How Can Enterprises Judge Their Privacy Maturity?


Brands want customers to enthusiastically share data. Knowing they can take it back makes it easier to commit.

Within the organisation, trust percolates to the culture that flows towards customers via service, products and marketing. Outside, it drives loyalty. According to a report, Trust Across America (TAA), an initiative that identifies the most trustworthy public companies in the US, companies deemed “trustworthy” made it to the top quarter of the Quality Shareholders Initiative (QSI), which acts as a litmus test for long-term investor sentiment. Two-thirds of these companies made it to the top quarter, and all but two (92%) were in the top half.

Consumer trust has been declining since the pandemic, and the privacy conversation is hotting up. Data privacy laws are entering a new era in 2023, and brands need to take proactive steps to show their stance. There is a global shift in the philosophy underlying data privacy laws from a “harms-prevention-based” to a “rights-based” approach.

Is it time for enterprises to measure their privacy maturity?

Debbie Reynolds, aka The Data Diva, is the Founder, CEO, and Chief Data Privacy Officer of Debbie Reynolds Consulting, where she advises multinationals on handling global data privacy strategies. According to Reynolds, organisations can gauge their privacy maturity by assessing how many data processes and procedures consider potential human harm or legal rights implications. Immature organisations may not have these considerations in place. “With the increasing reliance on data, it is crucial for organisations to proactively address privacy concerns rather than wait for regulations to dictate their actions. A lack of trust in an organisation’s ability to protect personal data can lead to individuals choosing to give their data to more trustworthy organisations. Trust is the new gold.”

Jodi Daniels, CEO and Privacy Consultant at Red Clover Advisors, says enterprises can judge their maturity in a variety of ways, such as how many privacy discussions were held across the business, for example in HR, marketing and the core product. For tech companies, the questions to ask are whether engineering is building privacy into the code and testing for privacy and security issues, at which stage privacy is considered in different projects, how many privacy impact assessments and vendor assessments were completed, how many people in the organisation have been trained, and how efficiently they are able to respond to individual rights requests.

Data protection officers (DPO) can leverage a privacy maturity model, where the company conducts a self-assessment against a specified framework. They can find assessments from privacy and security companies, analyst firms, or even from a data protection authority (DPA) like CNIL in France.

Other indicators of privacy maturity include how quickly an organisation can understand and apply policies when new privacy laws come into play. “Companies who are far along on their privacy journey are generally able to adapt to new laws with minimal disruption,” said Blake Brannon, Chief Product & Strategy Officer at OneTrust.

True Value Versus True Cost

At OneTrust, Brannon works to help companies manage privacy, security, and governance requirements in an evolving regulatory environment. A solid data governance programme starts with data identification and classification, which enable companies to know what kind of data they own and how to protect it, he says.

“Some companies embrace a compliance-first strategy, which focuses on checking all the boxes needed to avoid regulatory enforcement. But they miss the bigger picture. A privacy strategy rooted in trust is far more sustainable, especially as trust is now a business driver and trusted companies are shown to reap the benefits financially.”

Privacy by Design is a good start, but Trust by Design takes it a step further, and screens new initiatives for trust impacts before going live, he says.

Instead of looking for a GDPR fix, Trust by Design offers a methodology that instils trust into services and products from the outset.

It starts at the initial stages of product, service, or process development, where organisations detail the context of their project, identify measures intended to be implemented as part of their project plan, and apply the relevant trust requirements through scalable measures. Trust by Design ensures that the four main drivers of trust – privacy, security, ethics & compliance, and ESG – are considered throughout the design lifecycle.

Two weeks ago, Meta was ordered to pay two fines: a €210 million fine over violations of the EU’s General Data Protection Regulation (GDPR), and a €180 million fine linked to breaches of the GDPR by Instagram, a whopping €390 million in total. This ruling is significant since it buttresses the overarching theme of the EU’s landmark legislation: the individual’s right over their data and the need for a person to give explicit consent before their data can be processed.

The fact that the fine came at a time when Meta’s forecasts for profits in 2023 fell nearly 50%, according to data from Bloomberg, is worth remembering.

Companies are capturing more data than ever and want the advantages of using that data to make informed decisions, gather insights, and fuel innovation. Poor data governance is shown to drive most GDPR fines. The Meta example proves how data captured without a foundation of strong governance can prove futile. For companies found to be non-compliant, the data is unusable and must be deleted.

Is It Worth Investing In CMPs?

Consent management platforms (CMPs) allow companies to meet compliance guidelines under the latest data protection laws by asking permission and generating a data governance policy on how the data can be used and for what.

Daniels insists that enterprises first need to understand the volume of requests, the expense in both resources and time to complete a single request, and then look at how quickly and how much more accurately a request can be completed. “There’s a cost analysis that needs to be performed for dollars and resource time. Is the time saved able to be spent on something more productive for the company? Can the software help provide reporting and insight into the process that manually would be too taxing to complete?” For platforms handling data inventory, the more complex the systems are and the more data they hold, the more an automated system will allow for easier updates to multiple people in the organisation. Ultimately, this allows companies to ensure they have the most accurate picture possible.

There is a larger advantage for marketers, says Brannon.

It pertains to compliance guidelines that cover the use of cookies or tracking technologies for web analytics, personalisation, etc. It extends to how a company can leverage first-party data, which affiliates it can share that data with, and whether it can use the data to train AI models.

A CMP enables companies to drive brand consistency across websites and apps, centralise their processes, and obtain compliant, transparent opt-ins. Promising the customer transparency is one thing; easing the implementation for the team helps deliver on that promise. Brands want customers to enthusiastically share data. Knowing they can take it back makes it easier to commit.

Given that 2023 marketing priorities centre on driving measurable results, an increase in opt-in rates can lead to gains such as more tracking, better analytics, and better ad targeting. As third-party cookies are phased out, it’s increasingly important to ask consumers directly to opt in to sharing data such as contact information. Since many CMPs enable customisation and A/B testing, marketing teams can test banner placements and language, for example, to better understand how these factors can influence user engagement and opt-in consent to tracking.

A strong privacy stance can be a competitive advantage for organisations, says Reynolds.

Conclusion

Companies that future-proof their data collection are far better positioned to withstand regulatory changes and drive a more successful data strategy. “As companies put data at the core of their initiatives, future-proofing their data collection helps ensure that the inevitable changes in the regulatory landscape don’t compromise their ability to use that data, and it remains an asset, not a liability,” said Brannon.
