Putting Customers at the Center of Your Privacy Program
 

The privacy risk landscape is evolving quickly for today’s companies. Over the past five years, Europe’s General Data Protection Regulation (GDPR) was soon followed by the California Consumer Privacy Act (CCPA); Brazil, China, India and South Africa now have similar regulations in place. In response, businesses are increasing their privacy program budgets and their efforts to hire personnel focused on consumer privacy.

At the same time, customers are increasingly unlikely to patronize a business that they do not trust with their personal data, according to the McKinsey management consultancy. Its 2020 survey of 1,000 consumers in North America found that 87% would not do business with a company if they had concerns about its security practices, while 68% said the contents of their email should be accessible only to those entities that they authorize.[1] Research has also shown that customers’ willingness to share information with various brands is directly related to their feelings of autonomy and control over what they are sharing.[2]

Simply put, compliance and risk mitigation are no longer the ceiling for consumer privacy rights. Instead, they are the baseline. While this poses significant challenges for organizations that are left unprepared, it also presents an opportunity to rethink company privacy strategy, reframe users’ privacy experience beyond the context of compliance, and transform data privacy from a hindrance to a competitive advantage.

This report, based on a Gartner report titled “Predicts 2022: Privacy Risk Expands,” is part of a three-part series on privacy. Other reports in this series explore the regulatory, enforcement and litigation trends exerting new compliance pressures on companies.

A Lack of Strategy Leads to Complaints — and Worse

Amid the growing number of global consumer privacy laws and their corresponding complexity, companies have focused on privacy as a regulatory compliance issue. This is certainly understandable, but it has had a negative impact on the customer service experience. 

Overall, fewer than half of multinationals have a global privacy strategy, with roughly one-third of companies organizing data by jurisdiction and managing data according to local law, according to a survey by the International Association of Privacy Professionals (IAPP).[3] In the absence of a company-wide strategy, privacy programs have been implemented in an ad hoc fashion. 

As a result, companies have sacrificed their users’ privacy experience, leaving customers unable to locate or use the functionality that enables them to access, correct or delete their data as allowed under laws such as GDPR and CCPA. “Many are missing proper transparency, consent and preference management, and automation of subject rights request (SRR) responses, resulting in an abundance of complaints,” Gartner said. 

In some cases, consumer complaints are just the tip of the iceberg. Gartner continued, “With the expansion of compliance risk, the stakes get higher through class-action and mass claim opportunities. Organizations not only potentially face the scrutiny of regulatory authorities, but also will have to take into account consumer privacy activism more than before. Through 2026, organizations that mishandle personal data will suffer three times more financial damage from class actions and mass claims than from enforcement sanctions.”

5 Steps for Enabling a Holistic View of Privacy Strategy

In response to this expanded risk footprint, companies are investing in privacy staff and budget, according to the IAPP survey. Average privacy spending increased 9% from 2019 to 2020, and 29% from 2020 to 2021. Most companies expect privacy spending to increase in 2022 as well, with the average increase falling somewhere between 20% and 32%. As for personnel, about 45% of companies expect to hire additional staff, though the majority expect to hire for just one or two positions.

With privacy teams growing and privacy budgets increasing, now is an optimal time for companies to take a more holistic view of privacy strategy. Gartner predicted, “By 2024, large organizations’ average annual budget for privacy will exceed $2.5 million, allowing a shift from compliance ethics to competitive differentiation.”

There are five important steps that companies can take to enable this transformation, as detailed below:

• Shift the privacy mindset.
• Develop and fund a multiyear strategy.
• Prioritize privacy by design.
• Refine email security.
• Make response to data subject requests (DSRs) more efficient.

Shift the Privacy Mindset

The first step is to widen the company’s perception of privacy beyond a narrow programmatic focus on regulatory compliance. This allows the organization to see privacy from the customer’s point of view.

Accomplishing this mindset shift requires a broader inclusion of both the executive stakeholders who focus on privacy and the types of corporate initiatives that should be considered part of privacy. Gartner stated, “CIOs, chief data officers (CDOs) and information security professionals see parts of their expenditure go toward directly connected functions including, for example, data discovery, classification, end-of-life automation and automation of access controls … This organization-wide maturing of both privacy management and data-centric capabilities allows organizations to reach beyond mere compliance-driven work, toward customer-centric activities.”

Additionally, organizations need to look at the maturity of technologies such as data mapping and analytics, identity and access management, and data storage infrastructure, coupled with best practices for data breach identification, mitigation and response. According to McKinsey, this will enable a more proactive approach to addressing privacy and data protection requirements.

Develop and Fund a Multiyear Strategy

A steadfast emphasis on regulatory compliance and privacy management in the absence of a company-wide privacy strategy can lead to the implementation of one-off programs to address rules for a given geography or jurisdiction. This approach makes it difficult to address privacy holistically, as various parts of the business — and different segments of the customer population — are subject to inconsistent policies and user experiences. With privacy regulation efforts only expanding globally, this approach is also increasingly untenable.

Gartner indicated, “Those who go beyond mere regulatory requirements are in the position to capitalize on increased customer and ecosystem trust for business value increase.” Getting to this point requires regarding privacy as a longstanding initiative with a multiyear roadmap focused on increased collaboration across business units. It also requires an increase in privacy budgets, both for the privacy office and for the IT, data, security, marketing and customer experience teams.

Prioritize Privacy by Design

Article 25 of GDPR calls for privacy “by design and by default,” emphasizing the importance of considering privacy in designing products and systems. The International Standards Organization has also developed a range of specifications that target the management of privacy information in light of global consumer rights requirements.[4]

Embedding privacy into the design and development lifecycle elevates privacy from its typical status as an add-on or last-minute consideration. Privacy by design emphasizes proactive and preventive measures, transparency and user centricity. The goal is privacy by default, with no action required by the end user to protect their privacy.[5] This helps companies establish privacy as a key element of all customer-facing contact points, giving them more control over the data they share and the way they communicate with a business. 

Refine Email Security

Email plays an important role in privacy compliance. [kl1] Email marketing gets a significant amount of attention, as GDPR explicitly lays out the “lawful bases” for collecting, storing and using consumer data; for advertising relevant services to an email subscriber; and for requiring opt-ins and enabling opt-outs. 

There’s much more to consider that preventing spam, however, especially since email is a vast trove of personal information. GDPR also calls for data protection “by design and by default,” and while email encryption isn’t required under the law, it is the most feasible option for protecting email data from a potential breach. Likewise, GDPR calls for “the right to be forgotten,” which forces organizations that are used to archiving email for many years to consider updating email retention and deletion policies. Finally, GDPR compliance requires appropriate measures to protect personal data, which may necessitate more rigorous security systems and training to prevent breaches that stem from accidental or intentional employee activity.[6]

Make DSR Response More Efficient 

Privacy regulations give consumers the right to data subject requests (DSRs), which allow them to access, correct or delete the data that companies have about them. This is a complicated endeavor for global companies, since they tend to collect data from many jurisdictions; the vast majority (87%) also use third-party vendors to process personal data, IAPP reported. 

Along with the challenge of different regulations applying to different geographic areas, IAPP members reported that simply locating an individual’s data within the global organization can be difficult. In fact, this is the most pressing issue related to DSRs for 47% of global companies. These factors also impact the efficiency of the DSR response process. Only 22% of businesses can process a request within two days, compared to 40% who need at least a week. In addition, more than 50% of companies retain manual processes for DSR response, compared to 35% that have at least partially automated the process.

Two strategies can address the complications of locating customer data and processing DSRs, McKinsey said. One is to deploy technologies such as data mapping to categorize which types of data an organization collects from customers, and to couple this with revised data storage policies for each category of data. The other is to automate the submission of and response to the most common types of DSRs through self-service portals. Gartner noted, “Their intent is to not simply avoid regulatory fines, but also to bolster customer trust and maintain positive brand sentiment. Organizations that have adopted a self-service model have found further benefits from a more consistent user experience, often furthering brand loyalty and engagement.”

The Bottom Line: Privacy as a Competitive Differentiator

Gartner indicated, “By 2023, government regulations requiring organizations to provide free and accessible consumer privacy rights will cover 5 billion citizens and more than 70% of global GDP.” As of January 1, 2023, California’s laws get stronger as well — “dark patterns” that can manipulate consumers to make decisions they may not otherwise make, such as arduous subscription cancellations or opt-out processes, will be subject to fines under the California Privacy Rights Act.[7]

Increasingly, compliance with consumer privacy regulations is a must-have for today’s global businesses. However, it is more than simply avoiding punitive action; it also means meeting customer expectations about how companies use their data. The time is now for companies to build a more robust data privacy strategy, starting with product design and evolving to touch all areas of the business where privacy and customer data intersect. A company-wide strategy to put customer privacy front and center in the user experience, and to give consumers clear choices about data sharing, will prove to be a competitive differentiator in the years to come. 
 

[1] “The consumer-data opportunity and the privacy imperative,” McKinsey

[2] “How Acceptable Is This? How User Experience Factors Can Broaden our Understanding of The Acceptance of Privacy Trade-offs,” Computers in Human Behavior

[3] “IAPP-EY Annual Privacy Governance Report 2021, International Association of Privacy Professionals and EY

[4] “Privacy engineering: The what, why and how,” IAPP

[5] “Privacy by Design: The 7 Foundational Principles,” Information and Privacy Commissioner of Ontario

[6] “How does the GDPR affect email?” GDPR.EU

[7] “Dark Patterns Come to Light in California Data Privacy Laws,” National Law Review

 [kl1]Renatta: I tried to link to this page: https://www.mimecast.com/solutions/governance-risk-and-compliance-grc but it keeps “flipping over” to the GDPR page (not always, but usually), which isn’t right for this link. Any chance of fixing it? Alternatively, this link: https://www.mimecast.com/products/cloud-archive/compliance/