You need a privacy-centric organisation. Here’s how to build it

Customers want brands to take their privacy seriously. Most marketers know this — but getting privacy right requires buy-in from colleagues outside the marketing department.

We asked experts what it takes to build a privacy-centric organisation; their answers were both thought-provoking and varied.

Of course, we heard that a strong privacy-centric culture starts at the top. But we also learned some practical strategies to improve corporate governance, break down silos, build trust, and improve the customer experience.

Change takes work, but it’s work that pays off. Our experts were clear that businesses see improved performance from their marketing efforts by putting privacy first. Here’s how to get started:

“We need privacy storytellers”

“We need privacy storytellers within organisations. We need people who can make this subject a little bit more human. It’s not just about data or a privacy notice on a website. It’s about the way we deal with people and their dignity. Some leaders will warn teams about the threat of fines if they get anything wrong. But the best leaders are storytellers, articulating what the organisation can gain by embracing a privacy-first approach.”

“To get my team aligned, I’ll sometimes talk to them about recent privacy stories in the news. We talk through the issues, dilemmas, and potential solutions, and this case study brainstorming gets everyone on the same page. In my team, I have people from all different backgrounds: security, legal, data management, and more. Effective storytelling is crucial to get everyone working together and speaking the same language.”

“At the moment, there’s too much of a silo culture, where you have lawyers speaking about privacy in a way that engineers don’t understand, and vice versa. The teams may be speaking to one another, but there’s still miscommunication. To break down these silos, it’s important to develop a common language that everyone understands across the organisation. This requires leaders to introduce new initiatives, such as creating a broad discussion forum or launching upskilling opportunities for employees in new disciplines. (For example, engineers should know about the law.) Having these cross-over skills helps people connect, learn, and develop that common language. And that’s when the magic happens.”

‘Privacy ambassadors are accountable for local implementation’

“Building a privacy-first organisation begins by placing accountability on the wider team. Each team, in each country, needs to ensure they are accountable. This isn’t just the job of one person at the top. This approach has helped Nestlé implement privacy standards across a global organisation of more than 270,000 employees.”

“My direct privacy team is accountable for global policy, standards, and governance, and then at a market level, a network of privacy ambassadors is accountable for local implementation. Our ambassadors are often from IT security, who understand the needs associated with data protection. Ambassadors come from legal, too. These ambassadors have a dotted line to me, ensuring they aren’t siloed from their local teams. We provide the support and tools they need to be successful, and we keep everyone connected through regular discussions.”

“When it comes to privacy at Nestlé, we have three separate lines of defense. The first line is every employee and executive who processes data. The second line is our privacy community, which I just mentioned. Our third line is internal auditors. Having auditors sends a message that we take this seriously. Auditors working at both a global and market-level – whether in Bangladesh or Italy – use the same, consistent framework to check and quickly identify any red flags so we can activate as necessary.”

“Three years earlier, privacy was not so high on the agenda in the industry. As I look ahead, privacy is here to stay. Governments aren't just introducing laws, they’re also investing in regulators. This, I believe, is quite telling of where we are heading. Companies have to be ready for upcoming changes.”

‘Create the right culture by introducing smart processes’

“Nobody expects everyone in the C-suite to understand the minutiae of privacy legislation. But you still need senior leadership to champion privacy. If the CEO does not care, why should anyone else? It’s about creating a culture where people feel comfortable raising concerns. Think about whistleblowers in the news — these individuals didn’t feel their concerns were heard.”

“You create the right culture by introducing smart processes. At Omnicom Media Group U.K., we have a clear process to deal with any data mishaps. For example, if a client mistakenly sends us data, there are reporting mechanisms in place for team members. Plus, if a team is starting a new project, we’ve introduced a planning process to help them think about overlapping considerations related to privacy and marketing metrics. We get people to think about privacy, risk, and data at the start.”

“At Omnicom Media Group U.K., we also hold ourselves to account through a data ethics board that includes lawyers, privacy specialists, and clients too. This range of perspectives helps us more confidently make decisions on privacy issues and be deeply respectful in our approach.”

“Privacy-centric companies perform better than the rest”

“I’ve run the numbers and seen that privacy-centric companies perform better than the rest. In fact, our privacy-first partners have 20-30% lower cost per acquisition, by putting privacy first. They are respecting users, and it leads to a virtuous cycle. You don’t need to sacrifice performance for privacy.”

“If you want to build a privacy-centric organisation, my number one piece of advice is to be proactive, not reactive, in getting the right team in place. You should start by finding a legal representative with the right mindset. You need someone who can set a positive tone, be business-oriented, and be able to work with a range of stakeholders.”

“Next, bring in a proactive marketing team. Companies where marketing just follows what legal says are not privacy-first, they are legal-first, and there is a big difference. When legal and marketing work together collaboratively, your organisation will be set up for growth.”

“On top of that, you need a technical team that can clearly outline what is possible and what is not. You need this trio of legal, marketing, and technical teams to respect user privacy — and then get going.”

“Adapt, don’t hack”

“Privacy has been the main talking point in the industry for two years. There’s not a day that goes by without a conversation about privacy, in some capacity. The industry initially tried to identify quick fixes 一 or ‘hacks’ 一 to bypass privacy issues. Fortunately, the conversation has now progressed and companies are focusing on adaptations to embed privacy practices into their operations. In 2022, the motto is: ‘Adapt, don’t hack’.”

“Corporate leaders can set the right tone by having a chief data officer, a chief compliance officer, or both. They should have an understanding of legal regulations across geographies, which is important for cross-border work. These roles act as catalysts for change, and they bring all the teams together: legal, marketing, tech, analytics.”

“From there the teams should be thinking about the user and the user journey. Ask yourself: ‘If our customers knew what we were doing with their data, how would they feel?’ This helps teams determine if their actions are ethical.”

“Building a privacy-first organisation is not about gathering vast quantities of data but about building customer confidence and preserving data quality. Technology can help. Google Analytics 4 was built to be privacy-first. Clean rooms such as Google Ads Data Hub provide accurate, aggregated data to enable better marketing decisions. And with consumers seeking clearer privacy choices, Consent Mode allows us to respect the user’s opt-in preference and model the lost behavioural and conversion data.”