Key takeaways:
- Integrate privacy with data analytics strategies:Organizations must carefully balance the business value of analytics with strong privacy protections as global data privacy regulations continue to expand.
- Recognize the shift toward consumer ownership of personal data:Regulations like GDPR and emerging state laws have prompted a cultural shift where organizations act as stewards of personal data rather than owners, fundamentally changing how data is managed and analyzed.
- Address overlap between privacy and data teams:Clear communication and collaboration across privacy, governance, data strategy, and related departments help clarify responsibilities and strengthen cooperation.
- Use stewards and committees to support data governance:Establishing privacy champions and forming councils or steering committees can help embed privacy principles into data strategies while improving compliance and visibility across the organization.
Data has become central to corporate decision-making, and the increasing reliance on analytics across nearly every business function has led many organizations to expand their data strategy programs with new platforms and additional staff.
However, for these initiatives to remain sustainable, data analytics strategies must be both accessible and compliant — especially as data privacy regulations continue to expand around the world.
Since 2019, 17 U.S. states alone have enacted comprehensive data privacy laws, and regulatory momentum at both the state and global levels shows no sign of slowing.
So what does analytics look like when privacy and data protection are part of the equation?
To explore this question, enterprise data strategy and privacy leaders recently came together for a panel discussion, Empowering Analytics Through a Privacy Lens, where they shared how their teams collaborate to maintain the business value of data while implementing necessary privacy safeguards.
1. How a Cultural Shift Is Returning Data Ownership to Consumers
The introduction of the European Union’s General Data Protection Regulation (GDPR) in 2016 served as a major catalyst for the cultural shift toward stronger privacy protections.
During the panel, Zeenat Syed, Director of Strategy at UPS, pointed to GDPR as a key factor driving this shift within her own organization.
“Privacy these days is so heavily tied to fines and compliance and what it does to your reputation,” Zeenat said. “We don’t have a choice but to shift our culture to adhere to the law.”
Few corporate functions have seen such rapid growth in terms of investment, regulatory attention, and public awareness.
When we surveyed surveyed Data Privacy Board members earlier this year, more than half of responding leaders said they expected their teams to grow in 2024 despite ongoing economic uncertainty.
For many years, consumer data served as the foundation for the world’s largest companies—fueling insights, forecasting trends, and enabling personalized services. As reported in Harvard Business Review, “For the past two decades, the commercial use of personal data has grown in wild-west fashion.”
However, increased regulation and rising consumer skepticism have dramatically shifted this dynamic.
In fact, the Cisco 2022 Consumer Privacy Survey revealed that 81% of responding consumers agreed that the way an organization treats personal data is “indicative of how it views and respects its customers.”
Sarah Stalnecker, Global Director of Data Privacy at New Balance Athletics, explained that this shift has fundamentally changed how organizations think about data ownership.
“You’re a steward of personal data, but you’re not an owner,” Sarah said. “I think that’s a fundamental shift in the way we have to think about data.”
Still, Sarah noted that one of the biggest challenges privacy leaders face is encouraging business partners to adopt this new perspective when working with data.
2. Why a Dedicated Privacy Office Is Essential is Crucial to Keeping Up With This Evolving Space
How an organization structures its privacy program can have long-term implications for success.
Panelists agreed that establishing a dedicated privacy office is critical for navigating this fast-moving regulatory landscape.
Zeenat shared that she recently connected with someone in UPS’ privacy office to discuss how they are tracking new artificial intelligence regulations and developing documentation so the organization can prepare for compliance requirements.
“We are not dealing with people who have a day job and are also trying to understand legal language. We’re not equipped to do that,” Zeenat said. “It is very important to have that dedicated privacy office.”
Rebecca also emphasized the importance of strong executive support for these teams. Having backing from the C-suite helps privacy leaders secure a seat at the decision-making table.
3. Managing Overlap Between Privacy and Data Analytics Teams
Organizational structure also plays a major role in how privacy and data strategy teams collaborate.
When Data Privacy Board members privately benchmarked their relationships with data strategy teams, those reporting through IT said they typically experienced stronger partnerships and easier access to stakeholders.
Meanwhile, members who reported through Legal shared that they often spend significant time explaining privacy considerations and operational impacts to data strategy teams.
Similarly, when the Enterprise Data Strategy Board held a confidential discussion about privacy partnerships, many members said that responsibility boundaries between departments were not always clear.
With multiple functions involved, such as data governance, privacy, security, and compliance, it can be difficult for employees to understand which policies apply in different situations.
There are going to be quite a few requirements out of you either as a data analytics professional or as a privacy professional to educate people and to help them understand that what we used to think of as personal data is much broader than it used to be.
Rebecca Whitaker, Principal Financial Group
During the panel, Rebecca Whitaker, Assistant Director of Privacy and Data Protection Officer at Principal Financial Group, acknowledged that even explaining what qualifies as personal data can be challenging.
“When I say personal data is something that we have to manage,” Rebecca said. “I’m sure everybody’s familiar with this sort of deer-in-the-headlights look that you get from some of your business partners.”
Because of this, Rebecca suggested that privacy and analytics leaders share responsibility for educating the broader business.
“I think it’s really important to approach it both from a cultural perspective and understanding that there are going to be quite a few requirements out of you either as a data analytics professional or as a privacy professional to educate people and to help them understand that what we used to think of as personal data is much broader than it used to be,” Rebecca said.
To encourage better collaboration, privacy teams should regularly connect with departments such as governance, analytics, IT, and marketing to build relationships across the organization.
During the panel, John Tucker, Director of Enterprise Data Governance at McDonald’s, described a major transformation underway at the company called “security arches.”
Just making sure that we’re all integrated. We’re all communicating on various laws that come into play, what we’re doing about it, and making sure that all of our various technologies talk together.
John Tucker, McDonald’s
These security arches are designed to create an integrated network linking privacy, data protection, and governance teams—helping ensure alignment, better communication, and stronger integration between technologies.
“It’s a community of practice,” John said. “It’s really just making sure that we’re all integrated. We’re all communicating on various laws that come into play, what we’re doing about it, and making sure that all of our various technologies talk together.”
4. Using Stewards and Committees to Align Privacy with Data Strategy
Privately, Enterprise Data Strategy Board members also reported tension between enabling new analytics use cases and interpreting privacy regulations conservatively.
It’s often seen as a tradeoff and can result in decision paralysis, where projects are neither approved nor ended but left in limbo. Members said it’s difficult to build a structured method to calculate the value benefit versus potential risk exposure.
Many members said they rely on steering or governance committees to help resolve these challenges. However, they stressed the importance of maintaining open communication, clearly defined expectations, and consistent enforcement.
Similarly, Zeenat said because their privacy office isn’t massive, they’ve structured councils for eight categories of data — consumer, work, asset, etc. — and given the privacy office a seat on each council. They meet monthly to benchmark ideas and discuss new topics.
I think that the primary challenge is how do you make it the responsibility not of a singular office, but the responsibility of the entire associate base?
Sarah Stalnecker, New Balance Athletics
Another effective approach is establishing a privacy steward or champion network, which helps raise awareness, flag potential risks, and support compliance across the organization.
Rebecca explained how her organization created a privacy champion network where individuals within each business unit support privacy efforts as part of an adjacent role.
“We have found that by starting and backing into it that way, it gives us a little bit more visibility in terms of what’s happening with data on the ground,” Rebecca said.
Rebecca also noted that this steward network has helped encourage business units to take greater ownership of how they use data. Ultimately, privacy principles must be adopted by anyone who collects, processes, or manages data.
“Anybody who works in privacy will tell you that it’s an incredibly difficult shift to get people to realize that they need to be a part of the solution as opposed to assuming that IT is going to fix all the problems,” Rebecca said.
Sarah agreed and said, “I think that the primary challenge is how do you make it the responsibility not of a singular office, but the responsibility of the entire associate base?”
