Why CMOs should embrace data privacy protection

In most enterprises, privacy is a growing concern, and in the wake of massive data breaches, rapidly evolving privacy regulations, and increasingly expensive fines, we typically see departments such as legal, compliance, security and IT working together to develop a data privacy protection strategy.

Unfortunately, one vital department, marketing, often ignores the call for the cultural and technology changes required to protect private information. This is because many of us are entirely focused on how to use data, not how to protect it. In fact, I’ve met some CMOs who actively resist data privacy protection measures as an impediment to their data-driven campaigns.

This is a mistake. Since today’s CMOs are data-driven, it is essential that we understand what’s at stake. It takes millions of dollars to build a brand, but a single major data breach can undermine the entire effort. When a breach occurs and your company name appears on the front page of a major newspaper, it’s the CMO who is called upon to do damage control, and the costs to a company can go way beyond fines, including lasting damage to the brand, leading to increased costs related to crisis management, lost opportunity, and new customer acquisition.

The impact of the General Data Protection Regulation (GDPR) is growing worldwide. In addition, the California Consumer Privacy Act (CCPA) is arriving soon and more regulations are on the way. But I believe this is a good thing. When data is properly managed to support data privacy protection, the benefits can extend far beyond cost avoidance and actually contribute to Marketing’s effort to ensure great customer experience and build customer loyalty.

It’s time for CMOs to embrace data privacy protection. Here’s how.

Data as an asset

Among their many provisions, key requirements of privacy protection regulations include:

• Collecting data for an expressed purpose and only with consumer consent.
• The ability to delete data upon request.
• The ability to limit who has access to sensitive information.

To satisfy these requirements, an organization must know what data it has, where it is, and who has access to it. That is, it requires better data quality and better data management. Far from restricting the ability of a company to use data analytics for personalization, understanding what data you have, the purpose for which it was collected, and who has consented to the collection of what data enables a far more refined and nuanced approach to personalization.

Customers and brands

Consumers are increasingly sensitive to privacy issues. So developing trust is now a vital part of brand management. Doing this requires transparency. For example, don’t force consumers to read complex disclaimers to ensure their privacy. Instead, have privacy as the default option. Moreover, understand your customers’ digital footprint and provide protection automatically. Another way to establish trust is to ensure processes favor consumer choice. Finally, to maintain trust, companies should reassure customers that their data will be protected no matter where it flows, including to third-party partners.

Essentially, your company should strive to be a business you would want to work with. It’s the right thing to do, and it’s a better business. This means marketing has a huge stake in what IT is doing to protect data.

Compliance and technology

While smaller organizations may be able to satisfy privacy regulation requirements and protect their data using manual processes (such as using spreadsheets to track consent or creating multiple data sets for users with different access rights), this is completely impractical and highly risky for larger organizations.

As enterprises grow, using the right technology enables them to protect the privacy and become data-driven – at scale. The fundamental capabilities of “Privacy Tech” include the ability to collect, manage and delete data according to requirements related to purpose, consent, and right to erasure. Building these capabilities requires a foundational data management layer that supports the following.

Discovery: Understand what data you have

If you don’t know what sensitive data you are collecting, such as credit card numbers and social security numbers – even email and IP addresses can be sensitive sometimes – you can’t protect it. The right technology can ensure that you can first discover what data you have in your data lake.

Audit or visibility: See who is accessing what data

An audit capability enables you to see if data usage conforms with consumer consent, the purpose for which the data was collected, and other current and future privacy regulations. It will enable you to see if individuals or groups are able to access data they shouldn’t. This auditing capability is essential to reducing the risk that private data will fall into the wrong hands, resulting in damage to the brand.

Access controls or protection

Ensure the right people have the right access to the right data at the right time – The technology should enable granular access control, such as limiting who can access what type of data by department and individual. It should also enable you to obfuscate or anonymize data, such as redacting social security numbers or allowing certain individuals to see only the last four digits.

Some organizations believe that if they encrypt data, they don’t need to worry about access controls. This is a limited view. Encryption is a critical line of defense against external hacking attacks, but internally, encryption is only as good as the organization’s encryption key management processes. Access controls are still required for managing who has access to the encryption keys.

For most larger organizations, privacy tech is essential. The ROI will depend on the solution or solutions acquired to meet the specific need. A complete solution may cost between $100K and $500K, with implementation times ranging from a few weeks to a couple of months (depending on the amount of data and number of users). So with the exposure to a GDPR fine starting at $22 million, the ROI can be huge.

In every case, building a compliance capability is far less expensive than crisis management. Not to mention the incalculable potential damage to the brand, or that this investment can lead to improved data analytics.

It’s time for CMOs to take privacy seriously. The privacy equation is simple. Privacy compliance creates more opportunities and protects the brand. Start building privacy protection into your budget for brand maintenance and help create a culture of privacy at your company. Put consumers first, collect data responsibly, focus on good data hygiene, put the right privacy tech in place, and support regular training on privacy issues. It’s the right thing to do.

R. Paul Singh is the CMO of Okera, a leading active data management company for data lake security and governance.