Privacy is a team sport requiring all hands -- marketing, legal, IT and HR -- on deck. It is not hard to see why. Adapting to the new privacy landscape -- with its complex new (and ever-changing) laws and consumers’ conflicting desires for both increased privacy and personalization -- requires a company-wide push. But successful collaboration to support a comprehensive privacy compliance program requires stakeholders to coordinate as a team.
It is not productive when stakeholders do not share a common understanding of purpose and the tools to achieve that purpose. This misalignment can result in endless meetings, with compliance achieved slowly, at great cost, and easily undone by legal or policy changes. Ensuring that stakeholders clearly understand the privacy objectives, and the business and technical support necessary to achieve those objectives, removes friction and fosters high-level collaboration resulting not only in legal compliance but a competitive advantage through greater insights derived from responsibly leveraged data. In this article, we’ll explain how to form a collaborative, value-driven privacy program and best practices to avoid the frustrating technical challenges too many companies struggle with today.
First, realize that while diligent and highly aware legal policy owners are vital, successful engagements involve multiple stakeholders across the organization. Each department brings particular knowledge to support a proactive privacy posture.
Responsibilities and contributions of each department include:
- Defining regulatory positioning and legal bases; balancing compliance and growth objectives while mitigating risks
- Tracking and responding to ever-changing privacy regimes (which can feel like a game of whack-a-mole)
- Drafting disclosures and notices (while maintaining brand integrity/on-brand voice)
- Influencing user experience
- Utilizing data from and for the consumer
- Expressing brand values; building trust and conveying transparency
The marketing department is a translator between legal and the consumer. Privacy notices, disclosures and preference centers impact user experience and typically occur early in the buyer journey -- upon first visit to a website, for example. Their language, style and timing affect brand perception -- this is especially true where trust and transparency are core brand values. Marketing tunes these messages and builds them into a company’s branding to convey to consumers, with minimal interruption, that it respects their right to privacy.
Privacy programs and policies aren’t documents that just sit on a shelf. Their purpose is to ensure consumer consent and rights are respected, and this requires orchestration across internal and external third-party data systems. Some of IT’s responsibilities include implementing technology that honors the promises made in privacy notices and consumer consent disclosures, as well as adapting website and mobile infrastructure to collect and process data in a compliant manner. Data monetization and data privacy are increasingly necessitating IT input as part of the overall collaborative effort with legal, marketing and business departments. The result: alignment between compliance and growth.
IT contributions typically include:
- Handling systems complexity & managing consent across all systems
- Implementing changes based on new policies without breaking privacy architecture
- Ensuring consumer privacy choices are respected across third-party systems
- Managing cost; IT plays a significant role in reducing the cost of compliance by, for example, implementing programmatic versus manual approaches to rights fulfillment/consent orchestration, conserving time and labor resources
With the passage of the California Privacy Rights Act (CPRA), starting January 1, 2023, the CCPA employer exemption expires, granting employees in California the same rights that consumers have enjoyed since CCPA passed. This means businesses will need to have systems in place to:
- Notify employees of their expanded rights
- Fulfill employees’ access or deletion requests
- Harmonize privacy rights with employment requirements
In addition, CPRA provides new rights to both consumers and employees, namely rights to correct personal information and to data minimization and retention limitations. California has been at the forefront of data privacy legislation in the US; others (Virginia, Colorado) have followed suit, and more will undoubtedly follow.
True operationalization of privacy, not just the Hollywood facade, requires buy-in from all departments. Stakeholder collaboration, however, can become stymied without a clear understanding of the necessary legal, compliance, and technical requirements to fulfill the desired objectives.
Using first-generation technologies for privacy compliance, which rely largely on manual and process-driven efforts, and which lack interoperability, triggers a repetitive cycle of small tech fixes to broad enterprise needs with every small business or legal change. Sophisticated, productive collaboration depends on unified technology that adapts easily to change, and is easy to understand, use and deploy by all relevant stakeholders. Programmatic privacy compliance that accounts for these needs is vital to competing in today’s market.