By Dan Webber, Faculty, Master’s in Public Relations & Corporate Communications. This story was originally published on Edelman Digital.
Acting on privacy concerns is a necessity in today’s world. For the past few years, the technology sector has been the most trusted by the informed elite and public overall but, in 2018, trust in technology showed a decrease worldwide. This fact is directly linked to the questions surrounding the use of consumer trend data and even personally identifiable information (PII). The most recent Edelman Trust Barometer shows that safeguarding privacy is a top trust-building mandate. Furthermore, in markets with extreme trust losses in the past year, protecting consumers and their privacy must be priorities in order to regain trust.
Concerns tied to how companies and organizations use the breadth of consumer data collected online are nothing new, but lately, privacy has been thrust into the spotlight. Current events, including the fallout around Cambridge Analytica, have created a new level of anxiety for business, the media and consumers. As a result, data privacy and security have become top regulatory priorities, as evidenced by the European Commission’s General Data Protection Regulation (GDPR) and a pending ballot initiative in California (California Consumer Privacy Act of 2018).
Unfortunately, many marketers and communicators wait too long to bring their respective privacy offices or outside privacy counsel into the strategic planning process–a key to abating privacy issues. Following numerous conversations with several privacy officers across a variety of industries, nearly all expressed some concern they are not as informed as they should be about communications programs that involve PII. Marketers are often quick to utilize and benefit from the wealth of consumer data now available through various digital and social channels, but commonly delay privacy and security reviews until campaigns and programs are already live. This delayed involvement can blindside the CISO as well as the privacy office and lead to potential additional costs and angst for the teams involved when non-compliance is exposed.
The stakes are too high, from both a reputational and a cost perspective, for marketers to continue in this way. This is particularly true under the new world of GDPR, where an organization may be fined the greater of €20M or four percent (4%) of annual global revenue. Moving forward, marketers need to become symbiotic partners with privacy teams. Good privacy practices are great for business and best for consumers, brands, marketers and communicators.
To shift to this mindset, consider the following core aspirational elements to help with governance, process, and evolving a better partnership with privacy offices.
1. Evaluate the Data Value Exchange and Consider Risk Both Holistically and for Each Initiative:
Privacy offices are often tasked with developing and implementing policies designed to protect data from unauthorized access and explaining how the organization handles privacy data gathered as part of its operations. But this is not a static process.
Each new campaign or initiative may have new data privacy implications. We have seen many campaigns launch with apps, websites, surveys, email lists, sweepstakes/promotions, etc. set up to collect significant amounts of relevant data which, once collected, could help further the value of the exchange between the organization and customers, employees, clients, etc. However, without proper planning, protection and regular evaluation of how the data is being used, this activity might be considered intrusive by some on one end of the spectrum (collecting too much data). On the other end of the spectrum it could be a missed opportunity to provide a better personalized experience or even other long-tail revenue opportunities for the organization by having a deeper understanding of various audiences.
For marketers and communicators to be able to differentiate a safe opportunity to leverage data from a risk of privacy breach, partnering with privacy teams is a must.
2. Include Privacy Impact Assessment Forms at the Planning Stage of Campaign Development:
Many of the privacy officers surveyed stated that the budget process or contract negotiations stages are when they get called into an engagement. However, by that time, required changes can have significant impact on the actual ability to fulfill the original objectives of the program (or completely kill it).
It is when projects are in the planning stages that marketers should immediately think to trigger a privacy assessment if the project will do anything that involves PII and/or device identifiers (a distinctive number associated with a smartphone or similar device). This will help trigger a privacy review of the project before it goes into budgeting and contract negotiations.
And this is not a “set it and forget it” situation. The gold standard should be that once a program launches, additional privacy impact assessments should be conducted each time there is a scope change or new use purpose/new data collection/new data sharing tweak.
Regrettably, we have seen several client projects run into significant roadblocks or entire programs scrapped because the privacy impact assessment was not completed until everything was fully baked. Remember that launching an entire program that potentially violates privacy policies and creates legal problems is avoidable.
3. Develop a Marketing/Communications Data Register:
With GDPR now in place, marketing and communications departments need to regularly review the various tools they use for apps, analytics, performance marketing programs, and email campaigns. These tools now create potential areas of risk–especially if organizations are not actively aware of or do not understand all the data streams that exist.
One way to approach this is to conduct an audit and develop a data register that clearly articulates what data is being collected by each tool or platform and how it is being used. This can also include what filters can be turned on, targeting options, etc. Our Edelman team recently did a data audit for a client and filled up 60+ pages of documentation. This was an eye-opening exercise for the client but serves as a great benchmark going forward and an educational tool to share with their legal and privacy partners to ensure the campaigns and programs are navigating data aggregation in an appropriate way. The register also now provides a single location for privacy and marketing teams to review and assess how the organization is conducting data-driven programming across various channels, users, and devices.
Once a register is in place, the privacy team and the marketing and communications team can dig deeper and ensure that proper data storage and access protocols are in place to help reduce risk and comply with various standards (e.g., PCI DSS compliance standards). Additional evaluations can be done regarding data tracking to better understand if other organizations have access to this data and how much it is being used.
4. Educate Your Privacy Office on the Nuances of Marketing and Communications Programs:
Like other departments or groups in an organization, marketing and communications-related programs are often unique and require a certain working understanding or awareness of tools and vendors. Not understanding these details can create some serious challenges when a privacy office conducts a review of a proposed or ongoing program.
I regularly hear that privacy officers are interested in trainings, discussions or workshops on marketing programs and getting familiarized with the tools needed to execute them. Hosting trainings is a way to bring the privacy office into the marketing and communications world and to ensure that there is a shared understanding when collaborating.
There are some great certifications and programs hosted by the International Association of Privacy Professionals that help cover these issues and can kick start a close partnership internally.
5. Partner with Your Privacy Office to Conduct Scenario Planning:
Once a close relationship is established with the privacy office, the marketing and communications team should start to consider proactive steps which can be taken to mitigate potential areas of risk or incidents that might arise. For example, what should a marketing or communications team do if they receive a complaint tied to GDPR (regardless of whether the company is based in the EU)? Or what happens if there is a security related concern specific to data? These are all scenarios that should be discussed and planned far in advance.
The saying “not if, but when” regularly plays out in the data security and privacy environment, and conducting regular scenario planning exercises is incredibly important. A common scenario that is often forgotten during planning phases is: What does an organization do if a data stream ceases to exist and stops for whatever reason (e.g., a social media channel makes changes to its data API)? Is the organization impacted in a material way or is it just a complicating factor? If it is a material impact, is there any recourse or workaround?
If any of the five core elements above come as a surprise or concern, you should set up some time to engage your privacy office or privacy-related counsel. To be clear, implementing all of these is not the current standard that we are seeing, but should be viewed as aspirational in nature and worth prioritizing based on where you are in your privacy and data journey. Navigating security and privacy-related risks and concerns is only likely to get trickier as technology and privacy-related regulation continue to evolve. Wherever you are in your marketing and communications programs, it is strongly encouraged to keep privacy teams in the mix.