Key takeaways:
- Integration of Privacy and Data Analytics: The intersection of privacy and data analytics is crucial as organizations seek to balance the business value of data with necessary privacy controls amid increasing data privacy regulations globally.
- Cultural Shift Towards Consumer Data Ownership: GDPR and emerging state regulations have sparked a cultural change shifting the ownership of personal data to the consumers. Organizations now see themselves as stewards rather than owners of this data, fundamentally changing how they handle and analyze it.
- Managing Overlap and Tension Between Departments: Clear communication between privacy, data strategy, governance, and other departments is necessary to handle overlapping responsibilities and build stronger understanding and collaboration.
- Using Stewards and Committees for Effective Data Governance: Implementing privacy stewards or champions and forming councils or steering committees helps integrate privacy policies into data strategies and enhances visibility and compliance across the organization.
Today, data is integral to corporate decision-making, and the growing demand for analytics in almost every aspect of business has led to data strategy programs regularly bringing on new platforms and headcount.
Yet, to be sustainable, a data analytics strategy has to be both accessible and compliant, particularly amid burgeoning data privacy regulations worldwide.
Since 2019, 17 states in the U.S. alone have passed comprehensive data privacy laws, and regulatory activity at the state and global levels hasn’t shown signs of slowing down.
What does analytics look like at the intersection of privacy and data protection?
Recently, enterprise data strategy and privacy leaders joined a panel, Empowering Analytics Through a Privacy Lens, to discuss how they’re working together to preserve the business value of data while implementing the necessary privacy controls.
1. How a Cultural Shift Has Restored Data Ownership to Consumers
In 2016, the European Union’s creation of the General Data Protection Regulation (GDPR) was a catalyst for the privacy cultural shift we’re witnessing today.
During the panel, Zeenat Syed, Director of Strategy at UPS, pointed to GDPR as the spark behind a privacy-focused shift within her own organization.
“Privacy these days is so heavily tied to fines and compliance and what it does to your reputation,” Zeenat said. “We don’t have a choice but to shift our culture to adhere to the law.”
Arguably, few corporate spaces have undergone such rapid growth in terms of investment, public awareness, and legislative action.
In fact, when we surveyed Data Privacy Board members at the start of the year, more than half of responding leaders expected their staff to grow in 2024 despite turbulent economic conditions.
For years, consumer data has served as the foundation behind the world’s largest companies, driving insights, market predictions, and personalized services. As reported in Harvard Business Review, “For the past two decades, the commercial use of personal data has grown in wild-west fashion.”
Yet, regulatory action coupled with increasing consumer distrust has drastically changed the narrative.
In fact, the Cisco 2022 Consumer Privacy Survey revealed that 81% of responding consumers agreed that the way an organization treats personal data is “indicative of how it views and respects its customers.”
Sarah Stalnecker, Global Director of Data Privacy at New Balance Athletics, said this shift has sparked a change in the view of ownership of personal data, transferring the power to the consumer.
“You’re a steward of personal data, but you’re not an owner,” Sarah said. “I think that’s a fundamental shift in the way we have to think about data.”
Still, Sarah said the greatest challenge privacy leaders face today is how to make business partners care about this change in viewpoint and how they think about data processing and analysis.
2. A Dedicated Privacy Office Is Crucial to Keeping Up With This Evolving Space
How you set the stage in terms of your organizational structure can have long-term implications for your program’s success.
Panelists agreed that having a dedicated privacy office is essential to keeping up with this rapidly evolving space.
Zeenat shared that she recently spoke with an individual within UPS’ privacy office to discuss how they’re monitoring incoming artificial intelligence regulations and developing documentation so that the organization can begin disseminating what needs to be done.
“We are not dealing with people who have a day job and are also trying to understand legal language. We’re not equipped to do that,” Zeenat said. “It is very important to have that dedicated privacy office.”
Furthermore, Rebecca Whitaker of Principal Financial Group highlighted how impactful it is to have a supportive executive team behind that dedicated privacy office. C-suite support is essential to gaining a seat at the metaphorical table where decisions are made.
3. Managing Areas of Overlap and Tension to Foster a Better Understanding Between Privacy and Analytics
Your organization’s structure is also a large factor in the working relationship between privacy and data strategy.
When the Data Privacy Board came together to privately benchmark their partnerships with their data strategy counterparts, members who reported vertically into IT mentioned a much stronger relationship and easier access to key stakeholders.
On the other hand, those in Legal felt they spent a lot of time explaining privacy impacts on enterprise operations to data strategy – even more so than they had expected.
Additionally, when the Enterprise Data Strategy Board met to confidentially discuss the relationship with privacy, many members in attendance felt the division of labor between various departments was unclear, both to them and the general enterprise.
Between data governance, privacy, security, and compliance, there are a lot of policies, and members reported feeling that it’s unlikely the average employee is clear on which components they need to comply with.
During the panel, Rebecca Whitaker, Assistant Director of Privacy and Data Protection Officer at Principal Financial Group, acknowledged what she called a legitimate issue in just helping people understand what personal data is.
“When I say personal data is something that we have to manage,” Rebecca said, “I’m sure everybody’s familiar with this sort of deer-in-the-headlights look that you get from some of your business partners.”
As a result, Rebecca suggested that both privacy and data strategy professionals have a duty to educate the business.
“I think it’s really important to approach it both from a cultural perspective and understanding that there are going to be quite a few requirements out of you either as a data analytics professional or as a privacy professional to educate people and to help them understand that what we used to think of as personal data is much broader than it used to be,” Rebecca said.
To foster better understanding and collaboration, it’s a good practice for privacy teams to regularly connect with different departments — governance, analytics, IT, marketing, etc. — to build relationships at a grassroots level.
During the panel, John Tucker, Director of Enterprise Data Governance at McDonald’s, shared that the company is in the process of a massive transformational journey around what it calls “security arches.”
The security arches aim to establish an integrated network of privacy and data protection teams with data governance to ensure harmony, stronger communication, and synergy between their technologies.
“It’s a community of practice,” John said. “It’s really just making sure that we’re all integrated. We’re all communicating on various laws that come into play, what we’re doing about it, and making sure that all of our various technologies talk together.”
4. Using Stewards and Steering Committees to Integrate Privacy Policies into Your Data Strategy
Privately, Enterprise Data Strategy Board members reported a tension between the risk and reward of enabling more use cases versus interpreting privacy regulation conservatively.
It’s often seen as a tradeoff and can result in decision paralysis, where projects are neither approved nor ended but left in limbo. Members said it’s difficult to build a structured method to calculate the value benefit versus potential risk exposure.
Most members said they rely on some form of a steering or governance committee, but they stressed the importance of building an open-door policy, being transparent with expectations, and consistently applying them.
Similarly, Zeenat said because their privacy office isn’t massive, they’ve structured councils for eight categories of data — consumer, work, asset, etc. — and given the privacy office a seat on each council. They meet monthly to benchmark ideas and discuss new topics.
A privacy steward or champion network can also serve as your boots on the ground in driving awareness, flagging potential issues, and mitigating risk.
Rebecca shared how they’ve employed a privacy champion network, where individuals in each federated business unit work in privacy as an adjacent role.
“We have found that by starting and backing into it that way, it gives us a little bit more visibility in terms of what’s happening with data on the ground,” Rebecca said.
Rebecca also shared how this steward network has aided in the effort to encourage each business unit to take ownership of how they use data. Ultimately, it’s the responsibility of anyone who deals with or processes data to adopt privacy principles.
“Anybody who works in privacy will tell you that it’s an incredibly difficult shift to get people to realize that they need to be a part of the solution as opposed to assuming that IT is going to fix all the problems,” Rebecca said.
Sarah echoed this idea and said, “I think that the primary challenge is how do you make it the responsibility not of a singular office, but the responsibility of the entire associate base?”