding of our customers to exceed their expectations and needs with less data?

Many of us collect anything we can get our hands on from personal information, behavioral data, to “soft” data that one might run through a natural language processing (NLP) program to examine interactions between devices and humans to pull meaning from conversations to drive sales. We believe the more we collect, the more we know. But is that belief true or merely a belief?

Today, there are an estimated 2.7 Zettabytes of data that exists in the digital world, but only 0.5% of this data is analyzed. With all of this data being collected and only a fraction of it being analyzed, it is no wonder that 85% of data science projects fail, according to a recent analysis by Gartner.

Why?

Data science is utterly complex. If you are familiar with the data science hierarchy of needs, AI and machine learning, you know that for a machine to process data and learn on its own, without our constant supervision, it needs massive amounts of quality data. And within that lies a primary question — even if you have an enormous amount of quality data, is it the right data to drive the insights we need to know our customers?

A client of ours shared their dilemma, which might sound familiar to you. They collected all possible data points about their customers, data that was bias-free and clean.

“We know where the user came from, what they bought, how often they used our product, how much was paid, when they returned. Etc. We created clusters within our database, segmented them, overlaid with additional identifiable data about the user, and built our own ML algorithm so we could push the right marketing message and price point to existing and new customers to increase sales volume.”

All this effort and all this data did not lead to increased sales, they still struggled to convert customers. Was their data actionable? Our client assumed that the data available was directly correlated to driving the purchases.  And here lies the dilemma with our assumptions and datasets — we believe the data we collect has something to do with the purchase when in reality the answer is, not always.

Solution?

Humans are “wired up” to use multiple factors to form a buying decision. Those decision are not made in a vacuum. They don’t just happen online, or offline. Each product, service or brand is surrounded by a set of factors or needs by the customer that play a vital role in their decision-making process, which in most cases has nothing or little to do with one’s demographics, lifestyle, price of the product, etc.

This idea is based on the principle of behavioral economics, which explains that multiple factors - cognitive, social, environmental and economic — play a role in one’s decision process and directly correlates to how we decide what to spend our money on and how we choose between competing products/experiences.

All these factors combined allow customers to individually determine if a brand can fulfill their expectations or why they may prefer one brand over another.

Relevance?

Product preference is directly linked to market share in sales volume. An analysis by MASB found a direct linkage between brand preference and market share across 120 brands and 12 categories. So, if the data that is collected does not directly link to preference how can any data model, ML algorithm, or AI be useful in stimulating sales?

Stephen Diorio, from Forbes, argues, “if more executives understood the economics of customer behavior and the financial power of brand preference they would be better armed to work with CMOs to generate better financial performance.” To remain competitive and stop the rat race for more data, many urge that “companies must apply the latest advances in decision science and behavioral economics to ensure that investment in market research and measurement will yield metrics that isolate the most critical drivers of brand preference.”

In the future, collecting data will become more complicated and in some senses, limited by GDPR, CCPA, and other privacy laws worldwide. To get ahead of the curve companies should quickly shift their perspective from gathering data about who, where, when, what and how, to a broader understanding as to why customers prefer what they prefer and what drives those preferences. Understanding your customers from a behavioral economics point of view will deliver superiority over the competition, how to exceed your shoppers’ expectations and how lean their preference in your favor.

Shooting from the hip is easy, because it is fast and sound like you’re making an impact. But do you hit the mark? When you study the ‘art of shooting’ a bit there is a whole lot of practice to it, it takes time and every shot is highly contextual. No soldier goes into battle without a thorough preparation and training. The target, the terrain, the road in and the road out, weather, it all plays a role in hitting the mark. Becoming really good is hard, takes a long time, and ultimately also depends on context. Yet it always beats shooting from the hip.

Every so often I talk to people in the field of Identity and Access Management and within a minute I’m feeling like I’m talking to the trigger happy hip-shooter. I can’t help to think that they’ve never seen a line of code of an IAM solution, never talked to the end-user, never were first responder to an incident or a breach. Because IAM is hard, complex and highly contextual. Yet it seems so simple to the outsider. Because it’s about logging in, and how hard can that be, right? Everyone logs in, sometimes hundreds of times per day. Sometimes without even realizing it (through SSO solutions for example).

For Identity and Access Management you need to be able to combine competencies and skills that you rarely need to combine in another area of expertise.

• The conversation with the business and executives needs to be simple yet clear. The complexities of IAM need to be hidden because these will not be understood and will obfuscate any real question to business or decision by business. In these conversations the IAM expert needs to put himself in the shoes of either the user (logging in, how hard can it be) or in the shoes of the stakeholder (the project manager of a large IT project, requiring proper access and changes to authorizations, in time). One can mention technology, but always from a use or management perspective.
• Talking to the CISO and the security team it’s about risks, threats and vulnerabilities. And how IAM can aide in reducing the attack surface, reducing the issued permissions to a need-to-have, preventing segregation of duty conflicts and also monitoring actual use through user behaviour analytics. Often this conversation also includes audit and audit-ability of the IAM processes and solutions that are in place. These conversations involve the risk managers and internal auditors. Technical detail can be part of the conversation, but always from a risk and security angle.
• Engaging with architects and policy makers can be a challenge since it requires a more conceptual approach to technology and IAM services. One should not immediately look at the applicability of what is discussed here, but much more on a longer term of what is required and desirable. Since these discussions are also about the guidelines and architectural boundaries that are defined it can feel a bit restrictive. Yet when understood properly as an IAM expert you can influence the architectural conditions in a way that benefits the service now and in the future. In addition architects require a broad approach and (should) see IAM in the context of enterprise or IT architecture as well.
• The conversations with colleagues in the IAM department itself are more detailed. Be it with operational support processing requests and providing customer support, product owners, engineers (devops), service owners, customer representatives or managers. These are the internal conversations where the functional conversation and the technical conversation merge with the customer perspective on IAM and the management perspective on IAM. Here the IAM experts do not only need to understand what services they deliver and how technological solutions enable them, but especially how the people work together and what the ‘dot on the horizon’ is for everyone. Since most colleagues in an IAM department have deep expertise and knowledge it is essential to engage with them from a single starting point that combines all perspectives on IAM. (for this we’ve created in Rabobank four perspectives on employee IAM that are leading for everything we do)
• Talking to vendors of IAM solutions it’s about technology, integration and benefits for the organization. Not all vendors are open to discussing a functional perspective on IAM first, but the good ones are. They understand that their technology serves a functional and business purpose and that without it the technology itself is just expensive and not usefull. As an IAM expert you need to know your technology but also be skilled in vendor management, discussing potential solutions not only based on a successful POC but also based on long term maintenance effort, integration with legacy environments, efforts of upgrades and the (always lurking) risk of takeovers. Some products ceased to exist after the vendor was taken over by another vendor with a different focus.

And I can imagine that I’m forgetting some of the conversations that are taking place with Identity and Access Management as a topic.

Is it possible that this is one person? It is highly likely that it is not. When dealing with IAM the range and spread of skills and competencies is so wide that you need a team. Therefore for IAM I come back to the same statement that was also made for digital: digital success depends on peole (not on technology). It’s almost as if I hear Richard Branson speaking ‘take care of your employees, they will take care of your …’. With a solid team that has the right skills combined and is able to work together you can fire the perfect shot. A team takes time to built, and the temptation is present to quickly shoot from the hip. But I would urge you to start slow in order to go fast later. Focus on the people and the team, and they will move IAM forward.

Guest Author: Vinny Lingham, CEO, Civic Technologies

Bitcoin. Blockchain. Crypto. Decentralization. Tokens. A lot of buzzwords have emerged alongside the rise of blockchain technology. Yet, there is often a lack of context about what those terms actually mean and the impact they will have.

Decentralized identity re-envisions the way people share access, control, and share their personal information. It gives people power back over their identity.

Current identity challenges all tie back to the way we collect and store data. The world has evolved from floppy disks to the Cloud, but now, every single time that data is collected, processed, or stored, security and privacy concerns emerge. With the rise of the digital economy, consumers have unintentionally turned banks, governments, and stores into identity management organizations, responsible for the storage and protection of an unprecedented amount of personal data. Unfortunately, as recent hacks have shown, not all of them were ready to deal with this new role.

Decentralized identity puts that power and responsibility back in the hands of the individual, giving them the ability to control and protection their own personal information. This concept is made possible by the decentralized nature of blockchain and the trust created by consensus algorithms.

How Blockchain Creates Trust

The most prominent blockchain application to date is Bitcoin, a technology that emerged following the U.S. financial crisis of 2008 when trust in institutions was at an all-time low. Blockchain technology, specifically the public blockchain, has several unique characteristics that solve problems of trust and make it a great fit for identity solutions.

First, blockchain is immutable, or unchangeable. Blockchain transactions are processed by a network. Computers work together to confirm a transaction, and every computer in the network must eventually confirm every transaction in the chain. These transactions are processed in blocks, and each block is linked to the preceding block. This structure makes it reasonably impossible to go back and alter a transaction. Additionally, blockchain is transparent. Every computer in the network has a record of every transaction that occurred.

Decentralization is the essence of blockchain: no one party control the data, so there is no single point of failure or someone who can override a transaction. Second, it is reasonably impossible to alter blockchain transactions. And this is how blockchain builds trust: when data cannot be modified and is independently verifiable, it can be trusted.

How Blockchain Helps Decentralized Identity

Currently, there is a presumption that knowledge of information is identity. If a person knows a social security number or password, they are presumed to be the person who that information represents. And if a person knows your personal information, they can impersonate you.

Using blockchain technology to decentralize identity is about digital validation and keys. For example, a digital wallet with cryptographic keys that cannot be recreated. You must have physical access to a device to validate identity. With a decentralized identity system, a remote hacker might have access to pieces of personal information but being able to prove an actual identity would require physical possession of that person’s device. Decentralized identity is literally putting the power back in the hands of the people.

Why It Matters

In 2017, Equifax became one of the worst data breaches in corporate history, exposing personal information of over 147 million people, including Social Security numbers, dates of birth, home addresses, driver’s license numbers, and credit card numbers.

In 2018, the Cambridge Analytica scandal about user data misuse has continued to unfold, as the F.B.I and Justice Department are investigating Facebook for failing to safeguard 87 million user profiles.

Equifax and Cambridge Analytica are two prime examples of how current systems for sharing and storing personal information have proven to be not as safe, secure, or trustworthy as previously thought.

And everyone feels this impact.

Governments are implementing more stringent laws and regulations for consumer protection. In May, the General Data Protection Regulation (GDPR), a standard for data collection and storage, went into effect. In July, California passed the California Consumer Protection Act enacting similar standards. And this is probably the first in a wave of consumer protection and privacy policies that will come to life.

Consumers are concerned as well. In a recent Deloitte study, 81 percent of U.S. respondents feel they have lost control over the way their personal data are collected and used. 

The ability to prove you are who you say you are is critical to engaging with the world and being a part of the economy. Decentralized identity gives that control back to people. 

Get to know more about Blockchain and listen to my Keynote "Practical Examples of Decentralized ID's in the Real World" at the Consumer Identity World USA in Seattle in September.

For a deep dive into the Blockchain topic please find the following blog posts:

• Blockchain for Identity – Myth or Potential?

• Blockchain Identity – Success Factors and Challenges

Cybersecurity needs to be at the heart of the digital transformation, but organisational models will have to evolve

Cybersecurity is in the process of becoming an essential component of any organisation’s digital transformation journey. There is no way around this, especially as policymakers start dipping their toes into privacy and security issues, and societal norms are shifting on the topic.
Most new technology layers enabling the digital transformation need to be protected from interference, intrusion, or corruption. This is especially the case across industry sectors seeking to take advantage of the enormous opportunities offered by driverless vehicles and the logistics sector – amongst others - could be unrecognizable in ten years’ time.

New technologies will also generate and feed on massive amounts of data - most of it sensitive or private - that will need to be collected, processed, and safeguarded in a way that is both sensible and ethical. The concepts of security by design and of privacy by design will inevitably become any organisation’s best allies in its innovative endeavours and must be taken seriously by all digital transformation players, especially as the regulatory and social contexts become harder to navigate.
There is no doubt – in our opinion – that organisations which put information security and privacy at the heart of their digital transformation from the start could obtain a real competitive advantage in the mid-to-long run.

As a matter of fact, the recent launch of the General Data Protection Regulation (GDPR) in the EU is changing dramatically the incentives landscape for all businesses active in Europe. In addition to the fines of 4% of the global turnover, firms are now required to report any relevant data breach to the regulator within 72 hours. This will require capabilities of detection, analysis and reaction, which go far beyond the scope of the security teams and will force many corporate stakeholders to work together on those matters (security, IT, legal, DPO teams, senior management etc…). As such, the GDPR could be a painful lesson as to why cybersecurity is necessarily a transversal matter for organisations of all sizes.
Finally, and perhaps most importantly, respect for privacy and the protection of personal data is likely to become a true competitive advantage as our societies become increasingly warry of these issues.

This shift is well illustrated by the first complaints filed under the GDPR framework. Privacy activists such as Max Schrems or the French Quadrature du Net, for example, have already started to drag high-profile tech companies (Facebook, Google, Instagram, etc…) into what could become lengthy legal proceedings. Depending on how the regulators react, this could have deep implications on how data-driven businesses are to operate in Europe.

Increasingly, security and privacy become intertwined, but it makes little sense from a corporate governance perspective to allow a new privacy organisation under a DPO to grow in parallel to – or in conflict with – existing security structures. Synergies are obvious and need to be leveraged, and where security practices are deemed dysfunctional or in need of improvement, this could provide an ideal opportunity.

In fact, it could be the start of a major evolution around corporate perceptions of security and privacy, from burden, annoyance and costs, towards becoming central management functions. But organisational models will have to evolve as a result to accommodate the truly transversal nature of security and privacy matters and carve out a niche for those new corporate functions.

At this junction, the traditional role of the CISO – heavily influenced by a technical bias, tactically-oriented and project-driven in many firms – could become exposed.
Not in its functional existence – IT security is more essential than ever – but in its corporate prominence. Having failed to project their roles beyond the tactical and technical fields for the best part of the last decade, many CISOs could find themselves pushed down the organisation while CSO and DPO roles take centre stage at the top.

With those new roles should come new people and a new focus, and probably a different way to approach security matters and talk about them.

We could be at the start of an exciting decade for all security professionals.

Learn more about this topic in my session at the Cybersecurity Leadership Summit 2018 Europe, November 12-14, 2018 in Berlin.

*** Please note this is a guest blog post and does not necessarily represent the opinion of KuppingerCole ***

Guest Author: Jordan L. Fischer, Esq., Co-Founder & Managing Partner of XPAN Law Group, LLC

Technology is changing rapidly, correlating in an increasing amount of data collected every second.  These technologies cross-borders and allow businesses to operate on a global scale, at a rate never before seen.  However, the corresponding legal infrastructures operate with borders -- hard borders -- that make the exchange of data, both internally and externally, complicated and challenging. 

In the last two years, new data protection regulations have gone into effect in a number of different regions:  Japan, China, Australia, and most recently (and with the largest “bang”), the European Union.  Each of these regulations imposed  nuanced requirements on companies, often asserting data localization requirements, implementing the principle of transparency and including consent initiatives when these organizations collect and process data. Most importantly, companies need to proactively be aware of the implications of the technology they use and the data they collect which depending on the regions in which they operate.  

This changing legal landscape is no more apparent than in the European Union (EU), with the General Data Protection Regulation (GDPR).  The GDPR imposes a number of proactive privacy measures on entities, both within the EU and outside of the EU, that are poised to drastically change the way businesses maintain and exchange data from within the EU.  At its core, the GDPR asserts data privacy and security principles on companies.  The GDPR does not discriminate depending on the industry or the size of the organization.  It universally and equally requires  data minimization, data localization, transparency, and accountability by all organizations.  The GDPR empowers data subjects to take control of the data collected by companies about them, and to require that those companies to account for all processing of that data, and all third-parties who have access to that data.

The “GDPR model” is becoming the de facto standard.  Canadian data protection laws are changing this fall, bringing them more in line with the the GDPR.  Even individual states are moving more towards providing similar data protections as the GDPR:  California is in the midst of a debate of how much control to give data subjects regarding their data.  What started as a potential ballot to be included in the fall elections has now become a bill in the California state legislature and appears to provide similar data protections as many of these international regulations.     

These varying principles of data privacy and cybersecurity converge when organizations exchange, transfer and process sensitive information across borders and, as such, implicate a number of different regulations. Take for example the growing prevalence of cloud storage, with companies opting to store data and systems off premise, in a data center located in a specific location, or in multiple data centers. Either option directly correlates with a legal obligation and potential ramifications for regulatory compliance and contractual agreements.

When addressing cross-border data management, companies should take key steps in order to better understand any legal obligations or liabilities, before an issue arises.  The first step is knowledge:  What data is collected? What is done with that data? Where is that data stored? These regulations increase the power of the data subject, which dovetails into a burden on companies to provide the necessary transparency, both prior to and after the collection of data.  In order to provide accurate information to meet these obligations companies need to know, before collecting the data, what it intends to do with that data.      

Second, a company needs to know who has access to that data.  This is both internal access -- a company’s own employees-- and external access -- third-parties or partners.  Understanding the “who” is involved in a “data transaction” is key to ensuring security along that entire chain and providing the necessary transparency to the data subject.  The use of processors and sub-processors is common -- but, companies need to ensure that each party involved understands its obligations and adequately protects and secures the data.

Third, a company needs to understand the data lifecycle: how long is the data needed? What happens when we no longer need the data? Data storage is expensive, especially if additional security measures are needed such as encryption or redundancy.  Often, companies are not even aware of all of the “old” data that it maintains -- old data that is no longer useful but remains a liability in the event of a breach.  Creating “house cleaning” policies (i.e. data destruction and retention policies) is key to decreasing costs and potential legal ramifications.

Ultimately, companies need to understand this convergence of domestic and international data obligations and its effect on creating efficient and secure data management practices in order to meet the needs of the business.  Technology and data is like a spiderweb within an organization -- it impacts a number of different business units, and requires a holistic approach.  Taking key steps early-on in the data collection process can drastically minimize long term costs and liabilities. 

Learn more about this topic in my session at the Consumer Identity World September 19-21, 2018 in Seattle.

* * * * *
Nothing contained in this blog post should be construed as creating an attorney-client relationship or providing legal advice of any kind.  If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.

Identity isn't hard when you don't always use it. For example, here in the natural world we are anonymous—literally, nameless—in most of our public life, and this is a handy thing. Think about it: none of us walks down the street wearing a name badge, and it would be strange to do so. A feature of civilization is not needing to know everyone's name, or details about their lives, and to give others information about ourselves on a need-to-know basis.

To be anonymous, however, does not mean to lack distinction. In fact to be human is to be distinctive: designed by nature to look and sound different than other people, so we can tell each other apart. We also add to our distinctions through clothing, jewelry, haircuts, mannerisms and body art. Our souls are also profoundly original in ways that transcend our genetic portfolio. For example, television star Laverne Cox has an identical twin brother. So does transgender activist Nicole Maines. Being distinctive helps relieve us of the need to disclose our names all the time, because in most cases all we need is to be recognizable, or familiar, not identified by name. This too is a grace of civilization.

Our identities are also profoundly personal, and often complex. We start with the names given to us by our parents or our tribe. After that we add abbreviations and nickames, which have conditional uses and conventions. For example, my father was named Allen, but most people called him Al. He and my mother, who was named Eleanor and sometimes went by El, named me David Allen. Mostly they called me Dave. My son Peter's middle name is also Allen, and that's the name he mostly goes by, while family members call him Pete. When I worked in radio, somebody called my on-air persona "Doctor Dave." Then, after I started a business with a one of my listeners whose name was also David (and who didn't like being called Dave), he and our co-workers called me Doc to avoid confusion. As my social network expanded through our growing business, the nickname stuck, and I've been mostly called Doc ever since. (By the way, years after we went into business, I found out David's first name was Paul. David was his middle name. Nobody, even in his family, called him Paul.)

Everything I just described falls under the heading Devon Loffreto was the first to call self-sovereign identity: the kind fundamentally under the control of a single (or sovereign) individual. All the systems by which organizations give us identifiers he calls administrative.

From their start, administrative identity systems have had a hard time coping with the simple fact that identifiers are optional among human beings having human interactions in the natural world, that our default state within those interactions is to be anonymous yet distinctive—and that we especially value anonymity. Proof of how much we value anonymity is the exception to it we call celebrity. Ask any famous person about the cost of their fame and they'll tell you it's anonymity. The bargain is Faustian: while there are many benefits to celebrity, it is also a curse to be recognized by everyone everywhere, and known by name.

The world's administrative systems have little use for anonymity. After all, they require identifiers for people, so they can know who they are serving, arresting, or sending messages. Knowing people by name has many advantages for administrative systems, but also presents problems in the networked world for both those systems and human beings. Requiring "an ID" for every person puts operational and cognitive overhead on both sides. In the natural world, a boundless variety of business interactions only require that the business know who they encounter is human, trustworthy, and worth the time and effort.

In the networked world, however, we are still stuck with systems comprised of “identity providers” and “relying parties” that reduce individuals to mere “users” burdened with logins and passwords—or convenienced by the Faustian bargain of "federated" identities that let them login with Facebook, Linkedin or Twitter. In these systems, who we are as individuals is secondary to the needs of identity providers and relying parties and the transactions their systems perform, most of which eliminate anonymity. This is dehumanizing. Even the GDPR, which was created to cause respect for personal privacy, and to protect it, reduces us in compliance considerations to mere “data subjects”: a label that is barely less demeaning than “user” and “consumer.”

While these systems are digital, their legacy designs are industrial: top-down and one-to-many. They also grew into their current forms within the architecture of the client-server Web, rather than atop the peer-to-peer (aka end-to-end) Internet beneath the Web (and everything else). This made sense in the early days of dial-up and asymmetrical provisioning of bandwidth, but is a stale legacy in a time when everyone has ample bandwidth in both directions, most commonly on a mobile device that works as an extension of one's body and mind.

In today's networked world, we need approaches to identity that start with human agency, and are modeled on the way each of us operates in the natural world. We should be able to disclose and express our distinctions, choices, requirements and existing relationships with ease—and with anonymity as the defaulted social state until we decide otherwise.

These are the base requirements addressed by many of today's pioneering self-sovereign identity systems and approaches. Here's the key thing to bear in mind: while self-sovereign identity needs to work with existing administrative identity systems, self-sovereign identity cannot be fully understood or explained in terms of those systems—any more than personal computing can be explained in terms of a mainframe, or the distributed Internet can be explained in terms of a centralized LAN.
When each of us has full control of our naturally self-sovereign identity in the networked world, there is no limit to what we can do—while the limits of administrative systems are painfully apparent. (Example: logins and passwords, which everyone hates.)

This doesn't mean, by the way, that we should throw out the great work that has been done with administrative systems, especially those that have obeyed Kim Cameron's Seven Laws of Identity, which he first wrote in 2004. Here they are:

1.    User control and consent
2.    Minimum disclosure for a constrained use
3.    Justifiable parties
4.    Directed identity
5.    Pluralism of operators and technologies
6.    Human integration
7.    Persistent experience across contexts

Today those laws apply to both self-sovereign and administrative identity, and remain an especially helpful guide if we change the first word in that list from “User” to “Personal.”
The time has come to humanize identity in the networked world by making it as personal as it has been all along in the natural one. We can also make progress a lot faster if veterans of administrative systems try to understand self-sovereign approaches from the perspective of how they, as naturally sovereign human beings, choose to be known.

Guest post by Christian Goy, Co-founder and Managing Director of Behavioral Science Lab

In the future, marketing will be driven neither by demographics, on- or off-line behavioral identifiers or psychographics, but by understanding and fulfilling the individual utility expectations of the consumer.

Mitch Joel captures this view of future marketing by concluding, “If the past decade was about developing content and engagement strategies in social channels (in order to provide value, humanize the brand, be present in search engines and more), the next decade will be about the brands that can actually create a level of utility for the consumer.” 

No one disputes that a persuasive marketing message or social media campaign drives web traffic. However, if your brand does not deliver utility, it will not be purchased. Consumers do not love brands because of their brilliant ad campaigns or funny videos on Facebook. Consumers love brands that create utility or true value for themselves; this is what creates affinity between the consumer and the brand, not just the brand attributes. Utility is what consumers believe they cannot live without.

Utility is the heart of behavioral economics. The utility of each product or service is determined by a very specific set of psychological and economic elements, which determine how the consumer determines the expected value (utility) of each brand. Relative differences in expected utility associated with each choice option determines how much consumers will pay, what they purchase and how loyal they expect to be. Interestingly, we are learning that the economic and psychological factors that determine utility and purchase have little or nothing to with the buyer’s demographics or psychographics.

In none of our studies did demographic or psychographic segmentation explain why consumers switch or remain loyal to a brand. However, when consumers were typed by their utility expectation for individual brands, our clients were able to predict with extreme accuracy whether the consumer would stay loyal, switch away from their brand, and more importantly, why.

Knowing the expectation of utility explains why Instacart — an app that lets shoppers buy all their groceries online from any grocery store and have them delivered to their doorstep — became an instant hit for a small, but important, percentage of US shoppers.

Old line marketers assumed that a certain percentage of US shoppers with relatively high household income and education, who were environmentally savvy and attracted to organic produce would remain loyal Whole Foods or Trader Joe’s shoppers. What they didn’t understand was that the utility for those shoppers was not driven by their demographics or psychographics, but by what they were looking for — convenience, ease of shopping and minimal shopping time which could not be fulfilled by either Whole Foods or Trader Joe’s.

What is next for marketing?

To remain effective, marketing must move beyond traditional segmentation, psychographics, and message development strategies. Marketers should first understand what drives true utility for their consumers — what consumers value, what they can or cannot live without. As some are already doing, marketers will create personalized messages that maximize individual utility expectations requirements by:

Deeply understanding what drives the expectation of the utility of their products — These are the psychological and economic decision elements used by the buyer to define utility.

Defining buyers by their utility expectation — Group buyers on the basis of a similar utility expectation. This allows marketers to be more cost-efficient and effective in their messaging and product offerings because the specific needs of their customers will be met.

Creating products and services that address consumers’ psychological and economic needs — Do not just focus on the product. Understand how the consumer defines utility, and then deliver on it. In our studies, we have found that by only addressing and fulfilling the primary driver in consumers’ utility “equation,” the likelihood of purchase is very high. Just imagine how much greater the likelihood of purchase could be if the second and third drivers were addressed as well.

Product and service utility are the future of effective marketing. Start today with an understanding how your consumers arrive at their utility expectation to stay ahead of the game. 

Learn more about in my session at the Consumer Identity World from November 27-29, 2017 in Paris.

Guest post by Tim Maiorino, Counsel of Osborne Clarke

The newest EU legislation on data protection is the General Data Protection Regulation (GDPR) which will be enforceable from May 26^th 2018. It will bring several important changes, altering the requirements of data protection law in the European Union.

The GDPR will replace the EU-Directive on Data Protection and, by extension, all transposing national regulation. The GDPR´s objective is to harmonise data protection legislation across the EU and to “protect the fundamental rights of natural persons to the protection of their personal data”, while promoting free movement of data within the EU.

An examination of the GDPR and its rules is inevitable for any business involving personal information, as it provides a uniform standard for data protection throughout the EU and is directly applicable in all member states. Content-wise, German law has served as a role model to the GDPR. Although it replaces most of the current data protection laws across the EU, the changes – though far-reaching – do not override the fundamental principles of the current regime. Rather, it preserves the basic principles while implementing stricter and more extensive rules.

The most significant changes regard the scope and applicability, data governance and allocation of responsibilities, data subjects´ rights (facilitation and expansion), and sanctions, which include heavy fines. The fines in case of non-compliance may be up to EUR 20 Mio. or 4 % of your worldwide turnover within the previous financial year.

Therefore, further action is required by businesses regarding the handling of personal data.

1. Interacting with Data Subjects

The GDPR establishes detailed requirements for both internal and external facing processes and policies, which can be divided into several steps.

Firstly, the internal processes should be identified and any possible information on the future use of personal data gathered.

Secondly, current policies and any external measures taken or information given with regard to the collection and use of personal data should be identified. You should be aware in which circumstances and at what point data is collected and what information the data subject is given on the use of their data. It is also necessary to identify the method used to obtain the data subjects consent, where applicable, and what channels are used by data subjects to file access requests.

Hereafter, discrepancies between internal and external processes can be recognised. It is essential to validate that the external facing policies match the internal processes and actual use of data. Controllers thus need be aware what the data subject (which includes staff, if their data is concerned) is told about how their data is used. When all internal and external processes and policies are known, they can be updated to comply with the detailed requirements in the GDPR. Only if you know your policies and processes, you will be able to ascertain the necessary steps to meet the extended requirements and to provide guidance and training to your representatives and staff.

2. Managing Compliance

You might now consider this more trouble than it´s worth, but there are several ways to facilitate compliance with the GDPR.

For example, there is the option (and sometimes obligation) to appoint a Data Protection Officer who will, amongst others, monitor and work towards compliance with the GDPR. The contact details of the Data Protection Officer should be published and provided to the Data Protection Authorities.

Any data controller should undertake impact assessments and privacy by design as required. All existing processing operations should be identified and current record-keeping arrangements reviewed.

With regard to external policies, controllers have the possibility to use industry codes, which may provide an orientation for handling certain situations to their employees. Also, for reasons of facilitation, using templates for external notifications in case of data breaches may be helpful.

3. Processors and Transfers

Generally, where data is used, it will also be transferred to third parties or processors. As this is regulated by the GDPR, controllers should be aware of and map their (international) data flow.

As requirements for data transfers change, standard form contracts and addenda need to be updated and / or prepared. Also, updates of procurement processes are required and procurement and IT-teams need to be trained accordingly to identify potential issues. Moreover, it is always advisable for customers and suppliers to work together to address changes and potential issues as well as conduct customer and supplier audits to safeguard both parties´ interests.

Although, essentially, it evolves the current data protection law, the GDPR brings several important changes to the obligations of data controllers and processors and to the corresponding rights of the data subjects.

4. Conclusion

Hence, not only is data protection and the requirements it sets our for business dealing with any type of personal information lifted to a significantly higher (meaning: more detailed, stricter and even more complex) level. The prominence of the GDRP brings significantly more attention to the topic and potential breaches are sanctioned more strictly than ever before.

Guest post by Christian Goy, Co-founder and Managing Director of Behavioral Science Lab

The world of customer journeys is a terrible mess. The linear path to purchase does not exist. “Predictable shopping patterns, once so fundamental to marketing and advertising strategy, have gone by the wayside. Persona- and demography driven strategies now fall short – the winners in this new era are the brand and retailers who’ve put a plan in place to meet actual shoppers anywhere along their path to purchase,” says BazaarVoice.

Even though marketers claim to understand, use and predict consumers’ shopping patterns with (1) web and mobile analytics, (2) social analytics, (3) media analytics, (4) customer journey analytics, or (5) voice of the customer analytics, most marketers still do not know why buyers bought their brand or their competitors’. 

Take Jessica for example.  She is looking for a new tote – “a gift for herself,” she would argue. She needs something bigger for her personal items, as well as what her kids need. She wants something that can help her stay organized, is durable, practical and looks good.

She starts her journey on Google search; moves quickly to Pinterest, Instagram, and then reviews a few products sites that sell the bag for which she is looking. Two items look promising. She reads a couple of customer reviews and a week later looks for them in her favorite department store. Unfortunately, the store does not carry either of the two products which were at the top of her list. So she goes back online and finds a retailer’s web site that shows a real person holding the tote she wants and photos of the bag being used to carry diapers. She can tell from the pictures that it will work well for her, and she buys the tote. According to BazzarVoice that journey lasted thirteen days.

The problem is not a lack of understanding touch-points, channels used, time between channels and so forth, but rather a lack of understanding as to why Jessica chose the product she did. Current tools can do an incredible job aggregating the bits and pieces of what a person did — but not why. If marketers don’t understand why people choose a certain product, the path to purchase will always be of secondary value because it is only the means to an end, and not the factors that motivated its use in the first place. Without this basic knowledge, marketers can never put a strategy in place that delivers on what customers truly want, but only how they “get there.”

How Do We Solve That?

Human thinking is complex and trying to fit their behavior, which often appears irrational, is difficult.  The reason Jennifer is using so many channels to gather information is to find a product, which can fulfill the utility she expects from her new tote.

This idea of expected utility or value is at the heart of behavioral economics.  It assumes that the value of each product or service is determined by a very specific set of psychological and economic elements, which play a role in the buyer’s expectation of its value.  The relative value of purchase options determines how much we pay for something and how we decide what to buy.

In Jennifer’s case, we might assume she is looking for a tote bag that has certain attributes such as size which allow it to perform certain functions (economic), a price she can afford (economic), compliments her look (psychological), and perhaps, creates recognition of her shopping savvy among her friends (psychological).  Not only does she put these elements in a certain order, each element is surrounded by a set of decision heuristics (rules of thumb she has developed for herself) that Jennifer uses to evaluate which bag maximizes her expectation of utility.

How Do Marketers Create Utility?

To convince the Jessica’s of the world that you have the perfect tote for her; marketers need to first learn what drives utility and then deliver on those elements. Here are some simple, but important next steps to accomplish that:

Deeply understand what drives the expectation of your products’ utility — These are the psychological and economic decision elements used by the buyer to define utility.

Define buyers by how they make purchase decisions — Group buyers into segments with similar decision elements. This will allow the marketers to be more effective and specific in their messaging and product offering because your customers’ specific needs will be addressed. Jessica’s decision type would have started with functionality, then price, style, size, and so on.  

Create specific communications and channels to address buyers’ psychological and economic needs — Show the potential functionality buyer that one path is easier and more efficient than any other.  This adds value to the search process, rather than just adding to the “work” required to find the “right” product.  Fulfilling specific decision requirements through specific and individualized communication channels is the key.  We have found in our studies that if you are able to only address and fulfill the primary driver in a buyer’s decision system, the likelihood of purchase is very high.  Just imagine the likelihood of purchase if you could address the second and third drivers, as well.

Do not forget, the path to purchase starts in the buyer’s head; marketers should start there to understand how to sell more effectively.

Thanks to Dr. Tim Gohmann, Behavioral Science Lab Chief Science Officer and Ron Mundy, Chief Operations Officer for contributions to this publication.