— AtlantaIMA (@AtlantaIMA) September 10, 2015
Panelists (above, right to left):
James Koons – Chief Privacy Officer, dotmailer
Joseph Sikes – Lead Customer Safety Engineer, Cox Communications
Sarika Davis – Director of Risk Assurance, PwC
Jodi Daniels – Independent Consultant
Lael Bellamy – Chief Privacy Officer, The Weather Channel
As you can see above, the panel consisted of five experts plus one moderator who also happens to be an expert. Combined, this group has amassed all of the various CIPM, CIPT, CIPP/US, CIPP/G information privacy management certifications, and then some. A really knowledgeable group, no doubt subject matter experts passionate about their field. Now let’s get in to what data security and privacy is all about.
Chris posed the question to get us started. (PII being Personally Identifiable Information.) Lael jumped in immediately stating that by definition an email address itself is the simplest form of PII. An email address can then be used to search the net and compile more data-breadcrumbs to hack or steal your identity, for example. She recommended getting in touch with the IAPP (International Association of Privacy Professionals) if you have any questions, need any support, or are interested in learning more.
James was the first to jump in, explaining dotmailer as a multi-national organization based in London. Data localization, not just on a physical level, is an important aspect of their work. It’s important to set up a “privacy by design” model, and it’s truly at the center of everything they do. As you’ll soon realize, privacy by design is a trend across the map that should be practiced and implemented by all. James also discussed the importance of accessibility. Who has access to your most secure docs? It’s crucial to document your paper trails and only give access to those in need of access.
Sarika took this opportunity to explain to us the difference in privacy versus security:
Takeaway: as marketers, it’s important to understand what data you have, where it is, and whose it is.
Jodi stressed the importance of using secure File Transfer Protocols (FTP) in transferring between employees. DO NOT just use public sharing methods. Not everyone should use (or see) the data even if it’s a big data dump bucket.
Lael added that this is a great time and place to practice being proactive. Tell your customers/clients what you’ll be doing with their email addresses. Also – you should ONLY do what you’ve said you’ll do with their emails. If it’s a quarterly newsletter subscription, do not add to that under any circumstances. Talk to your communications folks, and run it by legal if you have any issues or questions.
“Yahoo has become an industry leader” here, by figuring out where the value is in the data, and how it can relate to you, the end user. Customize and personalize users into small buckets, so it’s mutually beneficial. i.e. we’re happy to give our data away if it means our lives will be easier. Think Waze = better traffic updates = more time with friends and family.
James hopped back in: “Be a good steward of the data you collect.” We now live in an Ashley Madison-era, where one person can open the floodgates to your entire operation. So, in part, it’s an HR play, too. You must oversee and manage your internal employees first and foremost.
“Your users and subscribers are trusting you!” said Joseph. Being as simple as an email address these days, various forms of PII can be used to find out tons of personal information about you. The laws are shaped by what consumers expect and want, and more breaches are sure to come. Give your users a reason to trust you, and stay true to that.
Sarika chuckled over the amount of laws in place, referencing the FCC Section 5, and advised us to let the lawyers handle this. Lael added that these started as advertising plays, to keep everyone safe on the ad-related side of data, but now it’s important to talk to your engineers and set up a privacy by design model. Also, let consumers exercise choice! There’s a certain creepiness factor involved in how we collect data, use it, and overall transparency. If consumers opt-in (which was discussed several times as a confusing term), even going as far as sharing their calendars, how far can and should we go? Lael discussed the Weather Channel’s rain update, triggering a notification to any day-to-day user who was on their way to a tennis match, instead offering them a free movie coupon because their tennis will be rained out. Is this harmful? What constitutes harm? It’s very subjective and, as Lael mentioned, Spotify is now under fire for recent updates.
Lael: It’s important to ask non-marketers what’s creepy. “Hey Mom! Is the phrase Your Weather Personalized too much?” As marketers, we should take a step back every once in a while to reconsider our terminology and thought process. Very valuable lesson that should be applied to all aspects of marketing!
Jodi went back to Lael’s earlier comment on data-usage policies. If you update your policy to collect, let’s say, the Moon, you don’t have to do so. Be smart about what you take because now you’re responsible for it, and end users will be mad at you. Protect your brand perception. Users will remember where they first dropped their email, but then have no idea how they’ve been hooked into a handful of new email subscriptions and junk mail. Think about the business need! Update and inform your users on what you’re doing whether it be just emails, or adding cookie-integration, and so forth.
Panelists were very interested in seeing the audience response, which was mostly hesitant. The panelists talked about the fact that they would personally never give it up themselves, but others do for a simple sticker for example. James explained this concept, quid pro quo. How good does the offer have to be for you? I know I’ll be second guessing myself from here on out!
James: Notify users what you’re collecting, doing with it, and who else has it. (James built a Trust Center at dotmailer to build client success and trust. That’s what SASS platforms and companies should strive for, and offer to less-informed customers. What can third parties, like Google, do with your information? Be more invested in the relationship than transactions! This statement led to James’ second title being, Chief Revenue Killer. Take care of your people; especially those who will give their email address and personal lives away for a small vinyl sticker.
Joseph: Encryption, encryption, encryption. Opt-in, and, “are you sure you want to opt-in” messages. Be transparent, don’t give hundreds of pages of small-print in your policies and contracts. It’s overwhelming, and ultimately written by lawyers for lawyers.
Sarika: Four things. 1) Transparency – get it right. 2) Governance [of data]. 3) Data Quality – have I.T. involved if needed. 4) Culture – set an internal and external privacy by design culture.
Jodi: Privacy equals trust with end users. Be forward thinking, use data so it’s mutually beneficial. Have a positive relationship that will enhance your brand. Lastly, this is NOT just for B2C. Think in terms of both B2B and B2C, and treat them the same.
Lael: Data is the new bacon. Data is the new oil. Data is now a commodity and should be treated as such. Are you trustworthy? What are you using people’s data for? What’s the consumer benefit? Love this quote referenced by Lael: Pigs get fat, hogs get slaughtered. Lael also noted how AOL has a nice and digestible policy contract which is something to strives for. She added – the BBB is starting to come after people (began Sept. 1) on DAA Compliance. Watch those cross-device activities, people! Consider yourself warned. 🙂
We then ended with a few questions from the audience, and handshaking with the panelists. Great to catch up with fellow AIMA’ers, and meet some new members as well. Now, think twice about the reasons you’re collecting users data, and what you do with it day-to-day. Act responsibly.
Let’s build something exceptional together.