Privacy Technology Implementations: Lessons Learned
Everybody views data privacy through a different lens: that of the general counsel, that of the technology team, or even that of the technology stack. “What problems were you trying to address when picking a data privacy solution?” asks Stephen Buko.
Stephen is WireWheel’s Director of Product Implementation, and he was joined by StockX Director of Compliance Monica Gaffney and Project Manager and Consultant to AFLAC Doug Rentz to talk about Privacy Technology Implementation: Lessons Learned. It was an insightful conversation in which both Mr. Rentz and Ms. Gaffney spoke candidly about their challenges, what they would do differently given the benefit of hindsight, and the value of partnering to implement a thoughtful and measured approach to data privacy.
The StockX fundamental thought process has always been can we build it versus buying it…. As we were evaluating what was going on, I don’t think we truly had a full appreciation for the scope of work that would come with the implementation of these privacy laws – whether it was GDPR or CCPA – and the number of requests and the number of customers who would actually leverage the legislation to [exercise their rights]. There was just a lot of analysis required.
Do You Know What’s Coming Your Way?
“Once we stood up [our own] program thinking ‘OK, we can do this,’ reality hit,” says Monica. And we “recognized very quickly that just the quantity of work…was just more than we could manage.” Monica detailed that the number of DSAR requests quickly reached thousands of requests per month. It was “just more than we could handle.”
The StockX experience is not unique in this regard. Many, if not all, organizations that attempted to build their own systems and use existing staff in manual processes to manage DSAR requests were completely overwhelmed, both by the volume of requests and by the response-time constraints imposed by the CCPA (i.e., 30 days).
The workflow to respond to a DSAR (which requires extensive data mapping as a prerequisite) is challenging at best without an automated platform designed to execute it. In a short timeframe, and irrespective of data volumes or the volume of requests, a company must execute:
- Requestor identity authentication.
- Internal communication flows (including escalations to customer relations or legal if necessary) and external communication flows (to maintain positive customer relations).
- Assessment and collection of both structured and unstructured data.
- Processing data and formatting results into a report in a readily usable format.
- Audit trails and reporting to document compliance.
“There was a lot of back and forth on do we try to build or do we buy something,” notes Monica. “Eventually we went down the path of ‘let’s not try to build. This isn’t our bailiwick. Let’s just see what we’ve got out there.’ It was just too much to manage the way we were doing it.”
At AFLAC, it wasn’t about DSAR volume; it was more about the time crunch. “We didn’t really have the time to consider building an application. We…kicked off the project in October 2019 so we only had a few months to put in our processes to comply with the CCPA regulations,” which were set to come into effect January 1, 2020.
Both StockX and AFLAC chose WireWheel’s Trust Access and Consent Center for their third-party solution.
Start Privacy Simply
Operationalizing privacy is a complex endeavor. As StockX discovered, the complexity, together with the privacy technology and workflow expertise required, will readily settle the build-versus-buy debate. The benefits of enlisting a solution provider that has the requisite core competencies and platforms purpose-built for privacy are manifold.
As illustrated by the different challenges and unique requirements facing StockX and AFLAC, the platforms they chose also needed to be flexible. Privacy is not a one-size-fits-all ecosystem. That said, one commonality across companies seeking to comply with the GDPR, CCPA, and other privacy regimes is the immediate need to ensure compliance. The privacy journey starts with compliance.
And it is a “journey” as publishers and brands move from compliance to privacy by design and ethical marketing, and ultimately, privacy as competitive advantage. The platform a company chooses should necessarily support this growth. Arguably, the best way to start is to start simply, by mastering the ever-evolving complexities of compliance: this new and important consumer touchpoint.
From a technology standpoint, I don’t know that we had too many problems because we started pretty simply. And that’s what I’d recommend…have a tool that [you] can grow with…more than just putting in a platform to manage intake, administer the request, [but includes] looking at enhancements to privacy policies, online privacy notifications, and so forth.
A Phased Approach
Gaffney’s experience at StockX was very different from Doug’s. “We had already put in place a number of things from a GDPR perspective so CCPA wasn’t having as much impact for us,” relates Monica.
We started out with a very manual process so as we launched the implementation into WireWheel the initial experience was really positive. We didn’t see a lot of challenges: the setup was fairly easy. I think the biggest challenge for us was getting our website set up working with our marketing team to get that piece in place.
Monica touches on another aspect of the dynamic complexity of privacy, even when instantiating basic compliance. It is not just about the platform or your technology stack.
Data privacy requires strategic decision-making that involves IT, InfoSec, marketing, product development, web design and UX, HR, business strategy, and legal. As discussed here, regardless of your particular approach, a successful privacy program requires collaboration from the board down as well as across the business.
A well-proven way to manage and simplify complexity is to implement the solution in phases.
We instituted “a phased approach, which I think helped us a lot,” says Monica. “We slowly migrated requests into WireWheel, and we did a phased redirection of people into WireWheel…versus just basically opening the floodgates which helped us learn a lot of things and tweak our workflows.”
Candidly, Monica notes that StockX “missed some things along the way that we needed to do to help us keep track of what batch of requests was processed or just different workflows that we needed. (And we do have integrations that flow out to other teams in the company to perform reviews before we process a delete request)” adding to the complexity. That said:
If she had to do it all over, Monica says, “I definitely would have done automation right from the get-go. We should have known better. Knowing the volume of data that we had (we can be 800 to 1200 DSARs in a three-week cycle), we should have – just right out of the gate – gone for automation and linked into our system versus trying to use customer service agents to manage the queue.”
DSAR and Third-Party Representation
“Late last year we started receiving a few requests via email…” says Doug. “I think there was some internet site that was advising people on their privacy rights” and email was coming in “directly to the privacy team not through our normal intake process.”
I think that’s a use case we’re going to have to look at, because I do believe, as knowledge about the privacy regulation [grows]…we’re going to start to see more [DSAR] requests either coming through our standard intake process or directly to the privacy team. And these were requests from people that are not in California.
To this, Monica notes that StockX has seen a slight increase in third parties acting on behalf of somebody. “So, we actually had to tweak our process. [In these cases] we’ve got to go back to the customer and say, ‘Hey, did you ask that person to do that for you?’ before we just act.”
Privacy Technology Predictions
During the December 2020 WireWheel SPOKES Privacy Technology Conference closing keynote, data privacy advocate Alistair Mactaggart opined:
You know, I think there’s going to be business-facing companies that are going to explode because of the demand for privacy on the business side. And, there are going to be consumer-facing companies that are going to also cater to my desire for privacy.
And these agents – one of the constructs that I like most about both CCPA and CPRA is we ensure that another person can act for you — can intervene for you because it’s too complicated if you have to do this all yourself.
Closing out what was a far-ranging conversation, of which the above is only a small sample, AFLAC’s Doug Rentz and StockX’s Monica Gaffney offer their own privacy technology predictions.
“A lot more automation and particularly integration with your systems for handling access and deletion requests,” says Doug. He also sees an increased ability for “capturing and storing opt out requests [to] ensure that if people do opt out, their data is not…provided if there’s some new marketing initiatives…. It’ll just continue to ramp up.”
“As far as technology’s role? 100%,” asserts Monica. “Technology is going to be the key to managing these different laws, right. Whether as Doug pointed out, [it is] making sure that our opt in and opt out requests are managed; really understanding where our data is, how we’re using that data, where it’s flowing to, where it’s flowing from; and tagging things in a way that helps us understand a lot more quickly.”