The Fifth P: Privacy Lands Squarely in the Marketing Mix

August 3, 2020

Data privacy, once seen primarily as a legal and IT concern, is now integral to marketing, and marketers are increasingly central to ensuring compliance with privacy regulations.  To do this, marketers need to understand how privacy compliance will change their marketing and how those changes relate to the company as a whole.  This is a complex and rapidly evolving area that’s crucial to moving forward with a successful data strategy.

Marketers widely recognize that getting ahead of privacy regulations is good for business.  In one recent report, 94% said they saw advantages in implementing stricter privacy standards before they became mandatory, citing benefits including better brand perception, higher market valuation, industry leadership, and long-term cost savings.  And they’re acting on that belief: 71% expected (pre-COVID) their company increase privacy investments in 2020.  Yet more than half cited complexity, cost, and time as barriers to implementation.

Clearly, marketers are looking for help.  They recognize that people and process are part of the solution but also that technology is essential for moving ahead.  Privacy-related systems perform four main tasks:

  1. Data Management.  This is knowing what data you acquire and hold.  It requires examining your existing systems to identify any customer information they capture and store and processing this information so it can be used appropriately.
  2. Regulation Tracking.  This is knowing what information you’re legally allowed to have and use.  It requires tracking regulations for different data types and jurisdictions and mapping these to your customer data stores.
  3. Policy Implementation.  This is governing access to customer data.  It ensures that your company operations comply with privacy regulations and that you keep the records to prove it.
  4. Customer Interface.  This is capturing consent and responding to customer requests to view and change their data.  It’s how you ensure that your customers trust the relationship they have with you, so they will remain loyal to you and your brand.

Each of these tasks requires different software functions.  Some vendors have built products to support just one task; some have combined several tasks in the same product; and some have embedded one or more tasks within broader software such as CRM or CDP systems.  The best approach for your company will depend on the size and location of your business, systems in place, and budget.  But, however you assemble the components, it’s important to understand what to look for in each category.  Let’s dive into those details with special attention to the vocabulary you’re likely to encounter.

Data Management.  This encompasses data collection, reading, comparison, mapping and sharing.  Key functions include:

  • Data Discovery and Data Classification examine existing systems to determine what data they hold and, in particular, to identify data that is subject to privacy regulation.  Such data may include:
  • Personally Identifiable Information (PII) which can be used to directly identify an individual.  Examples include name, email address, and passport number.
  • Personal Data which (as defined under the General Data Protection Regulation) can be used to directly or indirectly identify an individual.  In addition to PII, it includes unique-but-anonymous identifiers such as a browser cookie or IP address, which could be tied to an individual with additional information, and non-unique information, such as first name, birthdate, and postal code, which might be combined to identify an individual.
  • Personal Information which (as defined under the California Consumer Privacy Act) is any information that can be linked to an individual, whether or not it could be used to identify them.  In addition to PII and Personal Data, it could include Web behaviors, purchases, and demographics.

Particular features may include natural language processing to automatically identify data types; real time monitoring of data as it moves between systems to identify unexpected contents; and targeted searches for particular items or types.

  • Data Mapping records the results of data discovery and defines relationships between fields in different databases.  It is needed to orchestrate data migration, integration and other aspects of data management.  Some systems can automatically generate data maps based on their discovery and classification processes.
  • Data Retention defines how long your company holds onto various kinds of data.  This is often governed in part by regulatory requirements.
  • Encryption transforms data so it cannot be read without additional information, typically a key that is used to decrypt the data back into its original form.  This prevents unauthorized use of the data even if someone gains access.  Encryption may cover data at rest (i.e., in storage such as sitting on a disk drive), in transit (which is it being moved from one system to another), or in-memory (when it is being processed).
  • Data De-identification uses processes such as pseudonymization (replacing personal identifiers with anonymous IDs that can later be reconnected with a specific individual), anonymization (replacing personal identifiers with IDs that cannot be reconnected with an individual), or other means to make data useable without identity.  It’s important to realize that even when data is encrypted or anonymized, there is a risk it could be re-identified through matching, AI, or other hidden clues.
  • Data Security controls which people, systems, and processes within a company can access its data.  It includes data access rules that govern what is allowed and data protection measures, such as encryption and de-identification, that prevent unauthorized use.  Privacy-specific security features should be integrated with the company’s primary security systems.
  • Data Sharing controls data sent outside the company.  It includes sharing with vendors (data processors, in GDPR language) who work for the company and with third parties who license the data for their own purposes.  Both types of sharing are generally governed by contracts with the company that owns the data, which remains responsible for ensuring it is used appropriately.  Cross-border transfers often require special treatment to ensure the data remains properly controlled when it is outside of its original location.  European Union rules require that such transfers be covered by Standard Contractual Clauses which are standard terms that comply with GDPR rules.
  • Data Subject Request Fulfillment describes execution of requests made by customers to exercise privacy rights including review of data the company has collected about them, correction of errors, and removal of stored data.  Manual execution of DSRs can be very expensive, so automation is important.
  • Data Deletion is the function of removing customer data from company systems.  Some privacy regulations give customers the right to require complete deletion of their data.  This can be difficult because it requires changing backups and historical information.
  • Data Breach Management helps a company respond if a data breach occurs.  Breach identification would be handled separately by security systems, but breach management includes standard processes to secure the breach, access the impact, and inform the affected individuals and authorities.
  • Data Protection Impact Assessments are required by GDPR at the start of new data projects.  Some systems provide assistance such as templates and access to data maps that isolate the risks associated with whatever data elements are used in a planned project.

Regulation Tracking.  This is determining what laws apply to you, both geographically and in your business category and operations. It requires working with legal experts, either on staff or outside the company, to understand current laws and develop policies that embody them.  Key functions include:

  • Compliance Benchmarking to identify which local, national and international laws, such as GDPR (EU) and CCPA (US-California), apply to which data and what those laws require.  Jurisdiction may be determined by where the person lives (GDPR), where the company is based (CCPA), where the data is processed, or other factors.  Some systems provide a knowledgebase of compliance regulations to help in this process.  Some vendors also have expert staff available to help their clients.
  • Privacy Analysis to link the data elements uncovered in the Data Discovery, Classification and Mapping projects with the laws that govern them.
  • Privacy Law Obligation Comparison to identify the specific obligations created by each law for each data element it governs.
  • Risk Analysis to assess the exposure created by existing processes and to help prioritize remediations.
  • Privacy Law Alerts to stay abreast of changes in compliance laws and the cost of non-compliance.

Policy Implementation.  This is the cluster of functions that ensure your company publishes accurate and current privacy policies.  Functions include:

  • Privacy Policy Authorship to manage the writing and legal vetting of the privacy policy and related documents defining how your company will act.  Some systems provide automated privacy policy generators.
  • Policy Monitoring and Change Detection to keep abreast of legislative changes and determine when they require a change to your policies.
  • Policy Management to ensure necessary changes are made and that corporate and management are kept current.
  • Privacy Policy Enforcement to specify who is responsible for making sure policies are adhered to company-wide and how they will do this.  This is the critical link between published policies and the execution of those policies within the Data Security and Data Sharing components of Data Management.
  • Employee Management and Incentivization to educate and motivate key stakeholders and staff to enable them to help execute and internally monitor compliance.

Customer Interface.  These functions control the direct interactions between the company and its customers.  They may be the most critical for marketers because they create the trusted relationship needed for people to willingly share their data.  Usability is a key issue, since users need to be offered a large and complicated set of choices in ways that are understandable and easy to execute.  Components include:

  • Advertising and Marketing Compliance involves how you treat potential customers before they identify themselves.  This covers where their data comes from, how it is captured, which elements are retained, who has access to the data, and what they can do with it.  Functions to manage include:
  • Cookie Consent for use of Web browser cookies
  • Mobile App Consent to collect and share data through mobile apps
  • Website Monitoring to manage data captured by site tags and other technologies that do not involve cookies
  • Data Rights Management gives identified customers control over data they have provided.  Functions include:
  • Identity Verification enables customers to prove they are who they claim, before they can change permissions or view or change their data.
  • Consent Management outlines what permissions customers can provide, including what data will be collected, how long it can be retained, what it can be used for, and specify how long the data can be retained and what it can be used for.  It also includes tools for customers to change their permissions over time.
  • Preference Tracking under GDPR, which requires giving contacts the right to opt out of your tracking their Web behavior including opens, clicks, forwards, shares and browsing behavior.
  • Data Subject Access Requests (DSARs) let consumers review and correct data you have collected about them.  Privacy regulations including GDPR and CCPA include specific requirements for DSAR accessibility, response times, and documentation.  Request fulfillment is a Data Management process, although automated fulfillment requires direct integration between the interface that collects the requests and the systems that execute them and return the results.
  • Subject Erasure Handling, also called the Right to Be Forgotten, lets customers request that you delete all of the data you have collected about them.  Like Data Subject Access Requests, these must be fed to Data Management processes for execution.
  • Data Deletion Validation confirms that data removal requests have been successfully completed.