Making Privacy Public
Free FTC privacy workshop next Tuesday
As a longtime risk-management blogger, I cracked open the 2013 Essential Guide to Data-Driven Marketing supplement to my January DMN issue ready to pounce.
I wanted to see how soon data privacy and security issues—a major enterprise risk concern—were addressed. My attitude shifted from smug to sanctimonious when, on first glance, I didn't see privacy featured as one of the “4 Data Issues Marketers Should Not Ignore” in the opening article. And, then, well: Not so fast, Bloggy.
The supplement's second article, “Navigating the Murky Boundaries of Privacy,” is devoted to the topic. Author Cindy Waxer cites an Edelman study I've been discussing with my chief risk officer (CRO), chief compliance officer (CCO), and chief audit executive (CAE) contacts.
In my haste to delve into privacy risks, I committed the same error that has hampered numerous corporate risk management programs: I defined (privacy) risk too narrowly. Chief marketing officers and their functions should side-step this common and costly pitfall as their own Sarbanes-Oxley compliance moment looms.
We're one or two major data security/privacy lapses away from a Dodd-Frank-esque regulatory response. Some U.S. regulators already have shown their cards when it comes to data privacy protection. While acknowledging that some advertisers support privacy safeguards, Federal Trade Commission Chairman Jon Leibowitz said in The New York Times late last year that “there is clearly a rogue element of advertising networks that wants to subvert the process.”
But rules tend to limit our focus when managing threats and opportunities. Rules and a rules-heavy mind-set foster other problems, including the following:
1. Rules neglect the “mushy middle” of the organization. During the SOX compliance scramble that cost (and continues to cost) publicly listed companies billions of dollars, a top ethics officer lamented that the best regulatory rules and compliance efforts fall short because they inevitably neglect the mushy middle of the organization. Yes, we need the right tone at the top—a CFO who hammers the importance of financial reporting controls or a CMO who exhorts the need for customer information to be collected and used in an ethical manner—but the middle of the company (and the marketing function) is where the rubber meets the road. The people in the daily trenches of business processes determine whether rules are followed, bent, or blatantly ignored. That behavior is governed more by culture and less by the rules themselves.
2. Rules do not address “should” and “should not.” Instead, argues LRN CEO Dov Seidman, an exclusive focus on policy and rules tells employees only what they can and cannot do. This is insufficient because no policy or regulation can cover all of the possible decisions, activities and behaviors related to financial reporting, managing data privacy, or any other business process. Seidman acknowledges that rules have their place, but he emphasizes that organizational cultures should focus heavily on what we should and should not do, for the good of all stakeholders.
3. Rules hamper constructive dialogue. Have you ever heard an engaging, thought-provoking chat about Sarbanes-Oxley Section 404 and its flood of internal control requirements? I sure didn't. The majority of these discussions devolved into “Compliance costs too much and hampers U.S. competitiveness” versus “We need this to prevent another Enron, WorldCom, etc.” debates. These unhelpful chats were soon followed by dangerous risk management practices that sparked a global financial crisis, and helped produce Dodd-Frank and even more debates about compliance costs and benefits.
Marketing functions can avoid getting sucked into this unproductive loop by, as Seidman suggests, “going beyond compliance.” Rather than waiting for new regulations, set internal data privacy and security standards and principles right now. Rather than focusing too heavily on what marketers can and cannot do, hold frequent and open discussions about what they should and should not do. Yes, CMOs should establish the right tone at the top regarding data-driven marketing, but they should also plunge into the mushy middle to understand how decisions are made in the thick of battle.
In fact, that is very much what Martha Spizziri suggests in the first article I mentioned above; one of the top four data issues marketers should address is the careful use of lists.
CMOs and marketers (and bloggers) should be just as careful in how they address their culture, decision-making, and behaviors as data-driven marketing activities, and related rules-making, intensify.