A Mindset for Data Privacy and Ethical Compliance
- Lauren Frazell
- Aug 18

There is a simple mindset shift that keeps you on the right side of compliance: remember that the data you are using belongs to the data subject, not to you. This is a real shift in thinking for most organizations. In the days of mailing lists and the rolodex, your list of customers and contacts was an asset you owned. You could even rent it out to others without any consideration for the people who were actually on the list.
Over time, we've collected more and more data about our customers, and we use it for more and more things. You collect an address to ship an item, but then you also add it to your direct mail list. You might also use it to purchase demographic and psychographic data on the household, or even the individual. You add the information to your CRM, your email platform, your CDP. You push it through Meta and Google, buying ads to target those people and others similar to them. You analyze purchase history and create personalized content and recommendations based on what they've bought from you in the past. You may even predict what they are likely to buy next, when, and even where. Maybe you deliver a coupon intended to bring them back to your store once your data tells you they are a few weeks (or even days) past when they would normally have purchased again. All of these things became common practice under the idea that your customer data was yours.
Your responsibility was one of security and protection - making sure no malicious actors got access to it or visibility into it.
The way to think about being compliant (without going through every single component of each law) is to understand the core concept behind this type of legislation.
You no longer own the data. Not in the eyes of these laws. You can still use it and profit from it - but under the conditions each piece of legislation spells out.
Each individual record within your various systems is owned by the person who is described by the data. That's the data subject.
Privacy is a legal term, and it refers to the right we all have to live off the grid if we want to. The home up in the mountains that serves as your retreat is a personal sanctuary, and privacy laws protect it as such.
Through this lens, it is easier to understand the new responsibilities placed on any organization or enterprise that maintains data about its customers. Stated as simply as possible: you must disclose everything that is done with the data, get permission for it, give the data subject visibility into it on request, and if they want you to forget about them, you have to delete everything.
I think the mindset shift is the most important first step because otherwise each individual component feels disjointed and gets confusing.
From a development standpoint, it is most important that you appreciate the complexity of getting this component right, because newer legislation is now being added to govern the ethical use of AI and algorithms. The task at hand is to be able to perform each of the obligations above systematically, or at least repeatably, on a record-by-record basis. It's a heavy lift, to say the least.
The risk side is also large, but it is only now being realized. Most data privacy laws, especially in the US, have just entered their enforcement period. The last 5 years have been a grace period to allow businesses to get their processes in order, because even judges understand that this is hard to get right.
The obvious solution is to lean on partners and platforms that specialize in this work, and I have recommendations for the platform side. We also recommend an add-on consult-to-legal engagement with every single client. Regulators have been loud and clear that having a third-party platform solution is not enough to escape fines and scrutiny. The expectation is that you will not only understand the actions being taken but will be responsible for any gaps in compliance, even if they result from a lapse in those tools.
Our Consult to Legal service is modeled on the work we've done in industry since the earliest days of GDPR. The communication layer between data and legal has to be strong. We work alongside your legal team, providing any details they require to ensure all documentation, processes and procedures are adequate to comply. We have found that the most important element in keeping this activity effective and efficient is strong communication between legal and the project. As in our other engagements, we provide an executive-level overview of your risk profile and work with project teams to incorporate roadmap items into development timelines.
Contact Us to talk about how we can help.