Customers want brands to take their privacy seriously. Most marketers know this. But getting privacy right requires buy-in from colleagues outside the marketing department.
We asked experts what it takes to build a privacy-centric organization; their answers were both thought-provoking and varied.
Of course, we heard that a strong privacy-centric culture starts at the top. But we also learned some practical strategies to improve corporate governance, break down silos, build trust, and improve the customer experience.
Change takes work, but it’s work that pays off. Our experts were clear that businesses see improved performance from their marketing efforts by putting privacy first. Here’s how to get started.
Make it human with storytelling
“We need privacy storytellers within organizations. We need people who can make this subject a little bit more human. It’s not just about data or a privacy notice on a website. It’s about the way we deal with people and their dignity. Some leaders will warn teams about the threat of fines if they get anything wrong. But the best leaders are storytellers, articulating what the organization can gain by embracing a privacy-first approach.
“To get my team aligned, I’ll sometimes talk to them about recent privacy stories in the news. We talk through the issues, dilemmas, and potential solutions, and this case study brainstorming gets everyone on the same page. In my team, I have people from all different backgrounds: security, legal, data management, and more. Effective storytelling is crucial to get everyone working together and speaking the same language.”
Dispatch ‘privacy ambassadors’
“Building a privacy-first organization begins by placing accountability on the wider team. Each team, in each country, needs to ensure they are accountable. This isn’t just the job of one person at the top. This approach has helped Nestlé implement privacy standards across a global organization of more than 270,000 employees.
“My direct privacy team is accountable for global policy, standards, and governance, and then at a market level, a network of privacy ambassadors is accountable for local implementation. Our ambassadors are often from IT security, who understand the needs associated with data protection. Ambassadors come from legal too. These ambassadors have a dotted line to me, ensuring they aren’t siloed from their local teams. We provide the support and tools they need to be successful, and we keep everyone connected through regular discussions.
“When it comes to privacy at Nestlé, we have three separate lines of defense. The first line is every employee and executive who processes data. The second line is our privacy community, which I just mentioned. Our third line is internal auditors. Having auditors sends a message that we take this seriously. Auditors working at both a global and market level — whether in Bangladesh or Italy — use the same, consistent framework to check and quickly identify any red flags so we can activate as necessary.”
Create the right culture
“Nobody expects everyone in the C-suite to understand the minutiae of privacy legislation. But you still need senior leadership to champion privacy. If the CEO does not care, why should anyone else? It’s about creating a culture where people feel comfortable raising concerns. Think about whistleblowers in the news — these individuals didn’t feel their concerns were heard.
“You create the right culture by introducing smart processes. At Omnicom Media Group U.K., we have a clear process to deal with any data mishaps. For example, if a client mistakenly sends us data, there are reporting mechanisms in place for team members. Plus, if a team is starting a new project, we’ve introduced a planning process to help them think about overlapping considerations related to privacy and marketing metrics. We get people to think about privacy, risk, and data at the start.
“We also hold ourselves to account through a data ethics board that includes lawyers, privacy specialists, and clients too. This range of perspectives helps us more confidently make decisions on privacy issues and be deeply respectful in our approach.”
Bring in a proactive marketing team
“I’ve run the numbers and seen that privacy-centric companies perform better than the rest. In fact, our privacy-first partners have 20% to 30% lower cost per acquisition. They are respecting users, and it leads to a virtuous cycle. You don’t need to sacrifice performance for privacy.
“If you want to build a privacy-centric organization, my number one piece of advice is to be proactive, not reactive, in getting the right team in place. You should start by finding a legal representative with the right mindset. You need someone who can set a positive tone, be business-oriented, and be able to work with a range of stakeholders.
“Next, bring in a proactive marketing team. Companies where marketing just follows what legal says are not privacy-first, they are legal-first, and there is a big difference. When legal and marketing work together collaboratively, your organization will be set up for growth.
“On top of that, you need a technical team that can clearly outline what is possible and what is not. You need this trio of legal, marketing, and technical teams to respect user privacy — and then get going.”