The ‘privacy experience’ is fast becoming a key component of the customer experience for leading customer-centric organizations.


Building an operationally efficient privacy experience that also aligns with business objectives, customer expectations, and legal regulations requires the business to consider several different factors, because the entire ecosystem around consent, privacy, and preference is still developing.


Here are five emerging factors that are both challenges and opportunities for enterprise-scale companies to consider as they build a privacy strategy designed to sustain even in the face of constant change. 






Elevating CX with the privacy experience


Investing in the ‘privacy experience’ as a competitive differentiator is a strategy that many customer-centric companies are taking seriously in 2023. While the bar was set way back in 2014 by Apple, which put the privacy experience at the center of the iPhone’s product experience, companies such as Slack and DuckDuckGo have also carefully positioned themselves as champions of customer privacy since. 


Creating a winning privacy experience today requires brands to better understand customer preferences and expectations around privacy; leverage technology to execute the privacy experience seamlessly and efficiently; promise transparency and accountability to build trust; and ensure a better user experience despite the increased layers of security, privacy, consent, and preference — all while still adhering to work-in-progress legal regulations that vary by geography and industry.


In this context, brands that evaluate and act on these five emerging privacy challenges can turn them into opportunities that can sustain their privacy advantage well into the future.


Top 5 Enterprise data privacy challenges in 2023


27 - Privacy challenges - Body 1


1 - Privacy as a function

For the last few years, companies have invested a considerable amount of time, resources, and effort in becoming privacy-compliant. However, ownership of the initiatives has been changing hands and still remains rather fuzzy. What started with legal teams was passed over to data security and IT teams, and now, increasingly, is making its way to marketing and sales teams, which happen to be the primary generators and users of customer data. 


While data breaches and security violations are only one part of possible customer data privacy violations, many functions are also at risk of inadvertently violating data privacy laws in the way they collect, manage, process, store, share, use and dispose of data. 


While it's obvious that all internal stakeholders need to align and work together to build a privacy-first organization, approaching data privacy as an independent function can dramatically improve the chances of alignment, and help achieve privacy goals such as operational excellence, legal compliance, and customer trust.


The scope of a privacy function could include: 


  • Building a privacy strategy based on privacy-by-design principles and stewardship of the privacy experience across all touchpoints 
  • Data governance: defining processes for the collection, storage, usage, sharing, and disposal of customer, employee, vendor, and partner data, as well as handling DSAR requests
  • Liaisoning with legal, IT, data (CISO), marketing, sales, and other business functions to build an optimal privacy tech stack, including choosing the right vendors.


Where to begin:

Committing to set-up a privacy function will require clarity and concrete action on aspects such as:


  • Organizational structure: will this role be full-time or part of the business, tech, or legal team responsibilities? Who will the ‘chief of privacy’ report to? For example, the CISO, CMO, or CEO? What will their mandate include and how will decision-making be split between the functional owners and the privacy owner? Will each geography need its own privacy leader or will the function be centralized?

  • A talent acquisition strategy: finding privacy-oriented or privacy-trained professionals adds a layer of value above functional qualifications and may soon become a key hiring factor. A privacy leader can also institute a training strategy that goes beyond standard annual compliance training to create internal privacy experts across functions that use data to do their work.

  • Allocating a functional budget and defining the right KPIs and metrics to measure impact on and value created for the business.


2 - Creating a privacy roadmap

Operationalizing privacy is challenging. It involves multiple stakeholders that use data about external entities to do their job. For instance, product design and UX, engineering, data security, data science, marketing, sales, customer service, legal, HR, procurement, and finance teams.  


Aside from cross-functional collaboration, it also demands operational alignment with existing workflows, technical integration with multiple systems, and legal compliance with a myriad of ever-changing laws. 


A roadmap to design, plan and implement a successful privacy program should be robust enough to comply with current laws, and agile enough to evolve and scale with the changing needs of the business, industry, regulations, and customer expectations.


Where to begin:

Use a phased approach to create a privacy roadmap capable of handling the complexities of enterprise-scale organizations:


  • Discovery phase:  review existing internal and external data practices, policies, people, and technologies for a comprehensive privacy impact assessment. Identify gaps and risks in the current setup; and make a realistic evaluation of the current level of privacy maturity.
  • Designing the program: the privacy strategy should address current gaps and also align with the future product development roadmap, technology roadmap, and business priorities. This is the right time to think about privacy-by-design as the guiding framework to operationalize the privacy strategy, and garner buy-in for the privacy ‘mission and vision’.
  • Implementation: establish clear objectives, metrics, and timelines for achieving data privacy goals including early wins (first 6-12 months);  evangelize the benefits of privacy with concrete case studies of risk reduction, improved customer experience, or better operational efficiencies; and finally, put in place a training plan to create privacy champions across key functions. 


3 - Omnichannel data collection

As the era of third-party data comes to an end, marketing will need to be increasingly privacy-conscious. But the unrelenting data deluge, in terms of volume, frequency, and diversity from an ever-increasing set of data sources, channels, platforms, and devices means marketers struggle to control and streamline data management workflows across all touchpoints. 


Marketing leaders need new strategies to address realities such as endless data generation and collection; the shift to high-quality zero- and first-party data; or the need to reconcile customer data from various digital and physical sources for a seamless customer experience.


Where to begin:

While managing data from the privacy perspective can quickly become overwhelming, many enterprise-scale organizations are considering a “data minimization strategy” to help address the challenges and use their data more effectively. The concept begins with scrutinizing the data collected from individuals (customers, employees, partners, and vendors), and scaling it back to collect essential information only. 


The approach needs clarity on why the company is collecting any piece of data in the first place, what exactly they plan to do with it, and visibility and insights into outcomes from that data collection and use. Getting started could be as basic as setting up standard operating procedures to ensure any function collecting data has first defined the purpose, the nature of processing needed, storage duration, and a plan for safe disposal.


Customers want more relevant and timely marketing, but they also want to know their data is safe and their privacy is protected. Omnichannel marketers need to find the right balance between a need-based collection of preference data which evolves as the relationship with the customer deepens, and technology to mine insights from anonymized data without needing more customer PII. 


4  - Privacy and new tech 

Generative AI, blockchain, AR, VR, the Metaverse, edge computing - these are not the future, they are all already here. And unfortunately, many companies do not have clarity on how to process data collected or shared on these new technologies in a compliant manner.


AI is just one of the most obvious examples. For marketing and sales teams generating and using customer data, AI and tools using large learning models (LLMs) have become a double-edged sword. On one hand, AI has transformed intelligent automation, data anonymization for marketing use cases like segmentation and targeting, and the creation of look-alike identities without violating anyone's privacy. 


But it is also becoming increasingly clear that tools using large learning models (LLM) are most likely not GDPR compliant. This is because almost all LLM tools have been trained with publicly available information, including any that human customers may have shared on the internet. 


For example, it is possible generative AI may create content that includes the PII of a specific individual because the model was trained on it. Even though it was data already in the PII, it was not intended for this purpose and could be seen as a privacy violation of Article 5 of GDPR, which requires personal data processing to occur in the context of purpose limitation, data minimization, and accuracy. 


Where to begin:

When it comes to privacy preservation in the context of machine learning, marketers need to take ownership of how the model uses the data and control how it is shared in the public domain. 


Keeping track of evolving regulations in this regard is key. For instance, the EU is already working on the European Declaration on Digital Rights and Principles for the Digital Decade, and the US government is working on an AI Bill of Rights which could provide businesses more clarity. 


5 - Building a privacy tech stack 

The tools and technologies used to build, run and grow privacy-related initiatives, including compliance, consent, and preference collectively form the privacy tech stack. While many SaaS tools in functional stacks - for example, the martech stack, JHRtech, or fintech stack - would already have certain compliance features in place, privacy-first organizations are investing in building an independent privacy tech stack to enable a range of more advanced privacy use-cases.


Some key elements of an enterprise privacy tech stack could include:


Enterprise privacy program management platforms

Designed specifically for enterprise-scale privacy offices, these platforms help maintain and monitor the end-to-end privacy program and automate privacy-related workflows such as audits, reports, and notifications to ensure all data privacy obligations are being met without a gap.


DSAR handling infrastructure and fulfillment tools

As consumers increasingly become aware of their privacy rights and demand more control over their data, companies need to put watertight, responsive, and compliant DSAR infrastructure in place to respond to such requests as well as to take immediate action, including data deletion from all systems. Enterprise-scale organizations need to automate this workflow to ensure no gaps or manual errors of omission occur.


Consent management platforms

These platforms use banners, notices, pop-ups and forms to collect, track, demonstrate, and manage visitor and customer consent across web, mobile, and offline channels. However, while most brands have a consent management platform in place, the overall experience of asking for visitor consent varies depending on the platform's capability. 


Increasingly privacy-first brands prefer white-label solutions that are easy to embed and integrate with existing data and marketing platforms and are reflective of their brand values and voice. This ensures a seamless and safe experience for customers while ensuring compliance with all regulations.


Preference management platforms

These are increasingly a privacy tech stack staple, and help do two important things. First, it lets brands give their customers access to a dedicated space where they can manage their consent and preferences and control their data at any stage of their relationship with the brand. Second, it helps brands collect crucial zero-party data through the lifetime of the customer and derive insights about customer preferences to make more informed marketing and communications decisions.


Where to begin: 

Building a privacy tech stack is new for many organizations. Joining a brand-neutral community that helps understand what your peers are doing in similar industries across the world can be a great starting point to make the most informed decisions and invest in the right technologies. 


Addressing challenges for a sustainable privacy strategy


Privacy is an increasingly complex, interconnected, and evolving space. Customer-centric brands strive to elevate it from a mere compliance task to a strategic initiative built around privacy-by-design principles and a commitment to positive privacy experiences. 


business.didomi.iohubfsWhy marketers should care about ‘Privacy by Design’ in a downturn


Addressing these five challenges today with decisive action can help create a sustainable privacy strategy that can not only withstand constant changes but also help create a real competitive differentiator for a brand over the long term.


Talk to an expert