Data privacy lessons marketers must take heed of in 2023

Getting marketers better prepared

Through all of this, it’s apparent marketing leaders and their teams have direct and indirect responsibility for improving data protection and management credentials across their organisations. Yet Saagar remains concerned they’re not taking enough accountability.

“There’s this pervasive thought this is not applicable to me/my company, as it is just a list of 1000-odd emails and we are not that big to make the news, even if this leaks,” he says. “Not knowing even one email of one customer is in the wrong hands with the right knowledge is a dangerous place to be.”

Every organisation and leader needs to take security more seriously and adopt role-based security training for all staff, urges Dinda.

“Considering people are responsible for so many security incidents, with attack vectors like phishing high on that list, it’s important everyone is aware of the part they can play in reducing risk. Yet very few companies are emphasising the need for higher levels of security awareness, especially for those who sit outside the security function,” she comments.  

Specifically for marketing teams, Dinda stresses the importance of vetting the martech stack to ensure it aligns with what should be high standards of security.

“The best vendors will be transparent about their security practices, especially in the wake of supply chain incidents dominating headlines regularly. Don't assume best practices, ensure they are proven,” she advises. “Another element that isn't exactly ground-breaking, but still tried and true, is to ensure robust lead scoring and segmentation are in place. Database quality depends on it, and you don't want to hang onto records that are not mutually beneficial.”

The Lumery solution consulting lead, Phil Wild, says the consultancy is talking to leaders who are now asking teams why a data point is being collected and stored.

“Although there used to be a period where it was all about collecting as much data as possible, now it’s quite the opposite,” he claims. “Although it’s not sexy, a data audit is a great tactic to better understand what you have and how to protect it, particularly when it comes to identifiable first-party data. Dive in and ask questions of your data: Who has what data? Who has access? Where is it stored and documented? Regularly auditing your data will greatly reduce privacy risks and help you see where the existing risks are.”

Preparing and testing a data breach response plan is an even better way of minimising risk, says Ryan. Porter Novelli in January launched its own data breach simulation model for agencies to help them better prepare. The company built the response models in partnership with forensic firms, legal partners and insurers over five years.

“Testing an organisation’s existing Crisis Response Plan against a realistic scenario with an annual simulation will help identify gaps in the plan before they’re in a live breach situation,” Ryan says. “If you’re not conducting an annual simulation with board-level involvement, you will likely be caught short when the dreaded email comes in.”

At a broader level, Ryan’s biggest concern is a large proportion of Australian businesses still think of data privacy as an IT or a security issue, when it is in fact it’s a board-level governance issue.

“Many are not preparing for what happens once a data breach is detected, which often results in massive communications requirements,” he says. “Moreover, threat actors are improving their targeting over time. Many organisations – particularly local, small and medium-sized business - are finding it difficult to keep up and adequately prepare for a data breach. If you haven’t considered whether you are a prime target for a ransomware attack, and whether you need insurance coverage – now’s the time. The cost of response to a large breach, particularly in legal fees and forensic IT costs, can run into the millions.”

As Harb advises, the foundation to improving data protection and management is being able to break down siloes to get a single, integrated view of all information within an organisation.

“By improving how to keep track of where data is located and stored, what types of data are being managed and when personal data need to be disposed of to satisfy data minimisation principles, organisations can reduce risk and meet growing data sovereignty requirements in complex regulatory environments,” he says.  

But there’s also specific things marketing teams can do too. “Marketers can design a brilliant marketing campaign to attract new business, but if their organisation’s commitment to the protection of personal data is lacking, there’s a good chance customers won’t stay loyal for long,” warns Harb.

“As the legislation evolves, marketers need to be particularly careful about monitoring for opt outs or consent so marketing campaigns to specific individuals are discontinued when a customer exercises their rights.”

A key area Devicie sees deficiencies in is accurate recording keeping of how, when and why a user opted in, and importantly if they have opted out and the actions taken.  

“There are many cookie management solutions, marketing list management and engagement, and CRM tools,” says Geoghegan. “Devicie is experiencing first-hand during our own activities how difficult it can be to provide a unified and consistent view of its interactions with customers, prospects, and other interested parties. Understanding where the gaps may be is critical in maintaining a fair and compliant approach in protecting individuals’ privacy. Regularly assessing and auditing activities against a superset of global standards will be an important way to achieve this.”  

The reputation and trust aspects of doing this can’t be underestimated. Beck believes consumers are yet to be convinced marketers are treating their data with due respect.  

“The general perception is marketers think the personal and private customer data belongs to them,” he says. “This is opposed to the view they are mere custodians, and the data still belongs to the customers.

“If organisations begin to adopt some of the emerging technologies that allows personal and private data to be stored securely, but still usable, they will start to win the trust of customers. Furthermore, if they display behaviour that shows they are only storing data on an as needs basis, they are treating the data with respect and showing acknowledgment they are being given permission by the end customers to use this data in an ethical and appropriate way.”

Schwalger echoes these sentiments. “Building a robust and secure model by which a brand agrees to engage with people that respects their privacy and keeps their personal information secure needs to be at the heart of an organisation’s promise and values and not just a statement at the bottom of the website,” he concludes.