Securing Consumer Data: The Challenge for OTT Players

For over-the-top (OTT) content providers, the impending rollout of 5G presents an enormous opportunity – one which will only gain pace as viewers increasingly “cut the cord” and switch viewing allegiances from TV to the internet. Faster internet speeds and the ability to access OTT content over any device, at any time and location, will only add to this trend.

The emergence of 5G will also see an evolution in subscriber data management. Already several years ago, regulators identified the security aspects of this issue and raised a red flag accordingly. In response, they began to bring together experts to evaluate the various techniques, technologies, processes and devices to create a data protection framework that would secure subscriber data. One of the key outcomes was the General Data Protection Regulation (GDPR), which came into effect in Europe in May 2018.

To better understand the purpose of regulation vis-a-vis data, let’s delve a little deeper into how personal information is obtained and used by OTTs.

Subscribers interact with their providers’ network by consuming multiple services, whereby the network captures session data related to those interactions. This data represents a critical business asset for OTT programmers and distributors alike, as it enables them to better understand their viewers (i.e. who is watching, as well as when and via which media they are watching it).

The information captured is subsequently combined with additional data, including from third-party sources, and may include information on the viewers’ other interests and characteristics. Together, this is all used by the OTT to improve their services and provide relevant, personalised up-sell opportunities.

In practice, most OTTs already apply a variety of controls to safeguard their consumer data. For example, GDPR requires businesses to protect the personal data, as well as privacy of EU citizens for transactions carried out within EU member states. Yet OTTs have even greater compliance requirements when it comes to data processing activities performed by third-party suppliers, with the application of specific rules of engagement between the two entities (the supplier and the third-party supplier).

Such regulations are of particular concern to OTT executives due to the business and legal risk of non-compliance.

To avoid finding themselves on the wrong side of the law, OTTs who are yet to take action would be well-placed to begin by conducting a “data protection by design” review of their applications and services. In parallel, this should be accompanied by the development and implementation of a mitigation plan for any privacy risks and shortcomings.

Such a plan should comprise a combination of processes, communications and programs, rather than a single-point-in-time solution. To help them, various workshops are available, which provide detailed guidance on how to collect data from a consumer’s different devices using cross-device linking techniques.

Some OTT players are already well on the ball.

But to ensure compliance with all current – and future – regulations, such a proactive approach needs to be taken further. This means extending it all the way to addressing issues of data ownership, privacy and security in OTT distribution agreements. This will be particularly crucial as privacy regulators and advocates increasingly scrutinise online practices to ensure privacy and security of consumer data is appropriately protected.

Overall, such a comprehensive approach to data security is the only way to both securing data as a valuable business asset, and at the same time, mitigating compliance – and reputation – risk.

Vijay Khandelwal is head-customer services unit, APAC, Amdocs. The views expressed above are the author’s own. The Quint neither endorses nor is responsible for the same.