Privacy & Security Best Practices

    Recorded on: February 28, 2023

    In this webinar, we reviewed best practices to manage consent and privacy preferences – and why it’s so important in 2023.

    Bettina Lippisch, Vice President of Privacy & Data Governance at Omeda, shared tips for list maintenance, easy opt-outs and minimizing data collection and processing to drive your privacy strategy.

    Download Slides

    See full transcript

    Speaker 1 (00:02):
    All right. Looks like we’ve got a pretty good group of people here, so we’ll go ahead and get started now. Thanks everybody for joining us for today’s webinar on privacy and Security best practices. I’m joined today by Omeda’s Vice President of Privacy and Data Governance, Bettina Lippe, and we’ll be sharing tips to help you manage your consent and privacy preferences. Just a few housekeeping items before we get started. This webinar will be recorded and will be available later this week along with the slide deck, and our next webinar is scheduled for March 28th. We will be looking at Form Builder and sharing some tricks for Form Builder to help you guys maximize your experience there. So keep your eye out for an email so you can register. And I’m gonna go ahead and hand things over to Bettina now.

    Speaker 2 (00:52):
    Awesome. Well, thanks so much Katie and welcome everyone. Really excited to talk about privacy and data governance best practices something that’s very near and dear to my heart. And I’m pretty sure many of you who are in the business of data and working with customer data every day. And just to kind of get a little bit of a sense of where we are with things, we did a quick survey before we started off here with this webinar. And just to kind of gauge a little bit of how is privacy or how much is privacy in your organization represented? And what are some of the things that you’re doing already? And I was really excited to see that. Many, many of you already work with legal counsel, which is always my first disclaimer when I do these type of webinars or, or you know, sessions as I am not a lawyer, so I am not here to give legal advice.

    So please do consult your legal counsel if you have questions about how to interpret those privacy laws for you. But it sounds like the majority of you already have some sort of legal counsel involved, which is always recommended, always important. So keep that up, continue doing that. Many, many laws on the horizon. We’ll be touching on some of those here just kind of as an overview as it pertains to data governance and best practices. But really important lots of things happening in the privacy community. From a legal perspective, there’s news every day of new laws being passed being changed, being amended, so great to always have somebody on hand that can help you interpret and, and see what’s applying to your organization. Also great to see that the majority of, of those responding to the survey say that privacy and privacy culture at the organization is either very important or somewhat important, which we’ll be talking about it here in a little bit.

    Privacy is really very much a team sport and involves all levels of the organization, literally from the intern to the CEO anyone that touches data, which pretty much nowadays everyone does at an organization, plays a part in making sure that an organization has good privacy practices and also make sure that the data governance and, and the security, which we’ll be touching on as well is maintained and held in high regard. And also, it looks like we have a pretty good knowledge level on average here. The, it was almost three out of five. So there are a lot of you who have had hopefully done their research and understand the importance of privacy and some of those key concepts. Very encouraging to see. I think we have seen quite a bit of a jump over the last couple of years as privacy has become into, or has come more and more to the foreground with many things.

    The, the California law, we’re having a federal law on the horizon, so it is no longer something that is nice to consider. It is really a mandatory thing, and we’ll be talking about that as well. And also a large, a large group here that answered the survey already has a dedicated privacy program and practice in place which is also great to see because that means you’re taking it seriously and it has sponsorship from the top of the organization to support those privacy goals and best practices. What I wanted to touch on first is why privacy really matters more than ever.

    Speaker 1 (04:35):
    Real quick, we can’t see the slides and they’re not changing on the screen.

    Speaker 2 (04:40):
    . Sorry about that. There we’re,

    Speaker 1 (04:42):
    There we go.

    Speaker 2 (04:43):
    . let me then just circle back real quick just to make sure that just one second. I wanted to make sure that we have it in the recording. Our screen here for the survey results something technically there didn’t go well, but these are the stats I was talking about. So I wanna make sure that we’re having those here on the recording. Okay, then let me jump back here, hopefully to the right place. Did a change? Yes. Good. , why does privacy matter more than ever in 2023? I just wanted to touch on a couple of things that were in the news recently. Cyber, cyber incidents, cyber breaches, cyber attacks. I think there’s not a single day where we don’t see things that you know, either brought a company into the news for all the wrong reasons.

    And really it gets to the point where every data incident is also a security incident, and it’s not just the big guys anymore. It’s really less of a question of if it becomes more of a question of when. And any organization now has sensitive data. Specifically think of your HR data, think of your payroll data, anything along those lines. Even if you don’t store critical customer data there is a lot of data within every organization today that is sensitive and could potentially cause a big issue when it is breached or stolen or otherwise unauthorized or access without authorization.

    And then I wanted to touch on a couple of things that really show how important it is to have good practices here. A lot of you probably have heard about Cambridge Analytica. There are other class action lawsuits, settlements happening. These are big fines. We’re talking millions and millions of dollars that these companies are being fined because they are in violation of good privacy practices. And you clearly do not wanna be the company that is in the news on on those bad practices. It’s really becoming a more competitive advantage. A company that handles data, especially that interacts with the client or customer data. And many of you deal with data every day. So it’s, it’s, you know, any data you get from your customers, they trust you with that data. And it’s no longer that everybody gives you anything in the kitchen sink. Consumers become more and more aware of these breaches and are more conscientious about what is happening with their data. So as an organization, it really, really becomes important that you protect your brand, your revenue, by protecting your customer data.

    And looking at some of the things that are coming onto the horizon or are on the horizon already, or in, in in real life is the new privacy laws that came into effect. Just this year we got California Privacy Rights Act and the Virginia Consumer Data Protection Act here, which went into effect January 1st. We also have a couple of other laws coming into effect this year. Colorado, Connecticut Utah really squeezed themselves in because they wanted a 2023 law on December 31st. And it is really there, there are some common, like common denominators across all of these laws and regulations that drive a lot of the best practices we will be talking about here in a minute. Just a couple of things here that are, that are in each one of those laws. It’s, you know, the data, subject access requests, things like that, deletion, portability, right out of sales as well as also some, some, or most of these have now rules and regulations included to conduct risk assessment or limit the processing based on the purpose.

    So these privacy notice that we’ve seen in the past where it’s like, well, you’re accessing our services, you’re accessing our products we’ll do some stuff with your data. And it’s all very vague. We’re seeing this to start disappearing more and more in favor of really, really clearly written privacy notices and, and the requirement to disclose what we’re actually doing with the customer data. So the limitation on processing based on purpose takes away some of these blanket statements of like, you’re giving us your data and, and we can basically do with it as we see fit, including handing it off to other third party services. So looking at some of the breaches, looking at some of the violations and the fine and those laws on the horizon were already in effect. There are a couple of things that for, for us, our takeaways here.

    One is data retention practices and the, the concept of data minimization, which we’ll be touching on here a little bit more in a second. They’re really, really becoming critical prerequisites for all data companies, which today it’s pretty much every company here, no longer just gather data, get whatever you can, and then figure out later what to do with it. But really think about like, how are you going to use that data security no longer a nice to have absolutely mandatory for any organization that handles data that is either sensitive or does not originate with them or in general data. And then also you know, like I mentioned, those privacy and security principles that are the common denominators across all these regulations, and not just in the us they extend into the G D P R. And in some of the other laws we recently saw coming to effect Brazil, G D P R, of course, is, is the behemoth.

    China just passed their first security foundational law with a really expanded scope. So really important to make sure that all of those aspects are being covered by best practices. Speaking of, so let’s look at the best practices here. We’ll talk about each one of those in detail, but in general, it’s know your data, govern your data, maintain your data, and then champion privacy and security. And of course choose the right tech stack because everything you do with your data also requires a lot of data repository, a lot of technology to actually create value from the data you hold. So let’s talk about the first aspect here of knowing your data. Couple of things here to do to get to know your data, which it’s always interesting to me, even like within our own organization, it’s like asking around and say like, who has access?

    Who has, who has, or who knows where the data lives. It really becomes a project to figure out where all the data is is hosted or who has access to it. So one of the first things that I always recommend that’s really, really critical to any organization is to understand what data you have how sensitive it is, and how can it be protected. And this is anything from customer subscriber data, internal employee data, data you purchase through list brokers maybe, or, you know, anything that flows through a system that your organization or your, your, your people at work touch should be part of this. Discovery and audit and data audits are becoming more and more requirement in some instances on those rules and regulations as well. And often are also a very big requirement when you partnering with other companies or customers who will ask you to have good practices around data audits, to make sure that the data is protected and that the data is is, is captured in a way that can be, can be distributed across the organization and then analyzed to make sure that whatever happens there can be protected.

    And that also extends to the processing, not just knowing where the data lives or who has access to it. Also understanding like what is the processing activity that happens with the data. And processing is not just loading it or extracting it or exporting it. Processing also includes amending the data, changing the data. When somebody gives you their subscriber data and you run in a pen on it, you now alter that data that is part of processing. Have you gotten consent for that level of processing? Is this level of processing, for example, captured in notices and consent? So really as part of the data audit where does it live, who has access to it? And then how is it being processed will really, really help you create a roadmap. And then also to align that back with those privacy notices and making sure to work with your legal counsel to confirm that what you’re doing with the data and the way you’re processing the data has the right foundation in what you’re asking a consumer, for example, to consent to when they’re signing up.

    And that also extends to third party partners and vendors. Most companies nowadays work with, with third party technologies or tools that process data there are acquiring anything from your HR system all the way through a marketing platform, an email platform, a CDP, an analytics platform. You’re essentially sending data between those different platforms. So it’s always good to ask vendors certain question, you know, how do we track consent? How, how can I work with that third party tool to comply? If I get a data subject right request, somebody wants to delete their data, how do I make sure that this data can be deleted across all of that tax stack or all of the infrastructure? You know, same, same with opt-in and out out. Some of you might have heard dark patterns and things like that that come out of the California law where it really becomes more and more critical. Same with G D P R to ensure that the opt-outs are as easily done for a subscriber, for example, as the opt-in. And then back to data audits, making sure that you know, all the data can be tied back to a data subject if those requests come in.

    Okay. Let’s talk about the next best, best practice here of governing your data. We talked a little bit about the data audit and figuring out access control. Part of the audit should always be who has access? And there’s a principle of least privilege, which has become the gold standard that would be very important to look at in every organization as you identify the different parts of data or the different assets that you hold in terms of data, it’s like, who has access to it? And the gold standard here, and the best practice is really the principle of least privilege. It means only those that really need to access the data should have access to it. So the whole thing of like, everybody can have access to it and we’re relying on the end user, making sure that they don’t do anything bad with it or nothing gets lost, becomes a really, really big risk and a really big liability.

    So understanding how the access works and also restricting access where appropriate is definitely something that should be part of the audit and the follow up from the audit based on those insights. And then of course, data security, it’s things like employee onboarding and offboarding. People are still the biggest vector in any kind of cyber attack. So, you know, ensuring that access is being, you know, granted or cut off based on like, on and offboarding, but not just employee data. Also for consent management. When somebody gives you consent to use their data for marketing, for example, or to send them a specific type of email, make sure that whoever has access to the data and can use that data understands what purpose this data can be used for. It’s exciting to have like a nice email database of, of, you know, engaged users, but it’s not so much that somebody gets really excited about it and sends an email out that that group or that listed and consent to can cause all kinds of problems, complaints, things like that.

    So making sure that not just only the people handling the data, but also the people processing the data understand what they can use the data for. And then the concept of data minimization, which I touched on in the very beginning. It really becomes a buzzword and it’s, and very much important concept to start embracing. I know when I was on, on, on the media side, it was like the more data, the better. It was really kind of data hoarding up to a certain extent. But with today’s environment of security breaches and incidents as well as the stronger, stronger needs around privacy and security, it becomes more important for any organization to really think about, like, what do you, what do you collect in the data for and what do you need to keep in order to do business? And based on the consent given.

    So really looking at aligning privacy notices and terms with the data to collect. And then also you know, be okay with the factor letting data go when it’s no longer in use or when it’s outdated or, or no longer accurate, which we’ll talk about data hygiene here also in a second. Moving on to the best practice number three here. Maintaining your data, which is also a thing. So you collected it, you made sure that you get the data that you need in order to do what you wanna do with it. You got them the consent for it. But also now it becomes really important to understand what standards of data should apply across all of your data repositories. For example you know, you, you collect the demographic. Make sure that that demographic is the same across all the different systems that might either touch that customer record or might collect data to it.

    Because that really helps with you know, applying business rules, applying filters, you’re looking for somebody with a specific demographic. It’s much easier to find that person if that demographic, for example, is the same across all of the different repositories entry points or processing rules. Really establishing a set of brand guidelines for data labeling as highlighted here is a good exercise for anyone that is in charge of governing data at your organization. Second, is also verify data accuracy and the integrity of the data. This really should be done before it hits your data repository. In a perfect world, that before data comes in, have business rules that, that look at the data coming in through web forms through list loads, through anything where you get data that comes into your organization and, and put rules in place that clean up or reject the data if it doesn’t fully, you know, comply with those rules.

    Or if that’s not possible, clean it up after the fact having like a cadence of going through your database or running queries and look for these things like mentioned here you know, flagging names without vowels or, you know, are there any specific you know, data fields that are really not in a standardized format that should be standardized phone numbers, zip codes state, state abbreviation, things like that. Again, it will really help with data verification, good work workflows, but also it’ll help with auditing the data and identifying things that you wanna do with the data in terms of processing. And then of course I think duplication is for, for many still a big issue because data comes from the different places. Understanding and, and having processes in place that really looks for those duplicates and figure out how how could those records be reconciled to make sure that you’re not having duplication happening.

    Really important. For example, if you have data, data subject requests like, you know, forget me or, or, you know, I would like to see all the data you have on me. If that person is in five different version in your data sets, it makes it much harder to comply with those requests. And then last but not least if possible, I think many of you heard like the idea of data lakes versus data mesh where you have data in all different places and how do you bring ’em together? It’s not realistic anymore for any organization to have their data only in a single place. So it becomes more and more important to ensure that the data is reconciled under a single, let’s say, you know, ID or something along those lines, that even if it lives in other places, there are connectors between the data and you can, you can audit it across a whole different set of data assets.

    Let’s go onto number four here. We’re here just one second. Here we go. We talked a little bit about championing privacy and security. Now you audited your data, you made sure that everything is lined up, you have good business rules in place, the data is clean. Really, really great starting point. But part of that also is to understand, again, privacy as a team sport. There’s one weak link that somebody didn’t care that wrote their password on a sticky note or somebody’s credit card on a notepad and left it at their desk or things like that. You know, customer service call, somebody changed an address or provided a social security number, something over the phone, it didn’t get, get securely handled. It can be a simple little thing like that that can cause a privacy incident and, and really kind of trigger all these things we talked about in the beginning, like leading up to big fines or, or being in the news for all the wrong reasons.

    So privacy really has, has to be a cultural value within the organization. And anyone from, like I said, the intern to the CEO needs to understand that the data is a responsibility and is a risk for an organization as much as it is an asset and an opportunity to generate revenues. So a good way to do that, and that’s how we do it at Omeda, is like we’re creating champions within each part of the organization to educate a on the types of data that are flowing through the organization, but also establishing those best practices and really work with each one of the groups to make sure that they a trained well around handling data and also understand and, and internalize the idea that we have a responsibility as an organization to protect the data of our clients and customers as well as our fellow employees.

    And then of course prioritize security. Security should be a priority for every organization. We have training campaigns running a highly recommended to, to put in place a ongoing and sophisticated but also fun training program around security and privacy. We’re doing a lot of testing. We’re doing mock phishing and smushing attack, things like that to make sure that the training works. And also plan for worst case scenario, ha have a security incident and privacy incident team, do tabletop exercises, have good incidents, response plans. That includes all level of the organization, of course a big topic. We’re not gonna go into all those details, but there’s plenty of good information out there on incident response planning. I highly recommend if you’re in charge of your organization’s privacy and or security to really immerse yourself and come up with one of those plans if you haven’t already.

    And then last but not least here choosing the right tech stack. All the things we talked about in best practice practices. Only work when you have technologies and tools at hand that allow you to do that. Really important. We talked about access control and retention management making sure that the data is protected, making sure that you have tools to also follow those retention policies. Like if your retention policy is to purge all data of subscribers after 12 months of unengagement, you wanna have a tool that allows you to do that as automated and as as efficient as possible by building certain queries, looking at engagement flux, and then putting things in place to deactivate those customers or remove them all together, whatever your organizational policy is. And then also transparency around processing and, and what data is related to a specific customer or data subject.

    When those requests come in, they wanna have all the data you hold on them. It needs to be easy to have a tax stack that allows you to get information on all those different activities that a specific data subject has done, but also look into some of those areas where you hopefully identified in your data audit that there’s data on a person that has sensitive information or PII attached to them and you can reconcile it. And then last but not least, especially for things like email, for example, list management, strong opt-in and consent management features that cover both now opt-in and opt out, they have to be very similar. They can’t, one can’t be harder than the other. Finding good tools that allow you to manage that in a granular manner where also you have tools that directly are consumer facing or, or subscriber facing to manage their consent at any point in time in a very easy way.

    And since we’re almost at the end of this webinar, I wanted to give a quick summary of those five areas of best practices. We talked about understanding your data again, data audits making sure knowing where does it live, what is it, who has access to it, and how is it governed? Knowing the risk as well, which is a result of those data audits and requirements. And then fostering the accountability across the information, establish a culture of of privacy and security, as well as a good framework around processing and handling data. And then plan ahead. I think in today’s environment, again, it is no longer and if something happened, it is when something happened, putting all these best practices in place, plus a strong security and incident response will really help set up your organization to show like if something, or when something were to happen, that you’ve done all the right things and, and that you can quickly respond and react to those incidents, be a good data steward. That’s really in summary the recap of all the best practices here. And I think with that I wanted to check and see if we have any questions from the audience. And thank you everyone.

    Speaker 1 (29:02):
    Thank you, Bettina. That was amazing. There’s a lot of information there. So guys, go ahead and drop any questions you have in the question panel. It looks like we’ve got a few here, so let me look at that first one. So question, does C C P A, CR C P R A and the various other state laws require an explicit opt-in to shared data with third parties like G D P R, or can the consent to share data with third parties be implied as long as we disclose who those third parties are and offer the ability to opt out?

    Speaker 2 (29:41):
    Very great question. Very, very complex question as well. And as I mentioned I think the, the short answer is the best practice is always to disclose as much as possible where possible, because sometimes business practices are evolving. This is definitely one that I would run by legal counsel just to be safe because every organization has different requirements and, and some of these laws and, and regulations really fall under or, or put a company under certain requirements based on their size, their scope, the type of data to collect. So I think in general the answer is you know, disclose as much as you can to create transparency because that also single signals to a subscriber or data subject that you are a trustworthy company. But for the specifics of how deep you have to disclose, I would definitely consult with legal counsel.

    Speaker 1 (30:36):
    Great. And then what resources does Omeda offer to help make opt-in opt-outs an easy process?

    Speaker 2 (30:44):
    Great question. Definitely I think one of the things when I was on the client side that that i, I always loved and that also because is a really, really good feature for many of our clients is the opt-in and out out management tools that we have through our email builder for list management. Having done a lot of conversions from other from other email platforms, I feel like we have a very large and very granular way of managing consent that allow a subscriber to really go in and truly select like a variety of different things they wanna see and wanna receive, but also easily opt out in the same place. So I think definitely you know, taking advantage of those features within the email platform, but also again, to the single customer view consent triggers across all the different parts of the platforms like CDP, for example.

    And, and the behavioral things. So it allows, it allows one of our clients to really kind of look at the different opt-ins that, you know, they offer to their subscribers and let them do it in one place and then it propagates across all of the different tools within the OMI platform. So I think using, using as our audience builder to understand who is opted in and out, and then exclude people that have specifically expressed that they do not wanna be participate in a specific processing or specific email for example, will really help kind of ensure that there’s you know, hard lines between the opt-in and the opt-out and nobody accidentally get wrapped into one of those campaigns that don’t wanna be in or don’t wanna participate.

    Speaker 1 (32:28):
    Great. And then what do you recommend for a time period to remove data? I know you had talked about a little bit about data minimization and not keeping data for longer than you need. So is there a best practice for time period when it comes to that, or does it differ?

    Speaker 2 (32:44):
    I think it’s really . I, I think this is really unfortunately one of those, it depends based on the kind of laws and regulations you fall under. There’s certain industries, certain data types that have much stricter retention laws, like we’re going into financial data and, and some other things where there are set time periods for retention by the law or the laws that applies to that. In many instances it really depends on the organization or what they feel makes sense for them. We have clients that say, 12 months you haven’t engaged, you know, we’ll purge the record and we have clients that say, you know, we’re hoping that you eventually come back or we have something that we might rope you into. We’ll make it two years, three years. So again, this is I think something that depends on the business case and, and also the product and, and the type of engagement you’re looking. And when a doubt, again, I think it’s a good one to run by legal counsel as well just to make sure if there are any rules or regulations that apply to that specific scenario that you should be aware of.

    Speaker 1 (33:55):
    Excellent. I think that about does it for our time. I know we went a little bit over, so thank you everybody for sticking with us. Like I said, the slide deck and the recording will be available later this week. And just a quick plug too we’ve got OX6 coming up where I’m sure Bettina will be sharing even more about privacy. Yep. . And you’ll learn a lot more there. So please join us and thank you.

    Speaker 2 (34:19):
    Thanks everyone.

    Speaker 1 (34:20):
    All right. Bye everybody.

    Speaker 2 (34:22):