“If the highest aim of a captain were to preserve his ship, he would keep it in port forever.”
– Thomas Aquinas
Just as a captain of a ship faces tough choices in plotting the course of a voyage, the team leading compliance efforts for a global enterprise faces tough choices on how best to mitigate regulatory risk. With the EU’s General Data Protection Regulation (GDPR) now in effect and several other regional data privacy laws being announced recently, the job of this team has never been more complex – or more vital to the success of the enterprise.
A recent research report from the CMO Council asked businesses: “Who is in charge of ensuring GDPR compliance at your organization?” The answers revealed an interesting split in the marketplace. While some businesses are viewing the evolving regulatory landscape as a chance to turn data privacy into a competitive advantage, others are treating it as simply a burden to bear.
In this post, we’ll analyze the pros and cons of the responses to this important question and explain how one approach offers the best course to navigate the rough waters of the GDPR era.
The Security and Risk Mitigation Approach
CMO Council Survey Results
Ten percent of the respondents said the COO is leading GDPR compliance efforts. Another eight percent said the CFO.
Security and compliance professionals are tasked, above all, with keeping the lights on and protecting the business from risk. When these stakeholders lead GDPR compliance efforts, the business can be confident it will avoid regulatory violations.
Unfortunately, risks arise in other areas. In a March 2018 research report, Forrester said:
“Security, risk, and legal professionals will tend to err on the side of caution – perhaps putting marketing program effectiveness at risk.”
The analyst’s forecast proved correct when GDPR enforcement began. In one of the starkest examples of radical risk-aversion, Tronc Inc. – formerly Tribune Publishing – completely shut down access to a number of news properties in the EU, including the LA Times, Chicago Tribune, New York Daily News, Orlando Sentinel and Baltimore Sun. The Financial Times also shut down its open marketplace activities in Europe, instantaneously slashing an estimated 10-20% of its programmatic revenues.
When faced with the GDPR storm, these companies chose to abandon their course and seek safe harbour.
The Marketing-First Approach
CMO Council Survey Results
Seventeen percent of the respondents said the CMO is leading GDPR compliance efforts.
When the marketing department leads the GDPR compliance effort, the database of leads, prospects and customers stands the best chance of staying robust. Since marketers are hungry for the data, they will look for every opportunity to preserve it.
This approach, however, can lead to GDPR violation risk. As an example, look at the flurry of email activity ahead of the May 25th enforcement deadline. Companies around the globe sent “last chance opt-in” emails to their marketing databases. Many of the emails didn’t follow GDPR requirements for unambiguous and verifiable requests for consent.
If these violations continue, an EU data subject could complain to his or her Data Protection Authority and the company could be investigated for GDPR noncompliance.
Companies taking this approach are trying to press ahead through the GDPR storm, but also risk crashing on the rocks of regulatory enforcement.
The IT-First Approach
CMO Council Survey Results
Twenty-seven percent of the respondents said the CIO is leading GDPR compliance efforts. Another four percent said the chief data officer (CDO) was leading the effort.
Since the GDPR focuses on data collection and processing, many businesses put the IT department in charge of compliance. By doing so, these technical experts can best assess current systems, find gaps and create a roadmap for compliance.
Yet, looking at this project as a checklist of system and policy updates misses the opportunity to put the customer first and differentiate in a market increasingly driven by customer experience. While individual experiences may be GDPR-compliant, the overall experience with the company’s ecosystem of brands may be disjointed, with multiple requests for consent and no easy way for the customer to manage his or her personal information.
In addition, costs and time-to-market are more likely to skyrocket in an IT-first approach. Individual teams working on their own brand or property will use more resources and meet more delays than they would under a centralized approach.
In the IT-first approach, the ship may sail into the destination port, but it will have taken a longer route than necessary.
The Cross-Functional Approach
CMO Council Survey Results
Thirty-three percent of the respondents said their company initiated a cross-functional team to lead GDPR compliance efforts.
Creating a cross-functional team offers the best chance to turn data privacy into a competitive advantage. This approach enables stakeholders to align behind a holistic strategy that balances customer experience, technical, regulatory and business requirements. Let’s look at how.
Capturing Identity, Consent and Preference Data the Right Way
According to the CMO Council survey, forty percent of the respondents said their GDPR readiness audits discovered more points of data collection than they originally outlined. If these points aren’t addressed, the company is at risk of GDPR noncompliance and breaking customer trust.
A cross-functional team offers the best chance for a company to identify and account for these collection points early in the process. In addition, a cross-functional team is better equipped to forge an enterprise-wide solution for personal data capture that is:
- Standardized, so requests for consent are unambiguous and verifiable, even as policies evolve
- Centralized, to facilitate the enforcement of consumers’ explicit consent choices throughout the digital ecosystem
- Integrated seamlessly into the digital experience, no matter the platform or device
Such a solution will help address GDPR requirements and – more importantly – build market-differentiating customer trust.
Going Beyond GDPR Compliance
At its core, the GDPR aims to put consumers in charge of the relationship with brands. This aim did not appear out of thin air; on the contrary, it’s a response to a global demand from consumers for more transparency and control from organizations that collect and process their personal data. Smart businesses understand this and are using GDPR to drive a truly customer-first approach.
To be successful, these businesses are going beyond the regulation’s technical requirements to re-focus their customer experiences with trust at the forefront. They’re balancing regulatory compliance with customer needs. And they’re approaching every engagement through the eyes of the customer.
These efforts require complete buy-in from stakeholders across the enterprise. When successful, the company will reap the competitive advantage: more trusted customer relationships, better ROI, and more brand advocates. For example, data protection experts discussed in a recent webinar how they teamed with their marketing teams to deliver privacy policies in formats their audiences could better understand. They also designed cross-functional GDPR training for customer service staff to ensure data access requests were processed correctly.
Relevant and Consistent Personalization
Since the GDPR requires businesses to map all the personal data they store to a data subject’s consent for collection and processing, data management is a fundamental component of any compliance initiative. This opens the door for opportunity. The value of customer data is at an all-time high, and making sure it is accurate and available for every touchpoint will create experiences that truly differentiate your business in the hearts and minds of your customers.
Businesses in the vanguard are not settling for well-mapped data. Instead, they’re reinventing their architecture to be more agile and accurate. How are they achieving this goal? They’re creating single, unified profiles for every customer on record. Made up of customer identity data, consent, preference and account status information, these profiles become the single source of truth for customers across the entire enterprise.
Compared to multiple profiles existing in multiple systems, the unified customer profile is the key to eliminating fragmentation. Once created, it can also be orchestrated and governed across the technology stack bi-directionally in near-real time, so it stays current as the customer engages with different properties, touchpoints and regions.
Unified customer profiles strengthen customer trust in two vital ways. First, they help ensure the customers’ preferences and consent choices are enforced across the organization. Second, analytics will yield more accurate, actionable results for marketers because the profiles are made up of consent-based, first-party data. This means personalization – in the form of recommendations, communications, customer service and even in-store experiences – will be more relevant, consistent, and valuable.
The retail industry provides an insightful example. By gaining permission to add customers’ histories and preferences to their profiles, a retail business can make each successive interaction less of a “wandering the aisles” exercise, and more of a curated, bespoke experience that encourages loyalty, repeat visits, and brand advocacy.
For More Information
As you can see, creating a cross-functional team to address compliance is the best way your business can chart a successful course through the stormy GDPR waters.
For more information about the global market’s preparation for the GDPR, download the entire CMO Council Report. You’ll gain valuable insights into how your company can turn this regulatory burden into a real competitive opportunity.
By Ratul Shah