Data privacy competency
I have spent the last six months speaking with over 500 businesses and marketing leaders and discovered that “data privacy” is a term that elicits strong reactions, and for good reason. Take for example the constant introduction of new cookie-less addressability solutions or the interoperability standards across ID resolution platforms; these are just some of the changes that are making it ever so hard for brand teams to think about data privacy.
For the first time in the digital age, brands are also being challenged (and rightfully so!) to be more responsible and purposeful with the data they collect and how they use that data to engage consumers and achieve their business goals. However, when it comes to data collection, it is not always easy to interpret government regulations, and it can be even less clear what steps an enterprise should take to achieve compliance.
The privacy landscape has been shifting so much that one colleague described it as a chameleon; a constantly changing reptile that, if we’re not careful, can be overlooked. However, after speaking with various leaders over the course of 6 months, data privacy to some can resemble a much different animal, something closer to a Godzilla than a chameleon. But data compliance shouldn’t be scary, and it starts with understanding the inner working of ones’ organization.
So how can enterprises better prepare for what’s ahead?
This is where data competency is critical, which in my view is the first step towards data compliance. Data competency goes beyond understanding legal jargon and focuses on asking the right questions, ensuring there is a common language, and assessing risk. It’s about understanding the inner workings of existing data processes, data sharing and data storage. Data competency focuses on an organization’s readiness and fitness and aims to answer questions that are usually given less attention, and most of the time are left unanswered.
In total, there are 40 key questions that can help organizations establish data competency, and they all fit within four key workflows:
- Governance: Is there a unified understanding of the data policies and practices around collection, storage, use and sharing?
- Talent: Does an organization speak the same language, and does it have the competencies, training and accountability required to make the right technology decisions?
- Media: Does the organization invest in building strong relationships with its customers beyond the transaction, and are marketing teams exploring and testing new measurements frameworks?
- Leadership: Has an organization identified the key areas or risk, and is leadership ready to make the necessary decisions to meet changes to government regulations once they’re passed?
Four Key Data Competencies for Organizations:
Competency 1 - Governance: There are three components that make up the first competency, and they are: Data collection, data storage and data sharing.
Good governance is about how enterprises collect data, store it, and share it across their martech and adtech ecosystems. It can be as straightforward as whether an enterprise is deploying server-side tagging, which provides full control of the data collected from the website, landing pages, and apps, all the way to the endpoint to which that data is being sent to, or not.
A good governance framework includes a robust process across the entire organization, where objectives are clearly understood and prioritized. This information should also inform privacy roles across the enterprise. It's helpful to also document and assess potential problematic data actions, as efforts by enterprises to demonstrate progress and efforts to address potential gaps and areas of concern within their data governance are helpful to demonstrate compliance.
Furthermore, is the data being collected aligned to the organization’s needs? Is what's being collected a requirement or luxury, and what utility does it serve? Canadian privacy law requires organizations to limit the amount and type of personal information gathered to what is necessary for the purposes identified to the consumer (e.g. in a privacy policy). It also has an overriding obligation that any collection, use or disclosure of personal information only be for purposes that a reasonable person would consider appropriate in the circumstances. Collecting more data than what's required creates added risk as it has to be logged, stored and shared.
Lastly, what are the data flows between internal and external platforms and are they well documented and well understood? Each platform and vendor must have a clear alignment on what data is being processed and how it's being utilized. The most common requirement for these workflows is for opt-out requirements, which often clarify how opt out requests are managed and organized between partners.
The key questions to assessing the Governance competency include:
Data Collection:
- Are our IT, marketing and legal teams aligned on what user data we need to collect to achieve our business goals?
- Is all data we collect on our users mapped and inventoried?
Data Storage:
- Do we have a solid understanding of systems and technologies that process consumer data?
- Is there a clear understanding across our marketing, IT and legal teams of the purpose of the data collection?
Data Sharing
- Do our customers trust us with their data?
- Are data flows between internal and external platforms well understood and documented?
Competency 2 - People & Culture: There are three components that make up the second competency, and they are: competency, training and accountability.
Organizations should aim to create a common language around data, and foster an environment that empowers individuals and teams to engage in data privacy dialogue. They should also ensure that the right people can make the right decisions when acquiring new technologies, or when evaluating new vendors to onboard.
Talent is the foundation of competency, and includes applicable knowledge, attitude and experience. When it comes to building a robust data team, I’m a huge fan of the structure Simon Wardley outlined in his book ‘Wardley Mapping’ where adapting towards a future requires a multifaceted organization and different levels of expertise. For privacy compliance, companies in Canada are required to have a privacy officer that is ultimately accountable for privacy compliance decisions. That said, success is achieved when we adopt a village thinking, encompassing what Simon refers to as PionEers, Settlers and Town Planners.
Pioneers are the data people. They are able to explore the never before discovered data concepts; the uncharted data flow and state.
Settlers are also data people, and can transform a messy and less understood ecosystem into something useful for the wider organization. These individuals can help build trust and competency within an enterprise, and can build understanding around data flow, build a unified level of understanding and also lay the roadmap towards achieving data compliance.
Town Planners are those teams (for example marketers) that take something and industrialize it by taking advantage of economies of scale. Marketing and Dynamic Ad Insertion teams are great at this. It requires immense skill, and you can measure the impact of their work and execution. They take almost any type of data and identify ways to make it relevant and actionable. Simone has referred to them as "the industrial giants we depend upon. They build Rome".
The key questions to assess the Talent and Culture competency include:
Competency:
- Do we have the internal expertise to make decisions on technologies and assess the privacy compliance practices of partners and vendors?
- Are our marketing, IT and legal teams empowered to address data privacy risk quickly?
- Have we established a data governance body internally that encompasses people from different teams and departments?
Development:
- Do we have, or plan to hire, a Chief Privacy Officer to lead and guide our internal privacy processes and risk assessments?
- Are we investing (or continuously investing) to train our teams on data privacy, data security and data compliance?
Accountability:
- Do we have a clear understanding of roles and accountability as it pertains to user data collection and storage?
- Is there a single point of accountability on data compliance, and who should be engaged?
Competency 3 – Media Utility and Activation: Marketing departments can be the biggest users of data. It’s important to assess an organization's ability to generate data (zero party data, 1st party data) and its level of dependency on external partners and vendors for audience insights and targeting.
There are a number of key elements that encompass Media Utility and Activation:
- The ability to capture data from web properties, apps etc. (how well you're able to create your data collection endpoints)
- The level of data transformation utilized (e.g. profiling, leveraging AI), which includes how much data manipulation is applied to make the data useful. Are you using the data in a descriptive, diagnostic, predictive or prescriptive capacity, or all of the above?
- How the data is leveraged for media and marketing (e.g. media partnerships, media platforms, the Trade Desk). Is that data improving service, or delivering personalization? Are we able to deploy tactics around detaching certain data sets from each other that would prevent nefarious third-party processors from stitching together users?
- What is the current measurement approach (data-driven attribution, mixed media measurement etc.)?
The key questions to assess the Media Utility and Activation competency include:
Audience Creation:
- Is our marketing reliant on user PII data?
- Do we transform user data for marketing activation purposes (e.g. profiling)?
- Do we have a clear understanding of how our media partners generate, and transform user data?
Audience Utility:
- Are our data analytics inputs and outputs evaluated for bias?
- Do we pass customer data to external partners for marketing activation purposes?
- Do we currently sell or share customer or audience data with external partners?
Measurement:
- Do we leverage data-driven attribution? What is our primary measurement framework?
- Have we tested new measurement frameworks to track the impact of our marketing spend on business outcomes?
Competency 4 - Leadership: Lastly, leadership is all about the decisions an organization is making or needs to make to minimize risk and improve overall fitness. This is where we evaluate whether there is a clear understanding of the organizations' overall mission and objectives, which informs and guides our data privacy processes and decisions. And if there is a clear roadmap of the technology changes that they need to make to meet upcoming changes to government legislation.
The key questions to assess the Leadership competency include:
Risk Appetite:
- Are the risks associated with processing user data well researched, documented and communicated (data inputs and outputs documented, reviewed and communicated based on risk to business)?
- Have we made the necessary decisions to mitigate the highest risk areas of our business?
Mission/Vision
- Do we have a good understanding of the benefits that user data has on our business, including our ability to effectively execute marketing strategies and tactics?
- Is there a clear understanding of the overall organizations' mission and objectives, which inform and guide our data privacy processes and decisions?
Partnerships
- Do we have a clear roadmap of the technology changes we need to make to mitigate data risk?
- Are we actively working with our data and tech partners to ensure we're prepared to meet upcoming changes to government legislation?
My aim with this framework and thinking is to help organizations simplify the narrative around data. The complete assessment goes into more areas and encompasses more than 40 questions designed to get organizations to be better evaluate readiness and fitness.
Data can be a complex topic and, as some have hinted, a Godzilla-like issue. I’m much more optimistic and believe that data leaders and organizations can simplify some of the language around data privacy to encourage a more open dialogue. The ideas behind this competency framework are intentionally meant to be simple, which is essential to ensure that more people from across the organization (regardless of role and seniority) can collaborate and add value.
My hope is that by focusing on these competencies, organizations can move forward with more confidence and be better prepared to tackle changes to government regulations as they go into effect rather than just wait for change to disrupt their business.