The role of insights

SEE TIPS

Data privacy competency

May 10, 2023
data Privacy

I have spent the last six months speaking with over 500 businesses and marketing leaders and discovered that “data privacy” is a term that elicits strong reactions, and for good reason. Take for example the constant introduction of new cookie-less addressability solutions or the interoperability standards across ID resolution platforms; these are just some of the changes that are making it ever so hard for brand teams to think about data privacy.

For the first time in the digital age, brands are also being challenged (and rightfully so!) to be more responsible and purposeful with the data they collect and how they use that data to engage consumers and achieve their business goals. However, when it comes to data collection, it is not always easy to interpret government regulations, and it can be even less clear what steps an enterprise should take to achieve compliance.

The privacy landscape has been shifting so much that one colleague described it as a chameleon; a constantly changing reptile that, if we’re not careful, can be overlooked. However, after speaking with various leaders over the course of 6 months, data privacy to some can resemble a much different animal, something closer to a Godzilla than a chameleon. But data compliance shouldn’t be scary, and it starts with understanding the inner working of ones’ organization.

So how can enterprises better prepare for what’s ahead?

This is where data competency is critical, which in my view is the first step towards data compliance. Data competency goes beyond understanding legal jargon and focuses on asking the right questions, ensuring there is a common language, and assessing risk. It’s about understanding the inner workings of existing data processes, data sharing and data storage. Data competency focuses on an organization’s readiness and fitness and aims to answer questions that are usually given less attention, and most of the time are left unanswered.

In total, there are 40 key questions that can help organizations establish data competency, and they all fit within four key workflows:

  • Governance: Is there a unified understanding of the data policies and practices around collection, storage, use and sharing?
  • Talent: Does an organization speak the same language, and does it have the competencies, training and accountability required to make the right technology decisions?
  • Media: Does the organization invest in building strong relationships with its customers beyond the transaction, and are marketing teams exploring and testing new measurements frameworks?
  • Leadership: Has an organization identified the key areas or risk, and is leadership ready to make the necessary decisions to meet changes to government regulations once they’re passed?

Four Key Data Competencies for Organizations:

Competency 1 - Governance: There are three components that make up the first competency, and they are: Data collection, data storage and data sharing.

Good governance is about how enterprises collect data, store it, and share it across their martech and adtech ecosystems. It can be as straightforward as whether an enterprise is deploying server-side tagging, which provides full control of the data collected from the website, landing pages, and apps, all the way to the endpoint to which that data is being sent to, or not. 

A good governance framework includes a robust process across the entire organization, where objectives are clearly understood and prioritized. This information should also inform privacy roles across the enterprise. It's helpful to also document and assess potential problematic data actions, as efforts by enterprises to demonstrate progress and efforts to address potential gaps and areas of concern within their data governance are helpful to demonstrate compliance.

Furthermore, is the data being collected aligned to the organization’s needs? Is what's being collected a requirement or luxury, and what utility does it serve? Canadian privacy law requires organizations to limit the amount and type of personal information gathered to what is necessary for the purposes identified to the consumer (e.g. in a privacy policy). It also has an overriding obligation that any collection, use or disclosure of personal information only be for purposes that a reasonable person would consider appropriate in the circumstances. Collecting more data than what's required creates added risk as it has to be logged, stored and shared. 

Lastly, what are the data flows between internal and external platforms and are they well documented and well understood? Each platform and vendor must have a clear alignment on what data is being processed and how it's being utilized. The most common requirement for these workflows is for opt-out requirements, which often clarify how opt out requests are managed and organized between partners.

The key questions to assessing the Governance competency include:

Data Collection:

  • Are our IT, marketing and legal teams aligned on what user data we need to collect to achieve our business goals?
  • Is all data we collect on our users mapped and inventoried?

Data Storage:

  • Do we have a solid understanding of systems and technologies that process consumer data?
  • Is there a clear understanding across our marketing, IT and legal teams of the purpose of the data collection?

Data Sharing

  • Do our customers trust us with their data?
  • Are data flows between internal and external platforms well understood and documented?

Competency 2 - People & Culture: There are three components that make up the second competency, and they are: competency, training and accountability.

Organizations should aim to create a common language around data, and foster an environment that empowers individuals and teams to engage in data privacy dialogue. They should also ensure that the right people can make the right decisions when acquiring new technologies, or when evaluating new vendors to onboard.

Talent is the foundation of competency, and includes applicable knowledge, attitude and experience. When it comes to building a robust data team, I’m a huge fan of the structure Simon Wardley outlined in his book ‘Wardley Mapping’ where adapting towards a future requires a multifaceted organization and different levels of expertise. For privacy compliance, companies in Canada are required to have a privacy officer that is ultimately accountable for privacy compliance decisions. That said, success is achieved when we adopt a village thinking, encompassing what Simon refers to as PionEers, Settlers and Town Planners.

Pioneers are the data people. They are able to explore the never before discovered data concepts; the uncharted data flow and state.

Settlers are also data people, and can transform a messy and less understood ecosystem into something useful for the wider organization. These individuals can help build trust and competency within an enterprise, and can build understanding around data flow, build a unified level of understanding and also lay the roadmap towards achieving data compliance.

Town Planners are those teams (for example marketers) that take something and industrialize it by taking advantage of economies of scale. Marketing and Dynamic Ad Insertion teams are great at this. It requires immense skill, and you can measure the impact of their work and execution. They take almost any type of data and identify ways to make it relevant and actionable. Simone has referred to them as "the industrial giants we depend upon. They build Rome".

The key questions to assess the Talent and Culture competency include:

Competency:

  • Do we have the internal expertise to make decisions on technologies and assess the privacy compliance practices of partners and vendors?
  • Are our marketing, IT and legal teams empowered to address data privacy risk quickly?
  • Have we established a data governance body internally that encompasses people from different teams and departments?

Development:

  • Do we have, or plan to hire, a Chief Privacy Officer to lead and guide our internal privacy processes and risk assessments?
  • Are we investing (or continuously investing) to train our teams on data privacy, data security and data compliance?

Accountability:

  • Do we have a clear understanding of roles and accountability as it pertains to user data collection and storage?
  • Is there a single point of accountability on data compliance, and who should be engaged?

Competency 3 – Media Utility and Activation: Marketing departments can be the biggest users of data. It’s important to assess an organization's ability to generate data (zero party data, 1st party data) and its level of dependency on external partners and vendors for audience insights and targeting. 

There are a number of key elements that encompass Media Utility and Activation:

  1. The ability to capture data from web properties, apps etc. (how well you're able to create your data collection endpoints)
  2. The level of data transformation utilized (e.g. profiling, leveraging AI), which includes how much data manipulation is applied to make the data useful. Are you using the data in a descriptive, diagnostic, predictive or prescriptive capacity, or all of the above? 
  3. How the data is leveraged for media and marketing (e.g. media partnerships, media platforms, the Trade Desk). Is that data improving service, or delivering personalization? Are we able to deploy tactics around detaching certain data sets from each other that would prevent nefarious third-party processors from stitching together users? 
  4. What is the current measurement approach (data-driven attribution, mixed media measurement etc.)?

The key questions to assess the Media Utility and Activation competency include:

Audience Creation:

  • Is our marketing reliant on user PII data?
  • Do we transform user data for marketing activation purposes (e.g. profiling)?
  • Do we have a clear understanding of how our media partners generate, and transform user data?

Audience Utility:

  • Are our data analytics inputs and outputs evaluated for bias?
  • Do we pass customer data to external partners for marketing activation purposes?
  • Do we currently sell or share customer or audience data with external partners?

Measurement:

  • Do we leverage data-driven attribution? What is our primary measurement framework?
  • Have we tested new measurement frameworks to track the impact of our marketing spend on business outcomes?

Competency 4 - Leadership: Lastly, leadership is all about the decisions an organization is making or needs to make to minimize risk and improve overall fitness. This is where we evaluate whether there is a clear understanding of the organizations' overall mission and objectives, which informs and guides our data privacy processes and decisions. And if there is a clear roadmap of the technology changes that they need to make to meet upcoming changes to government legislation.

The key questions to assess the Leadership competency include:

Risk Appetite:

  • Are the risks associated with processing user data well researched, documented and communicated (data inputs and outputs documented, reviewed and communicated based on risk to business)?
  • Have we made the necessary decisions to mitigate the highest risk areas of our business?

Mission/Vision

  • Do we have a good understanding of the benefits that user data has on our business, including our ability to effectively execute marketing strategies and tactics?
  • Is there a clear understanding of the overall organizations' mission and objectives, which inform and guide our data privacy processes and decisions?

Partnerships

  • Do we have a clear roadmap of the technology changes we need to make to mitigate data risk?
  • Are we actively working with our data and tech partners to ensure we're prepared to meet upcoming changes to government legislation?

My aim with this framework and thinking is to help organizations simplify the narrative around data. The complete assessment goes into more areas and encompasses more than 40 questions designed to get organizations to be better evaluate readiness and fitness. 

Data can be a complex topic and, as some have hinted, a Godzilla-like issue. I’m much more optimistic and believe that data leaders and organizations can simplify some of the language around data privacy to encourage a more open dialogue. The ideas behind this competency framework are intentionally meant to be simple, which is essential to ensure that more people from across the organization (regardless of role and seniority) can collaborate and add value.

My hope is that by focusing on these competencies, organizations can move forward with more confidence and be better prepared to tackle changes to government regulations as they go into effect rather than just wait for change to disrupt their business.

AUTHORED BY
profile picture

Basil Hatto

SVP Product & Growth Neil Patel Digital Canada

AdTech Committee



UPCOMING EVENTS & LEARNING OPPORTUNITIES

|

VIEW ALL

LATEST PERSPECTIVES

 | View All

Must-know 2024 Code updates for marketers

Apr 23
Tag:Code Tag:Standards
Council

Brand marketing: The essence of marketing

Apr 18
Tag:Brand Tag:Thought Leadership
Council

Cannes you have your Lion and eat it too?

Apr 16
Tag:Agency Tag:Partners
Council

Harnessing hyper-personalization in modern marketing

Mar 27
Tag:Marketers Tag:Thought Leadership
Council

Humour in creative campaigns

Mar 15
Tag:Creativity
Council

Navigating global brand positioning

Mar 08
Tag:Brand Tag:Thought Leadership
Council

Media trends to watch for in 2024

Mar 01
Tag:Media Tag:Trends
Council

Advice for marketers from the CMA Insights Council

Feb 29
Tag:Insights Tag:Thought Leadership

Taking Stock: Canada’s Digital Charter

Feb 29
Tag:Digital Tag:Standards

Proposed online harms law: What marketers need to know

Feb 28
Tag:Digital Tag:Standards
Council

Six tips for achieving your 2024 goals with consumer insights

Feb 20
Tag:Insights Tag:Thought Leadership

Ontario adopts updated consumer protection law

Feb 01
Tag:Consumer Protection Tag:Standards

Embracing AI as more than a buzzword

Jan 22
Tag:Adtech Tag:ai

Tips to avoid deceptive marketing

Jan 17
Tag:Deceptive Marketing Tag:Standards
Council

Knowing when to exceed customer expectations

Jan 15
Tag:CX Tag:Thought Leadership
Council

Enrich CX with a passwordless future

Jan 11
Tag:CX Tag:Thought Leadership

How AI is infusing empathy into digital CX

Jan 08
Tag:ai Tag:CX

Upskilling for marketers: Future-proofing talent

Jan 03
Tag:Professional Development Tag:Talent

Get up to speed on California’s privacy law

Dec 19
Tag:Privacy Tag:Standards

Contests 101: What marketers need to know

Dec 13
Tag:Contests Tag:Standards
Council

Unpacking consumer trends for future-ready marketing

Dec 08
Tag:Consumers Tag:Trends

The momentum and opportunity of AI for marketers

Dec 01
Tag:ai

Ontario’s proposed protections for consumers

Nov 21
Tag:Consumer Protection Tag:Standards

Have your say: New federal consultations affecting biometrics and generative AI

Nov 13
Tag:ai Tag:data

What You Should Know: Final consent guidance from Quebec’s privacy regulator

Nov 08
Tag:Privacy Tag:Standards

Opportunity on the open internet

Nov 03
Tag:Adtech Tag:Trends

Quebec privacy regulator releases final consent guidance

Nov 02
Tag:Privacy Tag:Standards

Mastering personalization in marketing with AI

Oct 31
Tag:ai Tag:Personalization
Council

Inflation trends this holiday season

Oct 27
Tag:Consumers Tag:Thought Leadership

Experts weigh in on recent developments in Canada’s privacy and AI landscape

Oct 26
Tag:ai Tag:Privacy

Major Sponsors

  • BMO-800x450
  • canada-post_2022
  • CIBC-800x450
  • Microsoft-2023

Featured Member