The Gist

  • Privacy by design. How important is privacy by design for organizations?
  • Privacy pioneers: Real-world examples of companies that have successfully balanced privacy compliance and user-friendly experiences.

CMSWire is holding its upcoming conference, CMSWire Connect, May 10–May 12 this year in Austin, Texas. The conference will host speakers from various domains within customer experience and the digital sphere. CMSWire is running Q&As with featured speakers leading up to the conference.

The rapidly evolving world of data privacy has become a pressing concern for organizations worldwide. As businesses strive to maintain compliance with emerging privacy regulations, striking a balance between a dynamic digital experience and respecting user privacy has never been more crucial.

In anticipation of the upcoming CMSWire Connect conference in Austin, Texas, CMSWire recently interviewed data privacy expert Kristina Podnar. During the discussion, Podnar touched on the most significant privacy regulations and trends that organizations need to be aware of in 2023, along with the importance of privacy by design.

She will be leading a session, [Breakout] Welcome to the Privacy Party - Having Your Cake & Compliance Too, at the CMSWire conference. You can also check out our CX Decoded Podcast discussion with her on privacy, marketing and customer experience.

Our conversation today with Podnar delved into real-world examples of companies that have successfully achieved the delicate balance between privacy compliance and user-friendly experiences, strategies to ensure supply chain partners adhere to privacy regulations, and how organizations can proactively adapt their strategies to stay ahead in the ever-evolving privacy landscape.

Data Privacy in 2023: What's Next?

CMSWire: Can you give us an overview of the most significant privacy regulations and trends in 2023 that businesses need to be aware of and comply with?

Kristina Podnar: I think that the most significant data privacy trend for 2023 will be “more of the same.” Firstly, you will see a growth in the privacy tapestry. With the first quarter of the year under our belt, we’ve already added Iowa’s new Consumer Data Protection Act (ICDPA) to the board, and more states will come online with their own data privacy laws.

It doesn’t necessarily mean they will come into effect this year; Iowa’s law won’t take effect until January 1, 2025, but the law is just one more piece on the chessboard to which marketers and the digital operations team will need to pay attention.

Secondly, you will see more organizations becoming transparent about their data privacy practices and giving individuals increased control over their personal data. This includes allowing individuals to access, correct or delete their personal information and opt-out of certain types of data collection.

Privacy by Design: Becoming the Standard for Customer Data

CMSWire: How can organizations effectively implement privacy-by-design principles to minimize compliance risks while still maintaining a dynamic and engaging digital environment for their users?

Podnar: Privacy by design is becoming a simple principle of how we do our work. On Feb. 8, the concept was even adopted by the International Organization for Standardization (ISO) as the 31700 standard, which allows organizations to be certified for compliance after passing a review by auditing firms like Deloitte, KPMG, and PwC.

I’ve said this for years about digital policies, and privacy by design is one of them: when you define a framework and give it to your workforce, you allow freedom and creativity to flourish. You free up individuals from always having to come and ask, “May I…” and instead allow them to maintain an engaging digital environment for users without going outside of the bounds of that framework or principle. The organizations I work with see this approach as helpful, and their consumers are the direct beneficiaries. I’ve seen it work repeatedly.

For example, I am working with a financial services company that used to present its data privacy policy on screen six, the final screen, and after a consumer filled out all personal information. The experience mimicked the paper form experience, and nobody complained. The organization adopted privacy by design principles, and, as part of this initiative, redesigned its mobile application consumer flow. Not only did they minimize the amount of data collected to the bare minimum, but they ensured that the user consented to the use of data in the screen flow and was educated about the request for data and how the personally identifiable data would be used by the company. Usability testing demonstrated a higher consumer satisfaction with the privacy by design principles. It’s a win!

CMSWire: Can you share some real-world examples of companies that have successfully managed to strike a balance between privacy compliance and creating a fun, user-friendly experience?

Podnar: I think Under Armour took one on the chin after its 2018 data breach and went all in on security and data privacy by design. It now does an amazing job of clearly outlining consumer choices around privacy and stepping through cookie choices, including how you can opt out of them. It may not be flashy, but it does build trust and it is a heck of a user-friendly experience.

Apple is obviously an industry standard for a reason. I think its privacy by design concepts are embedded into everything the company does, including its marketing spin. I’ve also gotten to see firsthand the work that Diageo, Mastercard, Shell, Ikea and Unilever are up to, and they all deserve kudos for stepping up to a privacy-first model.

Third-Party Data Privacy Compliance Matters

CMSWire: As businesses work with various partners and vendors in their supply chain, what strategies can they employ to ensure that all parties involved are adhering to privacy regulations and mitigating compliance risks?

Podnar: The number one issue that every single person in the industry is talking about is data passport or data provenance. Collectively, we all need to understand where the data we are using is coming from, who is giving it to us, do we have consent to use it, and is it fresh. That only happens when you have a passport for that data that travels with it and it can tell you where it’s been and whether you should trust the data or not.

Unfortunately, contracts and handshakes just don’t work. And compliance with promised practices of data laws and regulations simply doesn’t work for partners and vendors. Everyone has the best intentions, but in daily operations, when people are focused on keeping the lights on, data privacy regulations and mitigating compliance risks are often the first casualties of pragmatic prioritization.

CMSWire: How can organizations stay ahead of the ever-evolving privacy landscape and proactively adapt their strategies to ensure they remain compliant while fostering a lively and engaging digital experience for their customers?

Podnar: I think that for any organization, if you adopt safety and privacy by design, you just can’t go wrong. Every law and regulation we see anywhere around the world has the same core concepts embedded. The nuances are different and don’t get me wrong, that matters. But if you can get 80% of the way there by adopting these two principles, then the rest is a cakewalk.

And I have to say, the more organizations I work with, the more I am surprised that five years post GDPR and 10 years after we started truly paying attention to privacy in the digital space, we have marginally improved our practices. In the Global 2000s space I still see the inability to identify sensitive data seeping into the enterprise from third parties, or the export to an Excel spreadsheet from a database that contains Personally Identifiable Information (PII).

Those to me are signs of basic good governance. And if you can’t get those right, I don’t understand how you can move on to more sophisticated technology concepts such as AI and get those right.

The Privacy-Personalization Conundrum

Podnar will be one of many speakers at the May 10–May 12 CMSWire Connect conference. You can take a peek at her speaking engagement to learn more: [Breakout] Welcome to the Privacy Party - Having Your Cake & Compliance Too.
