Businessman holding virtual world with connection and human icon showing privacy by design

Embracing Privacy by Design as a Corporate Responsibility

What is the biggest stumbling block on the way to a privacy-centric future?

Uncertainty.

While policy makers might make headlines, they are generally lagging behind in terms of the advancement being made in the technology space, and the result is that regulatory measures often only take effect years after technological advancements.

On the consumer level, uncertainty also exists. Consumers are becoming increasingly aware of their data, and desire for more privacy online.

Tech companies, however, seem the most certain of all. They are increasingly looking to standardize privacy technology, especially in the online and mobile marketing ecosystem where these same companies are forced to balance technological advances with (self)-regulation. They have jumped into the vacuum head-first.

Advertising companies and their technology partners are increasingly recognising the value of a paradigm shift from data protection as a burdensome obligation to a framework of “privacy by design.” For companies that are taking this route, they see three big results: less costs to adapt to new legislation, growth in consumer confidence and trust, and it runs less risks for a business in case of inevitable mishaps. And the first step to taking this route all stands with the prominence of data.

Who owns data protection

While data is universal, data protection within companies still needs an owner, and the question remains whether that owner should be in the product, security or legal team. If you look at what a successful data protection team should look like, on the one hand there are many tasks that need to be solved by the product department and on the other hand there are those that have to do with security. There are data protection counsels, the DPO and the CPO, data protection compliance managers, data protection engineers, and product managers, to name a few. Because data protection is not just a legal area, it is also a technical area and should be viewed as such. So the entire company should care about data protection, from the CEO to the CMO and to the last QA engineer. Product and legal departments bring different aspects and perspectives to the table, but ultimately the responsibility lies with each individual employee.

Data protection as a cost factor

In the last 10 to 15 years, there has been an enormous development on the Internet that has brought data protection into focus for both consumers and companies. Internet users are becoming increasingly aware that their online activities are globally visible. Marketers work in an ecosystem where we have to balance, almost constantly, between the incredibly fast technological advances, market needs and a high level of (self-)regulation. In most cases, these rapid advances have resulted in policymakers lagging behind the technology and enforcement of safeguards happening years after the technology is developed.

This, in turn, affects the way data protection is perceived and regulated. On the one hand, it presents companies with an important decision: can they wait for legislators to act or should privacy by design principles be considered preemptively? On the other hand, it puts the authorities in a position to impose sometimes large fines to compensate for violations that have been committed on a large scale and over many years. The fines are therefore so high in order to encourage companies to opt for Privacy by Design as a matter of principle. Unfortunately, this also puts data protection in a negative light, because high fines hinder business operations and data protection is accordingly seen as a cost factor.

From necessary obligation to the value of Privacy by Design

In the last two years, however, we have seen a change: Companies are increasingly realizing the immense importance of a paradigm shift towards Privacy by Design. This is because this approach significantly reduces the cost of adapting to new legislation, builds consumer trust, and carries fewer risks. Data protection is here to stay, and this is a realization that everyone – from companies to legislators to consumers – is becoming more and more aware of and acting upon. The important thing now is to approach data protection more proactively – and to make it a general corporate responsibility.

Data protection rights are also human rights! So far, the advertising industry has viewed data protection as a drag, but this perception will have to change as we move through2023. After all, data protection is no longer a limitation, but a selling point. As a result, industry players are beginning to view it as a worthwhile investment rather than a cost. Companies are doing this proactively because they want to stay competitive and keep their brand privacy-centric, and to ensure that customers continue to trust them. After all, once policies are in place and a general data protection program is created, the value that maintaining these standards brings, becomes apparent as well. However, it has to be reiterated that leadership support is critical to internalizing data privacy throughout the organization.

Data protection must be linked to business goals for success

As a mere edict coming from “the law,” Privacy by Design will never become an integral part of the corporate culture. However, when executives and senior management link the value of privacy with the company’s values and business goals, the picture is very different.

Whether it’s a product manager or a decision maker in another role, every person in the company needs to understand how data protection, compliance with data protection standards, and adherence to new data protection regulations will help them achieve their specific goals. Therefore, the better the company succeeds in linking data protection regulations, restrictions and obligations to corporate values, product quality and value creation, the more employees will accept and internalize this.

The best way for data protection officers to work with the product team is to create a top-down and bottom-up approach to embed Privacy by Design. That is, executive drive and pressure help product teams feel supported while diminishing concerns about whether privacy-focused product development is on target, for example, because it takes up extra time. It must be very clear that data protection is both fully supported and explicitly desired by the company.

Changes in the data protection landscape

The advertising space is currently undergoing a lot of changes, from Web3 and various blockchain developments, Google’s Privacy Sandbox coming to Android, and the final end of third-party cookies being in sight. A new e-privacy regulation is also being explored in the EU. It’s all part of a larger discourse and narrative, and we’ll see more countries and industries embrace the idea that privacy can be managed positively, not restrictively. This is the phase that every technology goes through at some point.

The Internet itself is the best example of this evolution: in the beginning, there was a certain “anything is possible” mentality – all players tried to be the fastest and outdo each other. At some point, however, the technology reached a point where it needed to be unified and clear rules were introduced that applied to everyone. That is why the second half of 2023 will be all about the imperative standardization of data protection technology, where data protection is no longer seen as a limitation, but as a foundation and selling point for forward-looking companies.