We’ve seen an awful lot written in recent months about this May’s General Data Protection Regulation (GDPR) – the legislation that replaces the existing data protection directive, rewrites the rules for collecting and managing consumer data, and gives data privacy one of its biggest shake-ups in two decades. There has been plenty of worry as businesses prepare for the law, bolstering their compliance efforts ahead of the deadline.
But we’ve yet to really address one of GDPR’s most important and wide-reaching mandates: the necessity for a new executive role, the Data Protection Officer (DPO), responsible for ensuring compliance is enforced and shouldering corporate accountability.
A DPO must be appointed if an organisation is a public authority, or if it carries out large-scale systematic monitoring or large-scale processing of sensitive personal data. Within these organisations, how can Chief Marketing Officers and DPOs work together to create a brand strategy that ensures compliance with the GDPR?
What is expected of DPOs?
The GDPR has a very precise definition of personal data: any information that can be used, alone or together with other data, to identify an individual. The DPO’s job is to see to it that the business handles such data in line with the regulation, particularly in organisations that regularly process and monitor data on a larger scale, such as public authorities or big multinationals. In addition, DPOs are expected to be experts in IT management, data security (including managing cyberattacks), and other important business continuity issues, in a similar way to Chief Privacy Officers and Chief Information Officers.
However, the role is different in one key way: DPOs only answer to outside regulators. They are not beholden to corporate boards of directors or accountable to other business leaders, but are in essence free agents who operate and regulate independently, protected from corporate sanction. All this makes the need for alignment at the C-level even more important.
It is imperative for Chief Marketing Officers especially – who oversee the brand, drive demand, and have overall ownership of the larger customer experience – to work closely with their company’s DPO so that any corporate initiatives line up with compliance demands. Not only is this type of cooperation good business sense, given the exorbitant fines that could be brought down on companies who are found non-compliant with the GDPR (amounts into the millions), it’s also common sense. In today’s landscape, an investment in compliance often equals an investment in the brand, showing buyers that your organisation is one worth taking seriously and doing business with.
But what does a CMO-DPO partnership entail?
The partnership between CMO and DPO will not look identical in every company, but it will at a minimum require improved cooperation and communication across the broader C-suite. This means that the support and buy-in of all executives is fundamental, no matter the hierarchy or reporting structure in place. Shared practices for the usage and management of technology will have to be agreed upon, notably in regards to more contentious technologies such as cookies – where they may have to just agree to disagree. Transparency must also be made into a habit, and executives will need to meet with the DPO regularly in order to cross-reference their activities – for example, a big digital campaign – against the DPO’s compliance checklist.
CMOs need to re-evaluate their understanding of policy and processes and make sure it aligns with the priorities of the Data Protection Officer. They should then agree between them on how to drive and support innovation and revenue, ensuring the DPO is included in the product development process (privacy by design) from the very beginning. This ensures that he or she stays in the loop throughout and can intervene or interject when needed – a check and balance.
Most importantly, CMOs should recognise and take advantage of the strategic brand advantages that a CMO-DPO partnership offers. DPOs will be thought leaders in their fields, with domain expertise and a wealth of knowledge, all of which CMOs can harness. Close collaboration between the CMO and DPO may serve as a big brand differentiator, solidifying a company’s commitment to compliance and privacy and assuring customers of its good intent – not merely proof of credibility but something of a credential in its own right. It is almost like a GDPR certification in itself, something that all organisations will require further down the road.
One thing is clear: the GDPR is resetting the stage for C-level communication. The regulation has opened up the compliance conversation and created a dialogue of cooperation rather than one of independence, which can only be a good thing.