
A Treasure Trove of Good Advice for Marketing and Privacy Teams to Get Aligned

In a recent webinar sponsored by Gigya and hosted by the International Association of Privacy Professionals (IAPP), a major business pain point – and its solution – was explored:

The lack of communication between marketing and privacy/compliance teams within organizations.

During the presentation, Rita Heimes, data protection officer of the IAPP; Shopify’s Associate General Counsel, Privacy, Vivek Narayanadas; and I asked our audience of privacy professionals the following flash poll question: “Do you have a regularly scheduled meeting with your marketing team?”

A large majority of respondents (62%) said they did not.

On the surface, this result confirms the teams’ oppositional nature. Marketers sit on one side with their insatiable hunger for customer data; data protection officers, with their constant attention to privacy compliance and customer consent for terms, policies and marketing activities, sit on the other.

Yet all three of us on the webinar panel identified a common goal for both privacy and marketing teams: providing relevant, engaging and transparent experiences to customers. Additionally, all three of us agreed that regular communication between the teams is paramount to achieving this goal.

Rita said: “I put together a privacy working group that includes our head of marketing. It empowers him to feel like [privacy] is part of his job… It may mean more meetings than you’d like, but it always pays off in the end to sit down and talk with folks while they’re building something, not after they hit ‘send.’”

Vivek agreed, adding, “Having regular lines of communication, not just with the chief of marketing, but with folks on the marketing team is very helpful. It allows me [as the head of privacy] to be able to butt in when I hear something about a campaign without being intrusive.”

I added this is why team alignment – and specifically alignment between privacy compliance and marketing operations – is a key component of the Gigya Privacy by Design program: “As part of our implementation process, we offer a Privacy by Design workshop that helps build these privacy controls up front… before any code is even written.”

There are many more helpful recommendations on how best to align privacy and marketing teams in this webinar. We also discussed relevant and timely issues such as:

  • The impending effect of the European Union’s General Data Protection Regulation (GDPR) on privacy and marketing team operations;
  • How privacy teams can best start “consent conversations” with marketing teams; and
  • Who should “own” the consent records.  

You can access the full discussion and the presentation slides at How to Align Privacy Needs with Business Objectives. If you’re interested in enhancing brand reputation, strengthening customer relationships and minimizing regulatory scrutiny, I’m confident you’ll find the discussion insightful and helpful.

At the end of the webinar, we promised to answer questions from attendees that we didn’t have time to cover live. Here you go:

  1. Will you discuss what solutions are available for marketers to balance compliance with the need for more customer data?
    From Jason Rose of Gigya: The category of customer identity and access management (CIAM) – where Gigya is the leader – exists to solve this problem. CIAM solutions collect customer data, in some cases even before the point of formal registration, in a centralized and secure database. This database can also store consent agreements, allowing organizations to deliver personalized experiences to customers while still respecting privacy regulations. To learn more, check out recent reports from Forrester, Gartner and KuppingerCole on CIAM.
  2. Can the information security officer combine his function with the DPO role, or is this a conflict of interest?
    From Rita Heimes of IAPP: The best guidance to date on this subject comes from the Article 29 Working Party, which writes: “[T]he DPO cannot hold a position within the organisation that leads him or her to determine the purposes and the means of the processing of personal data. Due to the specific organisational structure in each organisation, this has to be considered case by case. As a rule of thumb, conflicting positions within the organisation may include senior management positions (such as chief executive, chief operating, chief financial, chief medical officer, head of marketing department, head of Human Resources or head of IT departments) but also other roles lower down in the organisational structure if such positions or roles lead to the determination of purposes and means of processing.” Based on this analysis, the Information Security Officer would likely be considered conflicted for the DPO role in many firms.
  3. Do you link different email addresses for opt-out purposes?
    From Jason Rose of Gigya: I don’t claim to be a legal expert, but it certainly makes sense to respect the intent of consumers when they opt out. In almost all cases, consumers opt out because they don’t want to hear from that organization again – period. So failing to link different email addresses for individuals runs the risk of alienating them when they opt out from one email address and still get messages from your organization through another email address. Also, one attendee offered this suggestion: “Hash the email address in an opt-out list and compare the hash, not the plain-text email.”
  4. I like the master “do not mail” list. But can you have that in GDPR if the person said to “forget me?” That is, can you keep them on the list of “forgotten?”
    From Rita Heimes of IAPP: The right to be forgotten/ right of erasure is not absolute. Many commenters interpreting the GDPR (informally) tend to agree that it is acceptable to maintain an email address on file in order to respect a data subject’s withdrawal of consent to receive communication.
  5. Is there a regulatory entity that has decided that you MUST offer varying degrees of opt out? In other words, can you as a company simply provide one opt out method?
    From Rita Heimes of IAPP: Each nation has its own data protection laws. Those doing business in Canada must comply with CASL, for example, while firms doing business in the European Union presently have to comply with the privacy laws of multiple EU member states implementing the Data Protection Directive and the ePrivacy Directive. Soon, however, all EU member states will be subject to the General Data Protection Regulation which requires, under Article 7, that “it shall be as easy to withdraw consent as to give it.” Recital 32 also discusses the requirements of consent. Under the US CAN-SPAM law, moreover, “unsubscribe” options must be clearly available in all commercial emails.
  6. Wouldn’t a global company have a new product development policy and guidelines? What is the phase of this product in?
    From Jason Rose of Gigya: Your question refers to our hypothetical example in the webinar, where a chief privacy officer discovers at the last minute that the marketing campaign for a big new product launch has been planned without any regard for privacy regulations. In a perfect world, this would never happen. In the real world, sad to say, it happens all the time. As mentioned above, our instant poll during the webinar revealed that 62 percent of privacy professionals don’t have a regularly scheduled meeting with their marketing teams. I encourage you to listen to the full webinar replay for some excellent suggestions from Vivek Narayanadas and Rita Heimes on strategies for guiding marketing teams to take responsibility for privacy compliance.
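The hashed, linked opt-out list described in questions 3 and 4 above is easy to get subtly wrong, so here is an added worked example (written for this page, not code from Gigya or any product it sells). Two caveats a practitioner should keep in mind: first, a plain SHA-256 of an email address is not anonymous, because addresses are guessable and a leaked list can be reversed by hashing a dictionary of likely addresses, so the example uses a keyed hash (HMAC) with a secret the organization controls; second, a keyed hash is still pseudonymised personal data under the GDPR, not anonymised data, so it belongs under the same access controls as the rest of the consent store. The example also normalises addresses before hashing (otherwise “Jane.Doe@Example.com” and “jane.doe@example.com” would miss each other) and links several addresses to one individual so an opt-out from any of them suppresses all of them. The secret key, the class and method names, and the sample addresses are all constructed for illustration.

```python
import hashlib
import hmac
import unicodedata

# Constructed secret for this example only. In production, load it from a
# secrets manager; its job is to stop an offline dictionary attack on a
# leaked suppression list.
SUPPRESSION_KEY = b"example-key-do-not-use-in-production"


def normalize_email(address):
    """Canonicalise an address so trivially different spellings hash identically."""
    addr = unicodedata.normalize("NFKC", address).strip()
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an email address: %r" % (address,))
    # RFC 5321 allows case-sensitive local parts, but providers treat them
    # case-insensitively in practice. Lowercasing both halves means the worst
    # case is suppressing a near-duplicate, which is the safer failure mode
    # for a do-not-mail list.
    return "%s@%s" % (local.lower(), domain.lower())


def email_token(address):
    """Keyed hash of the normalised address; this is all the list stores."""
    data = normalize_email(address).encode("utf-8")
    return hmac.new(SUPPRESSION_KEY, data, hashlib.sha256).hexdigest()


class SuppressionList:
    """Master do-not-mail list keyed by HMAC tokens, with identity linking.

    Only tokens are kept, so the plaintext profile that produced them can be
    erased on a "forget me" request while the opt-out stays enforceable.
    """

    def __init__(self):
        self._opted_out = set()   # tokens whose owner withdrew consent
        self._group_of = {}       # token -> group id (one group per individual)
        self._members = {}        # group id -> set of tokens

    def _group(self, token):
        # Create a singleton group the first time a token is seen.
        if token not in self._group_of:
            gid = len(self._members)
            self._group_of[token] = gid
            self._members[gid] = {token}
        return self._group_of[token]

    def link(self, address_a, address_b):
        """Record that two addresses belong to the same individual (for example,
        both appear on one CIAM profile). Merges their groups."""
        ga = self._group(email_token(address_a))
        gb = self._group(email_token(address_b))
        if ga == gb:
            return
        for token in self._members.pop(gb):
            self._group_of[token] = ga
            self._members[ga].add(token)

    def opt_out(self, address):
        """Withdraw consent for this address (and, via linking, its owner)."""
        token = email_token(address)
        self._group(token)
        self._opted_out.add(token)

    def is_suppressed(self, address):
        """True if this address, or any address linked to it, has opted out."""
        token = email_token(address)
        gid = self._group_of.get(token)
        members = self._members[gid] if gid is not None else {token}
        return any(t in self._opted_out for t in members)

    def filter_campaign(self, recipients):
        """Return the recipients who may still be mailed, preserving order."""
        return [r for r in recipients if not self.is_suppressed(r)]


if __name__ == "__main__":
    # Constructed sample data: one person known under two addresses.
    suppression = SuppressionList()
    suppression.link("Jane.Doe@Example.com", "jane@personal.example")
    suppression.opt_out("jane@personal.example")
    campaign = ["jane.doe@example.com", "bob@example.com"]
    print(suppression.filter_campaign(campaign))
```

Linking is the part that does the work here: an opt-out recorded against one token is honoured for every token in the same group, and links made after the opt-out are honoured too, because `is_suppressed` checks the whole group at send time rather than copying flags around when groups merge.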

By Jason Rose