How to Win Over Your IT Team
Making Privacy a Strategic Advantage
The necessity of organization-wide collaboration to affect privacy by design is agreed by all privacy professionals. And while privacy by design may currently remain “aspirational” for many, even baseline compliance – dependent upon sound data governance – demands breaking down silos.
Consequently, regardless of where the organization sits on the privacy maturity scale, an effective collaboration with IT is paramount. Both at a baseline compliance level and helping privacy to mature to a position of strategic advantage.
To celebrate privacy week, WireWheel invited Forrester Principal Analyst, Sara Watson to discuss “Making Privacy a Strategic Advantage: How to Win Over the Tech Executive.” Sara met with Steven Jacobs, WireWheel’s Director of Product Marketing & Partnerships to provide valuable insights into the common ground challenges shared by privacy and IT that can form the basis of the CPO, CIO, and CTO relationship.
The following is excerpted from Watson’s presentation which was followed by an extensive Q&A.¹ And well worth a listen.
Privacy and IT: A similar transformational path
As privacy becomes increasingly strategic my interest is in how these two functions can actually learn from each other’s transformation to having closer ties to the business and becoming more customer obsessed. Something at Forrester that we are obsessed with as well.
—Sara Watson, Forrester
We know that the privacy function is traditionally seen as a cost center focused on mitigating risk and ensuring compliance. And in some ways, this parallels how the IT function used to be positioned within most large enterprises: as an infrastructure provider.
But that model has been completely disrupted as technology, of course, becomes essential to all business transformation. And so, we think that future fit CIOs and CTOs are now partnering more closely with the business,
This means that they’re measured not just in terms of cost or uptime, but also in terms of business outcomes.
From cost center to strategic business partner
Sara walked through the importance of moving beyond the compliance-as-backend-cost-center approach to privacy in the enterprise, as we move towards privacy as a strategic partner in generating business value.
She shared, “there are key levers elevating the importance of privacy for basically all stakeholders right now…which are catching up to the reality of our data economy and shifting emphasis to first-party relationships rather than optout consent models. Ultimately driving the idea of giving users more power over their data.
Of course, this is going to drive the compliance function, but that’s really just the floor. It is not the ceiling of where the spirit of these changes are leading us.
Values-based customers are demanding more privacy from platforms and brands.”
That 45% of US consumers have said that they’re willing to pay for products in lieu of having companies collect, share, or sell their data (consumer reports survey) is an indicator that there is a market for privacy.
Consumer norms and expectations are changing as we become more digitally mature consumers. This means that trust is becoming imperative to all of these business relationships and yet at the same time, trust in technology as an industry is actually down.
According to Forrester’s 2021 “Consumer Technographics Benchmark Survey,” 20% of US online adults don’t trust any company to keep their personal information secure. Trust is really becoming a core issue.
—Sara Watson, Forrester
The shift towards digital experiences demands the integration of privacy considerations into the entire [customer] experience. It’s not just talking about checkboxes and opt-outs, but rather thinking about what is the privacy experience throughout the entire ecosystem, throughout the entire experience.
This means thinking more holistically about how these design choices can actually shape that experience.
From data protection to data as the currency of trust
These forces are also changing the nature of what privacy actually means to consumers. It is moving away from a strict legal definition of privacy towards the way privacy shows up in consumer experiences – consumer choice and enabling agency – and starting to speak to consumer values in those experiences.
In that effort, data is becoming the currency of trust and future-fit privacy functions will need to figure out how to support those emerging customer interactions and expectations as a means of partnering with the business in more involved ways.
—Sara Watson, Forrester
The Forrester Ladder of Privacy Competitive Advantage model is about how you can start to think about building towards higher levels of strategic positioning – a journey that parallels how tech organizations have evolved towards more future-fit strategies: how the tech exec is actually thinking about making privacy technology function more adaptive, creative, and resilient and becoming more strategic to the business as well.
The Forrester “ladder” of maturity posits 5 rungs:
- Regulatory compliance
- Operational efficiency
- Sustained compliance
- Business strategic enablement, and ultimately
- Customer and employee trust
Many IT organizations are on the path towards modernizing from a back-office infrastructure provider to a more strategic partner and enabler. Forrester research shows that:
- 59% of organizations are still in the traditional IT model. These are very large enterprises and, as we know, big ships take a lot of effort to move in a new direction.
- 33% have developed modern IT practices and have closer ties to the business, more adaptive setups, and infrastructure that’s cloud-based, and more agile.
- Only the top 8% of firms demonstrate the characteristics of what we call future-fit: truly building an adaptive, creative, and resilient IT practice with very close ties to the business. And shared accountability for business outcomes.
Not just enabling business but tied to revenue targets or customer-focused metrics.
Partners in data stakes and goals
Privacy professionals and tech execs both hold stakes in the firm’s data. It is the key driver of both practitioners. This presents a huge opportunity to find partners on this maturity path to strategic business relevance.
The future-fit tech execs will inevitably need to partner more with privacy professionals to achieve some of their customer and business goals as privacy becomes more essential to the experience.
—Sara Watson, Forrester
Privacy naturally falls into the technology executive’s priority bucket of embedding privacy and security to increase business continuity and mitigate risks. But I would argue that that positioning is still very much in a compliance and security mitigation risk posture rather than a competitive advantage. Therefore, I argue that privacy professionals have a role to play in each of these categories.
This presents opportunities to start talking about how privacy fits into the organizational structure. To start to talk about change management and embedding privacy protection principles in the engineering organization or in the case of emerging technology, how you provide privacy-focused input on emerging tech pilot programs from the start.
Ultimately, privacy has to make its way across all of these priorities. That’s going to be the next level of maturity.
How to make privacy a tech exec first priority
Most importantly, privacy needs to be part of the tech exec’s top priorities; which is to plan, govern, and communicate the business value of technology: everything from implementation planning, budgeting, measurement, communication, and governance capabilities. All of which tie business targets and customer value to the technology enablers.
Forrester 2021 survey: 29% of global purchase influencers say that aligning performance metrics to business outcomes would be a high or critical priority in the next 12 months
This is the greatest area that privacy professionals can learn from the IT organization’s journey and become a strategic partner in focusing on those ways of communicating value.
So how do you practically do that?
Privacy professionals can future-fit their approach to privacy metrics through the development of KPIs that look at key outcomes beyond compliance and focus on things like business enablement and customer engagement. (Tech execs have gone through this transformation.) Now we are starting to see that tech execs will be targeted against revenue goals, and that’s a huge shift.
In the realm of privacy, we are very familiar with KPIs focusing on the number and frequency of incidents, the number of customer inquiries you’ve received, or the number of requests handled. According to ISCA data 58% of firms measure incidents response and 57% use data protection and privacy impact assessments. But none of those communicate business value or measure tangible outcomes to the business.
The same survey found that only 11% of firms are measuring customer or brand impact of privacy efforts.
What I propose are future-fit metrics that can help privacy professionals develop these closer ties to the business and to customer experiences. Some are technology driven, but some in many ways are organizationally driven.
The metrics of business outcomes and customer experience
[From a business outcomes perspective] the questions become: how do you start to find the right stakeholders to support these data-driven initiatives? And how do you collaborate with the business on new projects and keep track of that?
[From a brand trust or customer experience perspective the questions become:] how do you increase the trustworthiness of your brand? What are the metrics that can tie to that? How do you positively influence the customer experience and contribute to creating the brand reputation?
Some of that does have to do with thinking about the number of transparency reports or the number of customers opting in versus opting out. Those are indicators of brand health.
Here are some of the metrics we’ve considered as we continue to think about how privacy can become more mature and more strategic to the business:
How do we use technology to change behavior that’s deeply embedded, not only in the organization, but as a marketer, or the way we think about and use data?
Always meeting that first-order demand, which is making sure that as the privacy officer you are meeting your compliance requirements – meeting those first-order metrics – but second, how technology can be used to gain credibility.
—Steven Jacobs, WireWheel
It starts with that customer-centric shift. The next step is to find those shared metrics, shared governance models, and shared frameworks for how privacy is going to fit into those processes.
There’s an argument to be made to meet people where they are.
¹ Quotation marks have been omitted and comments lightly edited for readability.