CMO Australia

Data privacy lessons marketers must take heed of in 2023

CMO Australia speaks to a host of technology and industry thought leaders, including our very own Glyn Geoghegan, to discuss what organisations must do to safeguard data and what technology will help or hinder their efforts.

Bigger penalties for customer data privacy breaches in Australia, along with retaining customer loyalty in the face of stronger concerns around data use and growing AI utilisation, are going to dominate the way organisations must handle personal data this year.

That’s the view of a host of data and technology thought leaders, who CMO reached out to as the world recognised annual Data Privacy Day on 28 January. The aim of the day is to create awareness about the importance of respecting privacy, safeguarding data and enabling trust. These ambitions are more critical than ever, as marketing teams and the organisations they work for balance growing desire to harness data for personalised engagement and business improvement with tougher rules around protecting customer data against nefarious activities and inadvertent breaches.

For senior director of international data science and analytics at Doordash, Kshira Saagar, increased penalties associated with serious breaches of the Australian Privacy Act 1988 will overshadow customer data privacy in 2023. As was confirmed last year, the OAIC now has increased powers with enhanced enforcement and information gathering and sharing capabilities. There’s also a proposal in the works to remove the constraint data must be stored in Australia for fines to apply.

For a long time, data privacy of customers has been an afterthought, with most marketing teams sharing Excel lists of customer emails, details and other information across their own teams and agencies, with lack of proper tools or lack of time as excuses,” Saagar tells CMO. “This needs to now be completely rethought and should give pause for reflection, given increased penalties.

There are better tools and technologies out there that allow for seamless data sharing at the click of a button, and teams need to invest in these tools.”

It’s a similar regulatory story globally, with the GDPR out of the EU, and increasing enforcement activities levying fines across the industry. The CCPA out of California and equivalent legislation in US states, while having more focus on opt-out than opt-in for individuals, are also key, says Devicie security and compliance director, Glyn Geoghegan. The vendor provides end-user device management as-a-service.

Of particular note to Porter Novelli Australia CEO, Rhys Ryan, is the Attorney General’s consideration of further changes around the ‘right to be forgotten’. This is expected to introduce complexity into all forms of digital marketing and e-commerce.

There may even be a fundamental challenge to a core element of the growth of the modern Web and social media platforms, such as the idea consumers must hand over their data to companies – for free – in order to interact with them,” he says. “I’ve always found it strange we, as consumers, compliantly go along with this demand, especially when we’re already giving these companies value in the form of cash in return for goods and services.

It’s possible this idea may finally begin to be challenged as this Government pushes further reforms.

Alongside this, Porter Novell is anticipating an evolution in ransomware attacks. While threat actors in live breaches are getting smarter, more targeted and more efficient, Ryan says new data shows fewer ransoms are being paid over the past 12 months. Whether to pay or not remains a debate this year.

As data privacy remains top of mind, we will see more catastrophic reputational damage for those organisations whose leaders didn’t anticipate the challenge of communicating simultaneously with hundreds of thousands of people, often in an environment where they can’t use the normal tools of communications because a threat actor has taken down the necessary systems,” Ryan says.

Companies with the best network security can be hacked. And in some cases, organisations find out they have had a data breach at the same time as everybody else, which is tough if you’re a listed or government entity holding the data of millions of customers.

There is no doubt recent data breaches, such as those experienced by Medibank and Optus, have seen data privacy and associated topics become mainstream news and driven customer expectations up.

When Kochie is speaking to my mum at 7am in the morning about the value and sensitivity of her data, we have now hit a different level of understanding,” The Lumery co-founder and CEO, Rajan Kumar, says. “This means forced action. Brands, law makers, individual practitioners and technology companies must move. Whether companies are ready for it or not, legislation is coming, and consumer privacy is firmly on the agenda for our Government.”

In a similar vein, OpenText VP A/NZ, George Harb, and his team are anticipating customer loyalty to be key in privacy program development in 2023. “In today’s era of consumer activism, individuals are making purchase decisions based on their perception of how committed an organisation is to managing and protecting their personal data,” he says.

Harb notes a global OpenText survey among consumers last year found 49 per cent of Australian respondents would no longer use or buy from a company they were previously loyal to if it failed to protect or leaked their personal data. Moreover, almost two-thirds of local consumers would be willing to pay more to use or buy from an organisation that was expressly committed to protecting personal data. And more than a third said they would no longer use or buy from a company they were previously loyal to if it failed to respond to a privacy access request under the Australian Privacy Act.

This Privacy Act includes the right of access, the right of rectification and the right of erasure and almost half indicating they would no longer use or buy from a company if it shared their personal data with third parties for anything other than its specified purpose,” Harb says. “It is crucial businesses ensure they prioritise protecting consumer data to safeguard consumers’ trust as we navigate through 2023.”

Technology advancements helping and hindering data privacy

So is there technology advancement or adoption curve acceleration with the power to positively versus negatively impact how organisations tackle data privacy this year?

On a practical level, especially with a marketing lens, we are seeing different questions being asked of technology vendors,” replies Kumar. “In the last five years, the primary focus has been on increased maturity of digital marketing. This year, that will be balanced out with questions about data security, privacy and consent management. This is a positive step and those brands that embrace this changing landscape will come out on top in the eyes of the consumer.”

The rise of centralised data stores and personal data syndication services is another interesting area to watch for Kumar.

In a positive sense, the idea critical first-party data [such as a driver’s license number or passport number] is only being held in a single repository that brands and services can securely access, brings a level of confidence to a consumer,” he says. “However, unless appropriately governed, certain companies could turn into monopolies which is extremely dangerous.

Then there’s increased use of machine learning and artificial intelligence (AI). By extension, these have huge potential for negative and positive consequences, says Geoghegan.

The large body of curated data typically required to get good results creates an environment which hugely incentivises broad acquisition of data beyond the core purposes it is initially collected,” he explains. “While the technology has the potential to greatly improve the quality of data processing, it raises new privacy concerns together with concerns about the biases that may be present in the data.”

More positively, Harb points to AI-powered data discovery tools, of which OpenText provides, enabling organisations to scan unmanaged or unclassified information to identify personal and sensitive data across content repositories in order to better manage it.

It seems no matter where I look, I see conversations about AI taking over,” Secure Code Warrior CMO, Junie Dinda, agrees. “One such area has been AI-generated code, and there has been a lot of discussion in the security community about the plethora of security issues its adoption could pose for a business. I have no doubt such technologies will be useful to help with a level of automation.

But for now, I would be very cautious about what you generate and use from both a marketing and security perspective. All it takes is one exploitable mistake for a threat actor to cause widespread reputational damage, and it’s simply not worth the artificial time saved.”

Kumar equally sounds a note of warning on AI and the data being used to drive it forward. “We’re seeing ChatGPT spreading like wildfire. AI technology that’s crawling over data sets and all information injected into it,” he says.

While the conversation is largely centred around the endless possibilities or detrimental impact on certain professions, very quickly we’re going to see conversations about privacy, accuracy, data completeness and the potential use of data to fuel the algorithm without appropriate consent. AI or algorithm ‘data-scope’ and management of that is going to be critical, very quickly.”

Elsewhere, Protegrity A/NZ managing director, Robert Beck, believes data governance departments are beginning to understand they cannot rely on perimeter protection alone for keeping data safe and secure. Saagar specifically notes increasing cyber security incidents, coupled with changes to Privacy Act, are driving large organisations to invest more in data masking and data cataloguing products, to get a better grip on their in-house data, and the associated commitments.

Many marketers are also increasingly preparing for the approaching removal of third-party cookies from Google at the end of this year. “Whether this will be positive or negative will depend largely on how companies address the management of their own first-party data,” n3 Hub business development director, Stephen Schwalger, says.

Organisations that develop a first-party data strategy with permissions-driven privacy and security-based model at its core can deliver positive privacy outcomes for their customers. Applications such as customer data platforms with the appropriate security, privacy and data encryption features will be important as will improved overall IT systems security.

For smaller and mid-tier companies, we see privacy of PI becoming a more critical issue as they often don’t have the IT and platform resources to manage these requirements.

According to Harb, struggles to meet prescribed deadlines is why automation and workflow management will become top data privacy technology capabilities.

Finally, with cybercrime presenting a formidable challenge to modern life and work and the potential to wreak havoc on our businesses, an organisation’s best defence against cyber threats is a cyber resilience framework including robust, multi-layered security and data protection,” he says.

Critical components of a holistic approach to cyber resilience include employee training; blocking threats before they can infiltrate a network by protecting endpoints; preventing email-borne threats such as ransomware, phishing and business email compromise; threat hunting with security analysts to detect and respond to breaches as quickly as possible; and recovering data by keeping critical systems online during a worst-case scenario.