There’s been an awful lot of ink spilled in recent months over next May’s General Data Protection Regulation (GDPR). Lots of hand-wringing and concern as businesses ready themselves for the legislation, which rewrites the rules for collecting and managing consumer data, and steel themselves for one of the largest shake-ups to data privacy in a decade.
However, one of the lesser discussed areas of GDPR is one of the more crucial mandates in the legislation: the creation of a new executive role, the Data Protection Officer (DPO), in place to enforce compliance and ensure broader corporate accountability.
A DPO must be appointed where an organisation is either a public authority or engages in large-scale systematic monitoring or processing of sensitive personal data. In these organisations, how can CMOs work with DPOs to build a brand strategy that ensures compliance with GDPR?
What is expected of DPOs?
The GDPR enforces a strict definition of personal data: information that could be used, on its own or in conjunction with other data, to identify an individual. The DPO’s responsibility is to ensure organisations adhere to this definition, especially organisations (for example, public authorities or big multinationals) that regularly process and monitor data on a large scale. In addition to this kind of oversight, DPOs are expected to be proficient in IT management, data security (including managing cyberattacks), and other business critical continuity issues; not unlike the Chief Privacy Officers and Chief Information Officers of today.
But the role departs from others in one crucial way: where other executives might be beholden to a corporate board of directors and accountable to their fellow business leaders, DPOs only answer to outside regulators. They’re free agents, in essence, operating independently, regulating independently, protected against corporate sanction – all of which makes alignment with the C-suite all the more important.
It’s on other executives, and chief marketing officers especially – as keepers of the brand, drivers of demand, and stewards of the larger customer experience – to work closely with the DPO to ensure corporate initiatives align with compliance obligations. This kind of collaboration isn’t just good business sense, given the fines companies could face for non-compliance under GDPR; it’s common sense. In this era – especially as an investment in compliance is often an investment in the brand – it also signals to consumers that yours is a company worth taking seriously, and ultimately worth purchasing from.
What does a CMO-DPO partnership entail?
At a minimum, it will require enhanced cooperation and communication across the broader C-suite – the support and buy-in of all executives, regardless of the reporting structure in place. CMOs and their fellow business partners will also need to agree on shared practices for technology usage and management, especially where more contentious technologies are concerned; cookies, for instance (where they may need to agree to disagree). Marketers will also need to make transparency a habit, meeting regularly with the DPO to forecast planned programs or initiatives – a wide-reaching digital campaign, for example – against the DPO’s own compliance driven checklist.
CMOs in particular should also make sure their own understanding of policy and process maps back to the DPO’s priorities. They should arrive at a consensus on how to drive and support innovation and revenue, and be sure to include the DPO in the product development process, so that they stay apprised and have a way to intervene or interject as needed; a check and balance.
Most importantly, CMOs should recognise (and be quick to capitalise on) the strategic brand advantages of the CMO-DPO partnership. What is the DPO, after all, if not another thought leader the CMO can harness? They are ultimately someone whose domain expertise and breadth of knowledge only solidifies the brand’s commitment to compliance and privacy, and assures buyers of a business’s good intent. Close collaboration between the CMO and DPO may well prove a big brand differentiator; not just a source of credibility, but its own kind of credential, no different from the certifications – a GDPR certification, pan-European GDPR acceptance – that organisations will require further down the road.
Fowler, D. (2017) The Rise and Reign of Data Protection Officers, CIM Exchange
Available at: http://www.exchange.cim.co.uk/blog [Accessed 13 Apr 2018]