Privacy Technology Implementations: Lessons Learned
Stephen is WireWheel’s Director of Product Implementation and he was joined by StockX Director of Compliance Monica Gaffney and Project Manager and Consultant to AFLAC, Doug Rentz to talk about Privacy Technology Implementation: Lessons Learned. It was an insightful conversation in which both Mr. Rentz and Ms. Gaffney spoke candidly about their challenges, what they would do differently given the benefit of hindsight, and the value of partnering to implement a thoughtful and measured approach to data privacy.
The StockX fundamental thought processes has always been can we build it versus buying it…. As we were evaluating what was going on, I don’t think we truly had a full appreciation for the scope of work that would come with the implementation of these privacy laws – whether it was GDPR see CCPA – and the number of requests and the number of customers who would actually leverage the legislation to [exercise their rights]. There was just a lot of analysis required.
Do You Know What’s Coming Your Way?
“Once we stood up [our own] program thinking ‘OK, we can do this,’ reality hit,” says Monica. And we “recognized very quickly that just the quantity of work…was just more than we could manage.” Monica detailed that the number of DSAR requests quickly reached thousands of requests per month. It was “just more than we could handle.”
The StockX experience is not unique in this regard. Many, if not all organizations that attempted to build their own systems and utilize existing staff in manual processes to manage DSAR requests, were completely overwhelmed: both by the volume of requests and the response time constraints imposed by the CCPA (i.e., 30 days.)
The workflow to respond to a DSAR (which requires extensive data mapping as prerequisite), absent automated platforms designed to execute them, are challenging at best. In a short timeframe and irrespective of data volumes or the volumes of requests, a company must execute:
- Requestor identity authentication.
- Internal communication flows (including escalations to customer relations or legal if necessary); and external communication flow (to maintain positive customer relations).
- Assessment and collection of both structured and unstructured data.
- Processing data and formatting results into a report that is in a readily useable format. And,
- Audit trails and reporting to document compliance.
“There was a lot of back and forth on do we try to build or do we buy something,” notes Monica. Eventually we went down the path of ‘let’s not try to build. This isn’t our bailiwick. Let’s just see what we’ve got out there.’ It was just too much to manage the way we were doing it.”
It wasn’t about DSAR volume at AFLAC, it was more about the time crunch. “We didn’t really have the time to consider building an application. We…kicked off the project in October 2019 so we only had a few months to put in our processes to comply with the CCPA regulations” which were set to come into effect January 1, 2020.
“We did look at another tool, had a trial with them and determined that they weren’t quite ready to handle what we thought our use cases we’re going to be. We needed something that could intake requests, administer them, and then respond to the requesters: a platform that that has end-to-end capability and able to integrate with our reporting databases or other business systems as needed.”
Both StockX and AFLAC chose WireWheel for their third-party solution.
Start Privacy Simply
Operationalizing privacy is a complex endeavor. As StockX discovered, the complexity and needed privacy technology and workflow expertise will readily settle the build vs buy debate. The benefits of enlisting a solution provider who has the requisite core competencies and platforms purpose-built for privacy are manifold.
As illustrated by the different challenges and unique requirements facing StockX and AFLAC, the platforms chosen also need to be flexible. Privacy is definitely not a one size fits all ecosystem. That said, one commonality across companies seeking to comply with the GDPR, CCPA, and other privacy regimes is the immediate need to ensure compliance. The privacy journey starts with compliance.
And it is a “journey” as publishers and brands move from compliance to privacy by design and ethical marketing, and ultimately, privacy as competitive advantage. The platform a company chooses should necessarily support this growth. Arguably, the best way to start is to start simply. Mastering the ever-evolving complexities of compliance: this new and important consumer touchpoint.
From a technology standpoint I don’t know that we had too many problems because we started pretty simply. And that’s what I’d recommend…have a tool that [you] can grow with…more than just putting in a platform to manage intake, administer the request, [but includes] looking at enhancements to privacy policies, online privacy notifications, and so forth.
A Phased Approach
Gaffney’s experience at StockX was very different than Doug’s. “We had already put in place a number of things from a GDPRA perspective so CCPA wasn’t having as much impact for us,” relates Monica.
We started out with a very manual process so as we launched the implementation into WireWheel the initial experience was really positive. We didn’t see a lot of challenges: the setup was fairly easy. I think the biggest challenge for us was getting our website set up working with our marketing team to get that piece in place.
Monica touches on another aspect of the dynamic complexity of privacy, even when instantiating basic compliance. It is not just about the platform or your technology stack.
Data privacy requires strategic decision making that involves IT, InfoSec, marketing, product development, web-design and UX, HR, business strategy, and legal. As discussed, here, regardless of your particular approach, a successful privacy program requires collaboration from the board down as well as across the business.
A well-proven way to manage and simplify complexity is to implement the solution in phases.
We instituted “a phased approach, which I think helped us a lot,” says Monica. “We slowly migrated requests into WireWheel, and we did a phased redirection of people into WireWheel…versus just basically opening the floodgates which helped us learn a lot of things and tweak our workflows.”
Candidly, Monica notes that StockX “missed some things along the way that we needed to do to help us keep track of what batch of requests was processed or just different workflows that we needed. (And we do have integrations that flow out to other teams in the company to perform reviews before we process a delete request)” adding to the complexity. That said:
Out of the gate it was pretty good. Fingers crossed, within the next couple of weeks we’ll get to the point where we are fairly touchless from a customer service management perspective as far as managing the [DSAR] requests. And then the follow-on automation phase is going to be to actually automate the actions that go along with the request: whether it’s automating those delete calls or automating the access calls.”
If she had to do it all over Monica says “I definitely would have done automation right from the get-go. We should have known better. Knowing the volume of data that we had (we can be 800 to 1200 DSARs in a three-week cycle), we should have – just right out of the gate – gone for automation and linked into our system versus trying to use customer service agents to manage the queue.”
DSAR and Third-Party Representation
“Late last year we started receiving a few requests via email…” says Doug. “I think there was some internet site that was advising people on their privacy rights” and email was coming in “directly to the privacy team not through our normal intake process.”
I think that’s a use case we’re going to have to look at, because I do believe, as knowledge about the privacy regulation [grows]…we’re going to start to see more [DSAR] requests either coming through our standard intake process or directly to the privacy team. And these were requests from people that are not in California.
To this Monica notes that StockX has seen a slight increase in third parties acting on behalf of somebody. So, we actually had to tweak our process. [in these cases] we’ve got to go back to the customer and say, ‘Hey, did you ask that person to do that for you?’ before we just act.”
Under the CCPA, consumers can enlist authorized agents to make requests on their behalf. “Because consumers interact with hundreds, if not thousands of companies – for example, there are over 400 data brokers on the California data broker registry alone – it could practically be a full-time job to adequately protect one’s privacy” (Maureen Mahoney, et al., 2021). Additionally, as this Consumers Report study details, “consumers experience significant difficulty exercising their rights…Many data brokers’ opt-out processes are so onerous that they have substantially impaired consumers’ ability to opt out.”
This “light weight” Consumer Reports study, which made requests on behalf of 124 consumers to 21 companies, found a significant number of issues ranging from poor communications, to the use of “dark patterns,” to broken and circular processes, all making requests onerous “if not impossible.”
Given this, the appearance of authorized agent DSARs in the CPO’s inbox or privacy management platform may become an increasing trend.
Privacy Technology Predictions
In fact, during the December 2020 WireWheel SPOKES Privacy Technology Conference closing keynote, data privacy advocate Alistair Mactaggart opined:
You know, I think there’s going to be business facing companies that are going to explode because of the demand for privacy on the business side. And, they’re going to be consumer facing companies that are going to also cater to my desire for privacy.
And these agents – one of the constructs that I like most about both CCPA and CPRA is we ensure that another person can act for you — can intervene for you because it’s too complicated if you have to do this all yourself.
Closing out what was a far-ranging conversation of which the above was only a small sample, AFLAC’s Doug Rentz and StockX’ Monica Gaffney offer their own privacy technology predictions.
“A lot more automation and particularly integration with your systems for handling access and delete requests, ” says Doug. He also sees increased ability for “capturing and storing opt out requests [to] ensure, that if people do opt out, their data is not…provided if there’s some new marketing initiatives…. It’ll just continue to ramp up.”
“As far as technology’s Role? 100%,” asserts Monica. “Technology is going to be the key to managing these different laws, right. Whether as Doug pointed out, [it is] making sure that our opt in and opt out requests are managed; really understanding where our data is, how we’re using that data, where it’s flowing to, where it’s flowing from; and tagging things in a way that helps us understand a lot more quickly.
Suggested Blog Posts
A marketer has to balance all of the tools that they're going to deploy and utilize all of the data at their...
Written by Rick Buck, Chief Privacy Officer, WireWheelAlmost from the beginning of the internet’s transition to an...
January 28 marked the annual Data Privacy Day. In recognition, WireWheel CEO Justin Antonipillai brought together a...