
Build A Data Privacy Organization That Balances Marketing Innovation And Customer Expectations

Organization: The Customer Trust And Privacy Playbook

by Fatemeh Khatibloo, Heidi Shey, and Enza Iannopollo

September 13, 2019

Licensed for individual use only

forrester.com

Key Takeaways

Privacy Management Oversight And Coordination Is A Business Imperative

Privacy is not the same as security, and it’s more than compliance and avoiding fines. Done right, it can be a competitive advantage. Unfortunately, many privacy organizations operate in silos today.

There Are Core Capabilities For Consumer Data Privacy Management

Managing consumer data privacy requires a set of capabilities that span assessing, creating, enforcing, and evaluating policies and practices.

Each Type Of Privacy Organization Presents Challenges And Opportunities

Privacy is a business discipline that will evolve with your business’ privacy maturity and align with your existing organizational structures.

Why Read This Report

How companies handle and protect consumer data privacy is more than a compliance issue: It’s a competitive differentiator. As a result, firms need to develop a cohesive privacy strategy and program, one in which B2C marketing leaders must actively participate. This report outlines the capabilities necessary to build a comprehensive consumer data privacy program, with an emphasis on the roles that marketing and business strategy leaders must play.

This is an update to a previously published report; Forrester reviews and revises it periodically for continued relevance and accuracy.

This PDF is only licensed for individual use when downloaded from forrester.com or reprints.forrester.com. All other distribution prohibited.


© 2019 Forrester Research, Inc. Opinions reflect judgment at the time and are subject to change. Forrester®, Technographics®, Forrester Wave, TechRadar, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. Unauthorized copying or distributing is a violation of copyright law. [email protected] or +1 866-367-7378

Forrester Research, Inc., 60 Acorn Park Drive, Cambridge, MA 02140 USA. +1 617-613-6000 | Fax: +1 617-613-5000 | forrester.com

Table of Contents

To Innovate With Data, Marketers Must Play A Role In Protecting It

Let’s Level-Set On The Need For A Coordinated Privacy Organization

Four Privacy Organization Models Tap Marketing Differently

Your Organizational Model Will Evolve

Successful Privacy Working Groups Are Multifunctional By Design

Recommendations

Take A Lead Role On Your Firm’s Privacy Committee

Related Research Documents

Brief: You Need An Action Plan For The GDPR

Marketing Under GDPR Hinges On Data Governance

The New Privacy: It’s All About Context

For B2C Marketing Professionals

Build A Data Privacy Organization That Balances Marketing Innovation And Customer Expectations

Organization: The Customer Trust And Privacy Playbook

by Fatemeh Khatibloo, Heidi Shey, and Enza Iannopollo, with Mary Pilecki, Stephanie Balaouras, Chahiti Asarpota, and Peggy Dostie

September 13, 2019


To Innovate With Data, Marketers Must Play A Role In Protecting It

B2C marketers don’t stop to think about privacy the way their security and risk (S&R) and legal colleagues do. That’s OK: It’s a complex topic with lots of nuance. But marketers do need to understand the global privacy issues that affect their ability to collect, store, and use customer data. Although IT is responsible for data privacy in 42% of firms, marketing practices like cross-channel device stitching and real-time bidding create significant risk in the organization.1 In firms where marketing is a key stakeholder in the privacy working group, risks go down, while opportunity for differentiation and innovation grows.

Let’s Level-Set On The Need For A Coordinated Privacy Organization

Regulations like the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) massively expand the definition of personal information to include data that marketers have long considered anonymous — cookie history and device IDs, for example. And consumers’ expectations about how their data is used are changing as well.2 In order to play a meaningful role in their firm’s privacy efforts, marketers need to understand that:

› Privacy is not the same as security. Like security, privacy requires a combination of technology, processes, policies, and people. But while security and privacy are interdependent, they’re not interchangeable. For example, a piece of data might be well-secured even though the way your firm uses it violates privacy principles.3 Marketers must understand that just because they have access to a piece of data, that doesn’t mean they can use it indiscriminately.

› Privacy is more than just meeting compliance requirements. Your organization must write its privacy and data-use policies recognizing the expectations of both regulators and customers. For example, what’s acceptable to one customer might feel creepy to another, regardless of specific regulatory requirements.4 Privacy practices must also reflect your firm’s internal standards and ethics, along with its appetite for balancing innovation and risk when it comes to using consumer data. As such, your organization’s S&R pros can’t be expected to tackle data privacy alone.

› Privacy infractions are expensive and hard to manage.5 The changing regulatory landscape has raised the financial stakes. In Europe, regulators are issuing GDPR fines and delivering judgments on many common marketing practices.6 In the US, the FTC has fined Facebook $5 billion for violating a prior consent decree, and there is already a patchwork of state privacy laws, many of which provide for hefty fines and class action lawsuits.7 With stakes like these, every firm needs more stewards of data privacy.

Four Privacy Organization Models Tap Marketing Differently

In organizations where privacy is seen as a strategic business opportunity, there is sometimes an apex stakeholder: the privacy committee (see Figure 1). Dell created a cross-functional team comprising legal, marketing, project managers, and IT.8 The team’s remit is to develop a balanced perspective on privacy management. While the legal team looks at regulatory requirements, the marketing team focuses on the actions it must take to protect the brand from reputational damage. But not all firms are like Dell. In fact, the vast majority still practice privacy in silos. This is no longer enough: Firms have to build a more robust privacy organization to survive today’s customer and regulatory environment. Forrester categorizes most privacy organizations today as one of four types — Compliance Cub, Security Satellite, Marketing Maven, or Business Booster — although some firms have characteristics that may straddle the different structures (see Figure 2).

› Compliance Cubs cover regulatory basics but miss out on data opportunities. This model of privacy management focuses on meeting compliance requirements, with a legal or compliance group that oversees customer privacy efforts. Because Compliance Cubs tend to see data as a liability, they miss out on opportunities to deliver rich customer experiences rooted in data innovation. And, because the marketing organization may sidestep the compliance teams to keep up with customer expectations, these firms’ privacy policies — created unilaterally by the legal folks — may not reflect the reality of their data use. “Right-to-Know” rules in recent privacy laws make this an especially risky situation.9

› Security Satellites integrate privacy but not business strategy. These firms make privacy the security team’s responsibility, which can result in a heavy emphasis on risk mitigation and data protection. Unfortunately, since security rarely has a seat at the business planning table, privacy efforts don’t get the attention they deserve. In addition, this structure can create conflicts of interest, since the group making policy is also the one enforcing it. Marketers tend to see Security Satellites as the “no, you can’t do that” group, and may avoid opportunities to strategically leverage data as a result.

› Marketing Mavens seize data opportunities but don’t understand risk. Marketing Mavens push the boundaries of data with innovative analytics, context-based personalization, and behavioral tracking tools — all while trying to balance customer expectations for privacy and data use. However, in their enthusiasm for innovation, they may engage data, technology, and services vendors that expose them to third-party risk. Because this kind of privacy team sits outside the technology organization, it may not understand the firm’s privacy policy enforcement capabilities or the technology infrastructure that exists to deliver on promises made in public-facing privacy policies. Marketing Mavens should be careful about going it alone on the privacy front.

› Business Boosters break down silos and enter uncharted waters. Organizations at the leading edge of privacy bring together IT, security, marketing, CX, procurement, legal, compliance, HR, and other lines of business, breaking down the privacy silos within their organization. This typically starts with a privacy committee that defines a privacy vision that aligns with corporate values. Business Boosters treat privacy as a competitive differentiator that guides everything from solution requirement design to brand messaging and identity. The challenge for these firms is to reach consensus on how much detail to share about their privacy practices and how to respond when a risk-versus-reward analysis of a data set’s collection or use is not clear.


Figure 1 Privacy Committees Must Be Cross-Functional To Succeed

The privacy committee sits at the center, drawing on: security; infrastructure and operations; data architecture and master data management; chief privacy officer; data protection officer; legal; risk/compliance; customer insights; brand marketing; digital marketing; customer care and experience; channel leaders; HR; sourcing/procurement.

Figure 2 Four Common Privacy Organization Models

Compliance Cub, Security Satellite, Marketing Maven, Business Booster.

Your Organizational Model Will Evolve

No single privacy organization structure is perfect for all firms. Rather, your privacy team’s structure will evolve with your firm’s maturity and adapt to changing internal and external needs. It may be centralized or decentralized; it can be business-led or technology-led; and it will be influenced by factors like geography, the nature of your business, and the products and services you sell. Ultimately, every successful privacy organization will:


› Appoint a privacy leader. The privacy organization lead is the main point of contact who drives the privacy program and manages coordination among key stakeholders. This individual is most often a chief privacy officer (CPO), data protection officer (DPO), or other similar title.10 In less mature firms, where privacy teams may not yet be fully funded, privacy leadership may be fluid, rotating to the best-qualified stakeholder depending on the privacy initiative at hand.

› Identify and limit potential conflicts of interest. Competing business objectives are fundamentally disruptive to an emerging privacy organization, so identify scenarios where conflicts of interest could occur. For example, a firm with aggressive digital customer acquisition goals shouldn’t put privacy enforcement in the hands of its marketing team.

› Create escalation procedures. Escalation should be a last resort, but most marketers will happily push their own privacy boundaries if it means better customer experiences and engagement, so escalation procedures are necessary. Stakeholders use this process to gain exceptions to established policies, and, depending on the extent, an escalation can make it as far up the chain as the board of directors. However, firms that embed privacy education across the workforce typically see fewer escalations.11

› Audit data assets. This isn’t just about data schemas or integrations. Privacy organizations must understand how line-of-business technologies, applications, and solutions handle and touch customer data. Only then can you map data flows to improve network architecture design and data protection controls, and then set appropriate data privacy requirements for third-party partners and suppliers.12

› Think globally and locally. Privacy touches myriad business functions, technologies, and processes. Successful privacy organizations engage a multitude of stakeholders in order to operationalize privacy. Moreover, teams in multinational firms should consider installing in-country privacy leads to better align with the challenge of specific local business and regulatory needs.13

Successful Privacy Working Groups Are Multifunctional By Design

Privacy teams range from part-time one-man bands to full orchestras of professionals under the leadership of a CPO. But managing privacy as a strategic function requires a broad set of capabilities that, by definition, span multiple teams within your organization. To help you identify the key stakeholders for each capability, Forrester has developed a consumer data privacy management RASCI. Use this tool to map roles to capability responsibility: responsible, accountable, supporting, consulted, or informed (see Figure 3). We’ve used generic team names that should align with those in most enterprises; we encourage you to modify them to reflect the terminology your firm uses.


Figure 3 Forrester’s Consumer Data Privacy Management Capabilities Map

Capabilities, by phase:

Assess: internal standards; vendor inventory; vendor requirements; privacy impact and risk assessment.

Create: data governance policy; vendor requirements; privacy impact and risk mitigation; data request requirements.

Enforce: policy; vendor requirements; privacy impact and risk mitigation strategy; compliance with data requests.

Roles (the columns of the RASCI map): privacy committee; customer insights; brand marketing; digital marketing; channel leaders; info security; risk, governance; data architecture; infrastructure, ops; sales, service; legal; product development; customer experience. The role columns are grouped under Marketing, Business tech, and Operations.

(The RASCI rating assigned to each role for each capability appears only in the graphic and is not reproduced in this text.)


Figure 3 Forrester’s Consumer Data Privacy Management Capabilities Map (cont.)

Evaluate: policy; regulatory impact; establish thought leadership; internal privacy champion; privacy leadership; regulatory liaison; metrics; training.

RASCI key:

(R) Responsible: the owner and primary performer of the task.

(A) Accountable: the ultimate authority for the task, determining its success or failure.

(S) Supportive: the person who provides resources and support for the task.

(C) Consulted: the person who provides input and advice necessary to complete the task.

(I) Informed: the person who needs to be informed of ongoing progress and final results of the task.

The role columns (privacy committee; customer insights; brand marketing; digital marketing; channel leaders; info security; risk, governance; data architecture; infrastructure, ops; sales, service; legal; product development; customer experience, grouped under Marketing, Business tech, and Operations) are the same as on the first page of the figure.


Recommendations

Take A Lead Role On Your Firm’s Privacy Committee

B2C marketers are uniquely well-suited to leadership positions on privacy teams. This may seem counterintuitive: Why would the teams most dependent on unfettered access to customer data join a team looking to restrict it? Think of it differently. As a marketer, you can help shape your firm’s privacy practices, balancing the need for innovation and competitive advantage with the desire to protect customer privacy and win trust. This is because B2C marketers are:

› Data-aware. As the keeper of customer data, you already have a stewardship role and understand the risks of badly applied customer analytics. You have a clear understanding of how your firm uses customer data for business insight and strategy, and you can rattle off the top five data initiatives on your organization’s customer centricity road map. You’re fluent in both data and strategy, so you’re an excellent liaison between the traditional and new privacy stakeholders.

› Increasingly technology-savvy. As marketing technology has become more powerful and complex, you’ve identified the tools that create a competitive edge for your firm. You understand how your organization uses different solutions and which cutting-edge tools are interesting — but risky — bets. You know that good technology can simplify business processes, so you’ll advocate for technical solutions to improve privacy. You’ll work with security colleagues to identify the right tools to manage privacy across your ecosystem of marketing vendors, from technology firms to agencies and other service providers.

› Customer and brand advocates. Marketers get a lot of flak for being too aggressive with new marketing tactics or “going rogue” with the use of data and technology. The reality is that these tactics are usually in service of improving customer experience and engagement. That’s why it’s critical for marketers to have a strategic seat at the privacy planning table. As an advocate for both the brand and the customer, you can help more cautious peers understand the value of customer data — and the business outcomes that directly depend on open, ethical access to that data.


Endnotes

1 Base: 3,417 global data and analytics decision makers. Source: Forrester Analytics Global Business Technographics® Data And Analytics Survey, 2019.

2 Customer data is at the heart of systems of insight, which help companies transform what they know about their customers into actions to win in today’s marketplace. See the Forrester report “Digital Insights Are The New Currency Of Business.”

3 Forrester built a data security and control framework to enable organizations to secure their valuable data assets; it also details how to map policy creation to this framework. See the Forrester report “Develop Effective Security And Privacy Policies.”

4 See the Forrester report “Brief: Be Cool, Not Creepy.”

5 Source: “Protecting Consumer Privacy and Security,” Federal Trade Commission (https://www.ftc.gov/news-events/media-resources/protecting-consumer-privacy/) and Rebecca R. Ruiz, “F.C.C. Fines AT&T $25 Million for Privacy Breach,” The New York Times Bits blog, April 8, 2015 (http://bits.blogs.nytimes.com/2015/04/08/f-c-c-fines-att-25-million-for-privacy-breach/?_r=0).


6 British Airways and Marriott received the largest-ever fines under the EU’s General Data Protection Regulation in early July of 2019. British Airways is fined a proposed $230 million for an incident that took place from June to September 2018 and compromised the data of 500,000 customers. Marriott is fined a proposed $123 million for the loss of 339 million guest records, reported in November 2018. Source: Kate Fazzini, “Europe’s huge privacy fines against Marriott and British Airways are a warning for Google and Facebook,” CNBC, July 11, 2019 (https://www.cnbc.com/2019/07/10/gdpr-fines-vs-marriott-british-air-are-a-warning-for-google-facebook.html).

The UK Information Commissioner’s Office (ICO) ruled that real-time bidding (RTB) is in violation of Europe’s General Data Protection Regulation (GDPR), stating that “it captures and circulates personal data without appropriate consent and other required controls.” Source: Greg Sterling, “UK regulator says real-time bidding violates GDPR,” Marketing Land, June 25, 2019 (https://marketingland.com/uk-regulator-says-real-time-bidding-violates-gdpr-262918).

7 Source: Lesley Fair, “FTC’s $5 billion Facebook settlement: record-breaking and history-making,” Federal Trade Commission Business Blog, July 24, 2019 (https://www.ftc.gov/news-events/blogs/business-blog/2019/07/ftcs-5-billion-facebook-settlement-record-breaking-history).

Many US states have laws regulating some portion of privacy. Here are two examples: Nevada’s consumer privacy law, passed on May 29, 2019 and effective on October 1, 2019, gives consumers the right to opt out of the sale of their personal information. Fines can result up to $5,000 per violation. Source: “Following California’s Lead, Nevada Privacy Law Gives Consumers Right to Opt Out,” Cooley, June 18, 2019 (https://www.cooley.com/news/insight/2019/2019-06-18-nevada-privacy-law-gives-consumers-right-to-opt-out).

The second example is Maine’s recently signed “Act to Protect the Privacy of Online Consumer Information,” which will require internet service providers to ask customers’ permission to use, share, or sell any private data. This legislation, going into effect on July 1, 2020, will also stop internet service providers from offering discounts to entice customers to give their consent. Source: Casey Leins, “Maine Passes Nation’s Strictest Internet Privacy Protection Law,” US News, June 7, 2019 (https://www.usnews.com/news/best-states/articles/2019-06-07/maine-passes-nations-strictest-internet-privacy-protection-law).

8 Source: Interview with privacy team leaders at Dell.

9 The Right-to-Know law refers to workers’ right to information about chemicals in their workplaces. Source: “Right-to-Know Laws and Rights,” AFSCME (https://www.afscme.org/news/publications/workplace-health-and-safety/safe-jobs-now-a-guide-to-health-and-safety-in-the-workplace/chapter-5-controlling-chemical-hazards/right-to-know-laws-and-rights).

10 For more details about the role of the chief privacy officer, see the Forrester report “Job Description: Chief Privacy Officer.”

11 Firms can use the number of escalations as one metric for measuring the effectiveness of their privacy education and training efforts. See the Forrester report “Develop Data Privacy Metrics That Matter To The Business.”

12 Firms need to understand what data they collect and use across three axes: sensitivity, identifiability, and scarcity. See the Forrester report “How Dirty Is Your Data?”

13 An in-country privacy lead doesn’t need to be a standalone job. This type of privacy officer may have another primary job (compliance, legal counsel, etc.) and serve as a designated country privacy lead.
