Three Privacy Takeaways from #RampUp20

by Amy Yeung, General Counsel & Chief Privacy Officer, Lotame

What do a marketer, editor, and lawyer have in common? We all attended LiveRamp’s Ramp Up 2020 in San Francisco a few weeks ago. I spoke at the Innovation Studio with LiveRamp’s Chief Information Security Officer, Frank Caserta, to explore how organizations can track and manage sensitive data across departments to mitigate security threats or reputational risks.

A few years ago, if you were to start a conversation about “data privacy,” you might get a few confused looks and vague responses. Recently we’ve seen a tectonic shift in how people perceive data privacy on both a professional and personal level. As new and changing privacy laws are ramping up (no pun intended), consumers are beginning to understand the importance of their data, while organizations are entering a period where they need to understand how to manage data amid a rapid succession of data regulations.

It’s no surprise that the uncertainty and challenges around privacy and security are top of mind across the industry. But one common theme I’ve seen at RampUp and in my conversations with peers is how businesses are complying with and preparing for national, regional and even hyper-local regulations in their industry.

It’s clear that we need industry-wide change to thrive, remain competitive, and deliver what consumers really want and need. Based on the conversations I had with attendees and what I’ve observed, here are three privacy takeaways from RampUp 2020. 

1) Privacy and security by design

GDPR taught our industry a hard lesson: we need to work together to do the right thing for everyone involved, businesses and consumers alike. Privacy and security by design start upfront and must include the senior leadership teams. By taking this approach and making it core to every team, a company can fully acknowledge organizational needs and enterprise risks. Getting to zero risk is impossible (and impractical), but finding a strategy that balances business innovation and builds a healthy vocabulary of compliance considerations is important.

Companies today do not need to uplift their entire current legal process to get this in motion. Rather, all key stakeholders from Legal and Security to Engineering to Marketing and Product should have a seat at the table to discuss how they are working with sensitive data and current internal and external challenges to date. This permits security and data privacy teams to incorporate guidance and regulatory requirements during product development, rather than at the end, which can curb the need for significant and “last-minute” modifications. 

The consequences of teams missing a isn’t just a monetary fine but brand reputation and deterioration of the business relationship are on the line. A study from Ping Identity showed that 81% of respondents would stop engaging with a brand online following a breach and 25% would stop interaction whatsoever. Yikes.

As you’re thinking about building a privacy by design mindset and practice, consider:

  • What type of data do you need; what data is being ingested but isn’t utilized (costing your business extra storage, encryption, and maintenance costs)?
  • How might you use the data; how can you align teams to maximize use of the data set?
  • Where and how long will you store it; can you tighten timeframes and use where the data half-life is not worth the extra cost burden to your company?
  • What value will you derive from your data? 

All of the above are critical. Training teams to understand the baseline regulatory landscape is the first line of defense. Issue-spotting can mitigate inadvertent leaks, data commingling, or contractual breaches of your agreed-upon commitments.  

2) Operational design controls 

As technical controls and robust compliance monitoring become more important, operational design controls will be at the forefront of protecting businesses from these process failures. As teams across the business interact with customer data, it’s imperative to understand how that information is accessed, shared, and used across the organization to mitigate risk. Since a data breach can cost an organization an average of $3.92 million, this is extremely important to get right.

Security breaches can happen in one of two ways: through operational error or through malevolent action. Human error was the cause of 60% of the 4856 personal data breaches reported to the Information Commissioner’s Office (ICO) in the first half of 2019. Operational controls that overlap with other processes within the company can also be a technique to minimize gaps and inconsistencies and otherwise mitigate operational errors.

Take your CRM (customer relationship management) system. How many teams potentially come in contact with it? Sales, customer success, support, marketing, and enterprise risk/compliance could all have access to the CRM where your customer data resides, each using that data in different ways. Beyond that, CRM systems integrate across different applications and platforms, where a whole new subset of users has access to the data. This can raise concerns if you don’t have visibility into who has access, or can’t backtrack because the correlation is no longer direct.

On average, an organization has 16 martech products in its stack, 20 if it’s B2B. The number of people accessing and using the data can multiply intensely, and employees who have access to data can still send it in an unencrypted email or share it in a document that is not password-protected.

When privacy and security by design are implemented, operational design control can identify the impact and reduce operational errors. Breaches are not always caused by bad actors; often they’re consequences of internal technical or operational errors, so ask yourself:

  1. Is it possible that not enough attention is placed on preventing accidental releases of sensitive data? 
  2. What types of strategies or programs can mitigate these cases?

Privacy and security by design are a critical foundation for companies interacting with sensitive customer information. Operational design control helps ensure processes are running smoothly to properly respond.  Notably, this is an iterative process—as processes and regulations change, the data flows and controls evolve and should adapt to the needs of teams. 

3) Privacy and security risk affects everyone 

The industry is experiencing the rapid emergence of new standards for privacy and security across an increasingly complex ecosystem. Customer data is being created so fast that our infrastructure is being put to the ultimate test.  We’re coming to the point where the new and yet-to-be-passed laws are not matching the technology used to flow data across the business landscape. 

Traditionally, incident response is closely coordinated across relevant stakeholders such as Security, Privacy, Legal, and IT; however, stakeholders from other organizations such as Marketing or Customer Success need to be looped in so they know how to properly respond, communicate, and route requests.  Perhaps this is a commonplace view for some organizations, but even in the wake of coronavirus, I am again reminded that not every organization has the benefit of structured “go-to” team lists.

With the emergence of new privacy laws and the legal accountability associated with them, privacy and security risk is increasing across the entire data ecosystem. Organizations today need to engage in industry dialog to balance risks with the value of a data-driven economy. If you need more urgency, 83% of internet users worldwide are concerned about their privacy. But just concern isn’t enough. 

There needs to be an open industry solution on how data practices can be technologically implemented to help:

  1. Create a standard set of expectations for all companies in the ecosystem, or at least recognition of a standard for consumers
  2. Provide transparency to the consumer. Implement organizational transparency and consistency to empower employees to be data privacy compliant  

All things considered, security awareness training, re-evaluating internal policies, and cross-department process creation can be the first steps organizations can take. eMarketer put together a checklist to start thinking about actions your organization can take today. 

After the fireside chat, I had an opportunity to continue the conversation in a video interview with Jon Watts from Beet.TV on why, as an industry, we need an open framework after cookies.

This topic will continue to be relevant across the data ecosystem, and companies today need to engage one another. I’m interested in hearing about your experience and how your organization is preparing. Send me a note on Twitter.