If there is one common challenge that became obvious in 2022 and was shared by all organisations, it is certainly the data privacy one. It’s not necessarily a new challenge but rather a challenge that became front-and-center, at least from our point-of-view being a customer data strategy agency.
Bridging the tension
We have received increasing demands to help build bridges between marketing, legal, data and IT teams. Why do we speak of bridges? For years the relationship between the business teams (marketing, data and IT) and legal have become more intense but also more tense. Why is that? Even though both sides work for the same organisation, they have different objectives. The role of business teams is to make the business grow. Marketing teams tend to deploy all tricks in the book and tools provided by external partners (examples are Facebook and Google) to meet their objectives. Legal teams on the other hand have an objective to minimize risks. Where legal is by default risk averse, marketing oftentimes leans more towards riskier strategies and tactics. The result - tension.
This article shares 5 things we learned about working with Data Protection Officers in the last year that could help you build bridges and reduce tension.
Here are 5 things we have learned:
1) Being a DPO is hard
The role of the Data Protection Officer (or DPO) was introduced in 2018. A DPO is defined by the EU as follows:
The primary role of the data protection officer (DPO) is to ensure that her organization processes the personal data of its staff, customers, providers or any other individuals (also referred to as data subjects) in compliance with the applicable data protection rules.
source - https://edps.europa.eu/data-protection/data-protection/reference-library/data-protection-officer-dpo_en
This means that in today’s world, where the collection of personal data is not only exploding but also becoming more technical, a DPO should not only master legal matters but is expected to keep up with technical jargon, data collection methods and industry standards. In short - it’s a challenge.
To complexify the story even further, by design, the people that would have been the best positioned to take over the role of DPO, meaning people that have hands-on experience with manipulating data were not allowed to take it in order to avoid the conflict of interest.
source - https://iapp.org/news/a/the-dpo-must-be-independent-but-how/
Learning: being a DPO is a relatively new role, the industry is moving fast and the people who were most qualified for the job were not allowed to take it. DPO’s are required to have a wide skill set to actually be an ace in their roles. Keep that in mind and be understanding if one of these (skill set) fields is not yet fully developed.
2) Take the technical gibberish down a notch
As stated above most DPO’s do not have the technical baggage in order to always keep up in the ever evolving digital landscape that marketers and data teams call home. This also explains why marketers can get frustrated when talking to their DPO about server-side tracking, proxy’s or pseudo anonymisation. To help DPO’s make sense of the technical gibberish we found it more useful to talk about what we’re trying to achieve rather than focusing on the how. Usually a DPO can already flag if something is allowed in the organisations context or not by simply looking at the desired outcome.
Learning: Even though we’re all excited about technical problems, technology and tools - Take the technical gibberish down a notch. As a marketer start by explaining WHAT you are trying to achieve instead of HOW you plan to get it done.
3) Let’s be honest, marketers are confused too
This learning is a critical one as in most cases the privacy discussions are introduced by the marketers in order to address business challenges. Nevertheless, we have come to realize that most marketers are mixing up a lot of different concepts which leads to even more confusion when trying to clear things out with the legal counterparts:
Cookie consent is often confused and mixed up with preference centers and opt-ins. While those are complementary concepts, they serve different purposes.
If you would do certain research on the web you could easily find articles stating that server-side tracking can circumvent all consent limitations. While technical analysts play with this idea for the sake of technical possibilities and exercise, it’s not necessarily the case. Unfortunately marketers often consider that if it is technically feasible it is legally correct.
Learning: Marketing can still feel like the far-west. Beware of false prophets. Don’t accept everything you read without doing your own proper due diligence
4) Work the problem (like NASA does)
Even though privacy should be easy, it is often not. Marketers tend to make things more complex as we immediately set off with solution design (see points 1 & 2). This makes it oftentimes hard to follow and understand what can, or can’t be done in which scenarios. We like to use Chris Hadfield’s idea of how NASA tackles problems as described in his book “An astronaut’s guide to life on earth”.
“Working the problem” is NASA-speak for descending one decision tree after another, methodically looking for a solution until you run out of oxygen.
This approach can be applied in the privacy context too: breaking up the problem in small bits and walking through them piece by piece throughout the entire sequence. So that is exactly what we do. By walking through a customer journey from a data collection point-of-view (thus creating a data collection journey) we found it easier to communicate with DPOs and address exactly in which cases data could or could not be captured. This methodology is a visual representation of all challenges represented above and lays it out in a way that is understandable without much technical knowledge. It answers questions such as - “can we send server-side data to destination X after a user submitted a form in which an opt-in was given for category Y of which destination X is part of?”. We have seen that solving things visually with DPOs (with actual customer scenarios) helps to clarify, simplify and demystify some of the obstacles. We have been able to achieve more in a 1H drawing session with a DPO than with any other type of workshop.
Learning: Work the problem. Visualize, design the processes and document.
5) Stop patching for compliance, start by applying privacy by design
Unfortunately many companies are just trying to get around the latest legal restrictions. And that is exactly because they look at them like obstacles they need to work around. One key point they are missing is that privacy is not only here to stay, it's taking front-and-center. We don’t need to patch things going forward, we need to build things with privacy taken into account from the start.
As a matter of fact we see a new role emerging rapidly on the market: privacy engineer. In a nutshell (as their role could be described in an article itself) privacy engineers represent the technical side of the privacy profession. They could be seen as the role that’s designed to build the bridge that we talked about at the start of the article. Privacy engineers ensure that privacy considerations are integrated into product design. Privacy engineers today work as part of product teams, marketing teams, design teams, IT teams, security teams, and yes, sometimes even legal or compliance teams.
Learning: Privacy is not only here to stay, it’s here to be in the lead. Hire, design and build for it.
If you need help navigating the complexity of privacy, don’t hesitate to reach out. We would be happy to help!