Why should marketers care about data privacy? The primary reason is obvious: because their customers do. Research consistently shows sharp increases in consumer concern about maintaining (or regaining) control over their data. For example, this Ponemon Institute survey (https://www.idexpertscorp.com/ponemon-privacy-security-2020) found 68% of U.S. adults said they have become more concerned about the privacy of their personal data over the past three years and 74% feel they have little or no control over data gathered about their online behaviors.

One result of this concern is growing regulation, as governments respond to voter interests by limiting what businesses can do with personal data and by granting consumers more control over how their data is used. This creates a secondary reason for marketers to care about data privacy: complying with new privacy regulations directly affects how companies relate to their customers. 

Done well, compliance interactions such as cookie opt-ins, consent gathering, and data access requests can build strong customer relationships and ensure an ample flow of properly-authorized personal information. Done poorly, those same interactions can deter customers from providing any data at all. Just as war is too important to leave to the generals, privacy compliance is too important to leave to the lawyers.

Despite the high stakes, many marketers would still have avoided privacy issues had yet another factor not made privacy impossible to ignore. That factor is the loss of data gathered by other companies (“third party data”), caused both by regulations and by browser blocking of third party cookies (which send information to companies other than the owner of the website being visited). These changes threaten the foundation of much online advertising, which relies on third party cookies to identify, target, and track site visitors. Marketers, and the advertising technology companies who serve them, are now scrambling to replace third party cookies with alternative means of customer identification. Nearly all the proposed solutions rely on some form of consensual data gathering, such as permission to use an email address for ad targeting. This means that marketers with no ambitions beyond maintaining current levels of advertising effectiveness are still forced to expand their customer data privacy programs.

The result is that marketers must now learn the details of managing customer data privacy. A lack of enthusiasm is understandable: this is yet another chore added to an already-full agenda. One small advantage is that marketers have spent the past two decades dealing with other technologies. So most have already built a basic understanding of how their systems work and how to manage technology in general.

Starting from that foundation, let’s define the main tasks involved with managing customer data privacy. These include:

1. Inventory customer data

You can’t manage data you don’t know about. The first task in protecting customer privacy is therefore taking an inventory of existing systems to see where your customer information is currently stored. To be a little more precise, the inventory includes both “personal information,” which is any information associated with an individual, such as purchases or location, and “personally identifiable information” (PII), which covers unique identifiers that directly link to a specific individual, such as name/address, email, or passport number.

The inventory process, often called “discovery,” will document which system holds each data element, where the data originated (if it came from a different system), the nature of the element, and technical information such as format. While discovery for privacy management is often handled by specialist systems built for just this purpose, it also overlaps with general data management tasks such as data governance, data quality, enterprise data dictionaries, and master data management. In some cases, the privacy managers may be able to use these or other general purpose resources instead of conducting a separate privacy-focused discovery process. For example, the research conducted when implementing a Customer Data Platform also requires identifying where customer data is being captured. This is one of several places where CDPs overlap with privacy management. 

2. Define data policies  

Privacy regulations apply different rules to different types of data, with more control over items that can identify specific individuals. Exactly what’s permitted with a particular data item may vary based on where and how it was collected, where the person it describes lives, what permissions that person has granted, who is using the data, whether identifiers have been removed or obfuscated, and the nature of the use itself. To make things even more challenging, these rules change over time as new regulations appear and regulators change or clarify existing rules. Any substantial privacy solution will have a place to store all the rules that currently apply and will map the rules to the inventory of data elements in the company’s systems. 

The larger privacy management process also needs a way to keep track of rule changes, such as a service that monitors regulatory actions and alerts subscribers to relevant events. Privacy system vendors will usually provide a set of default or sample rules for clients to use in setting up their own policies, but it’s ultimately up to the company to ensure its rules meet legal requirements. The precise control required by privacy regulations makes it unlikely the general-purpose corporate data access tools will be adequate substitutes for specialized privacy policy systems. But the broader tools may work in tandem with the privacy system, for example by excluding some data items from any access, applying encryption before data is made available, or limiting the data available to particular users and destinations.

3. Enforce data policies

Policy definition is the relatively abstract task of setting up rules and mapping them against available data. Enforcement connects the rules to real systems that request the data and use it for specified purposes. The privacy system might act as a supervisor that approves the requests before other systems execute them, or it might act as a broker that intercepts the requests, checks them against policy, runs the extracts when allowed, and passes the results back to the original system. The first approach is easier to deploy, while the second puts more burden on the privacy system but is harder to subvert. The second approach also becomes easier when a Customer Data Platform is in place, since extracts come from a single source.

Either way, enforcement requires receiving the requests; capturing the details of who is making the request, which data is involved, how it will be used, and what the legal justification is; checking against policy and identifying any policy violation; and keeping a history of requests so they can be audited if necessary. The privacy system might take an even more active role in enforcement by doing things like applying its own encryption, anonymizing identifiers, or adding seed names to catch unauthorized future use. This is yet another set of capabilities that probably won’t be available in general-purpose data management tools. The privacy system might still draw on some corporate IT resources such as user directories that control who can connect with the system and security processes that prevent unauthorized access.
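
The broker approach described above, as an added example that is not from the original article or any vendor's product: each request carries requester, data elements, purpose, and legal basis, is checked against rules mapped to the data inventory, and is recorded in an audit history whether or not it is allowed. The element names, purposes, legal-basis labels, and rules are constructed for illustration, and a keyed hash stands in for the identifier-anonymizing step.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed inventory: data element -> classification (hypothetical names).
INVENTORY = {"email": "pii", "postal_code": "personal", "purchase_total": "personal"}

# Constructed policy: (classification, purpose) -> accepted legal bases and handling.
POLICY = {
    ("pii", "ad_targeting"): {"bases": {"consent"}, "pseudonymize": True},
    ("personal", "ad_targeting"): {"bases": {"consent"}, "pseudonymize": False},
    ("personal", "analytics"): {"bases": {"consent", "legitimate_interest"},
                                "pseudonymize": False},
}

@dataclass(frozen=True)
class Request:
    requester: str
    elements: tuple
    purpose: str
    legal_basis: str

AUDIT_LOG = []  # history of every decision, allowed or denied

def pseudonymize(value: str, key: bytes) -> str:
    """Keyed hash: stable for matching, unreadable without the key."""
    return hmac.new(key, value.lower().encode(), hashlib.sha256).hexdigest()

def broker(request: Request, record: dict, key: bytes):
    """Check each requested element against policy; release data only if all pass."""
    violations, released = [], {}
    for element in request.elements:
        rule = POLICY.get((INVENTORY.get(element), request.purpose))
        if rule is None:  # element not in inventory or no rule: deny by default
            violations.append(f"{element}: no rule for purpose {request.purpose}")
        elif request.legal_basis not in rule["bases"]:
            violations.append(f"{element}: legal basis {request.legal_basis} not accepted")
        elif rule["pseudonymize"]:
            released[element] = pseudonymize(record[element], key)
        else:
            released[element] = record[element]
    allowed = not violations
    AUDIT_LOG.append({"request": request, "allowed": allowed, "violations": violations})
    return released if allowed else None
```

Because the broker runs the extract itself, a denied request returns nothing at all, and an element missing from the inventory is refused rather than passed through.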

4. Interact with customers

Some privacy regulations forbid certain actions altogether, but most are aimed at giving people (a.k.a. customers, users or subjects) control over how their information is used. This means the privacy system must either directly interact with people to gather their consent for different uses, or read consent collected by other systems. In fact, an entire class of software, consent management systems, specializes in these tasks. The job includes collecting consent at the point of data capture and enabling users to review and modify consent after the data is collected. 

Other interfaces are needed to manage “data subject action requests” (DSARs), which let people view, modify, and delete their personal data. The privacy system might execute the DSAR or simply receive it, check its validity, and pass it on to other systems to complete. The validity check is critical, since sending data to someone other than the owner would itself be a grave privacy violation. As with other actions, it’s much easier for the privacy system to just track DSARs than to actually execute requests that involve changing data in other company systems.

CDPs can provide a central location to store consent data, which might not have a natural home in any other corporate system. Many CDPs extend this by providing their own consent management modules, either built by the CDP vendor or through integration with third party consent platforms. CDPs or other external systems may also play a role in linking all data related to the same customer, a specialized function called “identity resolution” that is not always part of a privacy system’s core capabilities.

Of all the processes related to customer data privacy, customer interactions are the most likely to engage marketers precisely because they are a direct interaction between the customer and the company. This means they can either build customers’ trust that the company will respect their wishes and handle their data carefully, or discourage customers from sharing their data at all. Research on this point (https://www.w2ogroup.com/data-privacy/) is consistent: trust is the main factor determining whether customers will grant access to their data, and trust is based on companies providing specific information on how the data will be used, options to opt out of different uses, and ability to withdraw data altogether. While offering these options is a legal requirement that must be met by all companies, presenting them in ways that customers will find compelling is not. This is where marketers’ skill at communication will make the difference in customer behavior. The benefit that marketers gain from collecting customer data gives them even greater motivation to do the job well.

5. Maintain security

Most privacy rules regulate what a company can intentionally do with customer data. Some rules attempt to control unintentional use by imposing security standards. This is where standard corporate IT practices most clearly overlap with privacy rules, since data security has always been a primary concern for IT. But there are still some specialized processes that must be added to comply with privacy rules, including data inventories, risk assessments, and breach notifications. There may also be new penalties for inadequate security on personal data, which in turn creates requirements to document existing practices such as breach detection and encryption. Security teams may also take advantage of the privacy data inventory to identify personal information that needs special protection.

Now that you have a clearer understanding of the mechanics of privacy management, we can get to the real question: what should marketers do about it? 

As we’ve seen, marketers’ most important job is to ensure that customer interactions for consent collection, preference management, and access requests build trust and generate the most possible positive response. This will draw on the communications and user experience skills they’ve developed for other purposes. It may require some effort to become part of that discussion, since compliance teams are already struggling to keep up with their workload and may not wish to complicate their lives still further. But marketers have a lot to contribute and the stakes are high, so it’s important that their voice be heard.

The second major role for marketers is to work on policy definition and enforcement. Standard data access policies are controlled by IT, data, and security teams, who have limited understanding of privacy rules. Compliance teams will understand the privacy regulations but not all the ways that marketers might use personal data. So marketers must work with all groups to craft privacy policies that encompass all marketing data uses, ensuring that regulations are met while avoiding rejection of requests that should be permitted. Marketers don’t need to become full-on privacy experts but they do need to understand the rules well enough to design programs that comply with legal requirements – and to explain their reasoning to compliance teams who prefer to err on the side of caution.

Finally, marketers need to be alert for new opportunities to replace data and methods that are no longer available. There’s no denying that the loss of third party cookies makes effective advertising more difficult. Many industry players are offering solutions to help fill the gap. Often these are superficially appealing but suffer from practical limits such as reliance on unobtainable consent or on data that is not widely available. Such options must be assessed carefully to determine how effective they will be in the real world. Marketers must also explore ways to make better use of their own “first party” data, both within their company and in cooperation with other companies in tools like privacy sandboxes and second party data sharing. Evaluating and deploying these options will take considerable work, but the proven benefits of data-driven marketing show the effort is worthwhile.

David Raab

David Raab is the Founder and CEO of the Customer Data Platform Institute, a vendor-neutral organization that helps marketers make the best use of their customer data. Mr. Raab has a long career as a marketer and marketing technology consultant. He named the CDP category in 2013.
