As part of Solutions Review’s Premium Content Series—a collection of contributed columns written by industry experts in maturing software categories—Rémy Claret, the CMO of Odaseva, shares some insights on the changing world of data privacy compliance, its effect on marketing teams, and how to navigate it.
Modern marketers depend on their customer and prospect data, so staying abreast of data privacy regulations to remain in compliance must be a high priority, especially if a marketing organization sells globally. But the sheer number of new laws coming into effect makes this increasingly difficult.
In addition to the most well-known regulations—the EU’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and, most recently, China’s new Personal Information Protection Law (PIPL)—both Virginia and Colorado have enacted new privacy laws. At least six other states have data privacy bills that look likely to pass.
Globally, the situation is also changing fast. The EU is ramping up GDPR enforcement and has five new data privacy and protection laws pending. India is expected to enact its data protection law this year. There are also dozens of other countries either set to pass legislation soon or close to implementing enforcement for recently enacted laws.
The business risks of non-compliance can be staggering. WhatsApp, for example, paid $225 million in fines in 2021, and it was far from the only company liable for nine figures due to data privacy non-compliance. PIPL violations can carry penalties of as much as 5 percent of a company’s revenue and could result in a ban on doing business in China. If they want to remain competitive, marketing enterprises must prioritize compliance.
Challenges with Compliance
Marketers face several key challenges when complying with data privacy laws globally and in the United States. Here are some of the most significant examples.
Many laws apply to data processing activities outside of the country
Companies must abide by GDPR and PIPL if they process personal information of persons residing in the EU and China, respectively, and use that data to analyze their behavior or market to people inside those territories. Additionally, a company doesn’t have to be physically present inside the EU or China for GDPR and PIPL to apply.
Gaining consumer consent
In nearly all of the privacy regulations, consumers must provide consent for a company to collect and use their data, and they can take back permission at any time. Typically, giving customer information to another company also requires customer consent. Making this process even more complex, sensitive personal information like financial or medical data requires special handling, and companies must specifically notify their customers to gain consent.
The stated purpose of the collection
Under GDPR and PIPL, businesses must inform customers about the purpose of collecting their data and explain how it will be used. Companies can’t collect data without reason and then determine its use later. Once the stated goal has been achieved, PIPL requires the company to delete the data. Additionally, if the consumer consents to their data being collected for the stated purpose, that consent must be traced across all systems interacting with the data.
Restrictions on automated decision-making
In most data privacy regulations, customers can opt out of using their data for automated decision-making. CCPA didn’t include this initially, but an enormous amendment to CCPA, the California Privacy Rights Act (CPRA), added this provision.
Data residency requirements
Many data privacy laws require that data collected on citizens be physically stored within the borders of those customers’ countries.
Constant updates and new laws
The data privacy landscape is not static. New laws are continually coming into effect, and existing regulations are regularly updated, making it challenging for an individual company to keep track of the data in its systems, especially in real time.
SaaS Challenges and Technology Solutions
Much of the marketing data that falls under these consumer data privacy regulations resides in SaaS CRM applications such as Salesforce. Most of these platforms employ a shared responsibility model. In this arrangement, the SaaS provider (in this example, Salesforce) ensures the platform is secure, stable, and available but takes no responsibility for managing or protecting the data. That is the responsibility of the SaaS provider’s customers. This means that each country’s privacy regulations apply to the company or marketer collecting the data, as they, not the SaaS provider, will be held responsible for violations.
Two emerging technology solutions offer a means to automate and simplify compliance. First, no-code platforms for data privacy management are emerging to empower employees who don’t know how to code but have critical subject matter expertise to apply their knowledge directly to a solution without involving IT.
Let’s take Salesforce as an example of how no-code solutions can help. It’s incredibly time-consuming and expensive for IT teams to build a solution to comply with data subject requests in Salesforce. With a no-code solution, non-technical employees who know the workflows, applications, and underlying regulations can build a solution themselves. This saves a great deal of time and produces a solution that will be much more likely to meet their needs than one created by a coder who has to interpret their requirements. As a result, the organization can shift scarce developer resources to other projects, and non-technical subject matter experts can bring powerful tools to ensure PII data in their applications is compliant.
The second emerging solution is Residency-as-a-Service (RaaS). With RaaS, a service provider stores and processes data that falls under regulatory restrictions locally, within the required jurisdiction. All other data is centralized to deliver a high-quality end-user experience for those who need to interact with it. These systems offer great flexibility, which comes in handy as regulations change. Some RaaS providers can also assist with updating business rules to adapt to changing regulations and help customers create and implement business rules that automate proper storage and deletion of data.
It’s a new world for marketers and their relationship with data. Data privacy compliance regulations are changing and emerging so quickly that it sometimes feels as if rules are outpacing the ability of technology to keep up. However, by adopting flexible technologies like RaaS and no-code platforms, organizations can stay ahead of the curve and avoid facing the consequences of non-compliance.