The Weakest Link Series

ADMA’s “Am I the weakest link: Privacy edition” explores the idea that the privacy data chain is made up of six main parties – the marketer, the consumer, the platform, the agency, the government, and the board – all with the potential to be ‘the weakest link’. However, each of these parties contribute in different ways to the standard of data practices in Australia’s economy. Can we really point the finger at any one party?

In this article series, we will deep dive into each of the links in the chain, assess the areas for improvement and how marketers can help strengthen the chain overall.

The Marketer

As we look into the data privacy chain and assess the weak spots, the role that ‘the marketer’ plays, given their direct handling of consumer data, is a valid starting point. After all, there is no denying the importance of data in the marketing world. It is essential for business growth and nurturing existing customer relationships. However, the changing regulatory landscape in the governance of data practices will soon start to scrutinise and substantially penalise non-compliant behaviour. That’s why it is essential for marketers to understand their weaknesses when it comes to collecting and using data. By pinpointing these areas for improvement, marketers can work toward rectifying any sub-par data processes and strengthening their contribution to the privacy data chain.

In this article, we will explore three key weaknesses marketers have when it comes to data practices. That is, collecting excess data, not obtaining the correct consent, and limited formal compliance training. Each of these weaknesses has ramifications for both data privacy and for organisations, so we will discuss how to best remedy these areas for improvement.

Data overload

The combination of increased reliance on data across the economy and as a society, as well as new and evolving marketing practices in response, has led to concerns that marketers may be collecting more data than they need. However, collecting data beyond the needs of marketing activity risks a position of data overload and this is a serious weakness for marketers in their contribution to the data privacy chain. For data that amounts to ‘personal information’ under the Privacy Act, this puts businesses at risk of being in breach of Australian Privacy Principal (APP) 3, which requires businesses to only collect personal information that is "reasonably necessary" for its functions or activities; as well as APP 11 which requires a businesses to take reasonable steps to destroy or de‑identify personal information that is no longer needed.

In addition, holding excess data may increase the risk of exposure to a data privacy breach resulting in substantial financial penalties and reputational damage. Serious or repeated data privacy breaches can result in three potential financial penalties, the third of which is of particular concern for organisations that have been storing data for an extensive period of time. Business can be fined up to amounts as high as 30% of the entity’s adjusted turnover during the relevant (breach) period. That means being penalised 30% of the entity’s adjusted turnover from when the data was first collected.

For some businesses ’the relevant period’ could be decades. Most organisations would not be able to withstand a penalty of this size. That’s why holding onto both excess and historical data will put an organisation at increased risk of a breach and resultant penalties incurred.

The most straightforward way to address this marketing weakness is to purge all unnecessary data, with a particular focus on data that amounts to ‘personal information’ under the Privacy Act. Examine the data you have and then look at your marketing activity to determine what data you actually need. Anything above and beyond your business needs should be deleted. Be sure to also assess your data practices to avoid continuing to obtain unnecessary data. The less data you have, the less chance of a privacy breach. Instead, collecting and using quality data such as rich first-party data, over quantity data like easily accessible and endless third-party data, should be the aim.

Not obtaining the right consents

The importance of obtaining the correct consent should not be overlooked. When marketers lack a firm understanding of the different types of consent required for different scenarios, they will not seek the correct consent from their customers. This is another serious weakness that could result in both financial penalties for legislative breaches and a loss of consumer trust. Whether it has previously been missed through consent bundling, incorrect wording, or not seeking consent whatsoever, organisations cannot afford inadequate consent practices from here on. Instead, obtaining the correct consent for the circumstances and rigorously documenting this should be the standard procedure by marketers.

To raise the bar from compliance to best practice and being a responsible marketer, moving forward marketers should consider the likely implementation of the ‘fair and reasonable test’ in tranche two of privacy reforms. The fair and reasonable test will ask the question, “is the collection of this data fair and reasonable in the circumstances?” If as an individual you would not want your own data collected and used in those circumstances, then it is safe to say as a marketer that your customers wouldn’t either.

If it would be fair and reasonable to collect and use personal customer data in the circumstances, then obtaining explicit consent and documenting that consent will further minimise risks to your business of any unintentional breach and consequent penalisation. It is worth noting though that, while this approach will minimise risk to the business, the fair and reasonable test will mean that businesses can no longer ‘consent their way to compliance’. So even with the correct consent obtained, using the fair and reasonable test in consent practices will likely be required in future under proposed amendments to the Privacy Act, and starting to apply the test now will best position marketers and their organisations for swift compliance to new laws.

Lack of training and education

Marketers can no longer solely rely on legal and compliance stakeholders when it comes to the regulatory space. The role of a marketer has evolved and to be a true commercial marketer moving forward, a thorough understanding of all aspects of the role, including the relevant privacy and adjacent legislation governing marketing practices, is essential. However, the training and education

on privacy and compliance needed by marketers to achieve this is often deprioritised. Failing to remain upskilled in this critical area is a definite weakness for marketers.

When time and budget are scarce, deprioritising training and education is a common strategy. However, the long-term benefit of this investment should be considered. Upskilling in privacy and compliance will minimise business risk and drive business growth from increased customer trust and loyalty. Training and education also do not need to be lengthy or cumbersome. Online single day or self-guided courses are available which is an attractive option for individuals. Or if a larger team is in need, in-house bespoke style training will streamline skill sets within a team and business. With the options that are available and the criticality of this skill for marketers, training and education in the regulatory space should be a priority for all marketing teams.

As with any link in the data privacy chain, marketers have contributing weaknesses. Data overload, incorrect (or lack of) consent, and limited regulatory training and education all impact the integrity of the chain. However, as with the other parties in the chain, these weaknesses are completely understandable in the context through which they have been derived. While these weaknesses risk non-compliance and impact consumer trust and loyalty, they can be rectified. Taking the time to assess and adjust processes and procedures, conducting data-cleansing projects and investing in upskilling yourself and your marketing teams are all necessary steps toward improving these weaknesses. In doing so, the marketer is directly strengthening both their role in and the overall data privacy chain.

Next month in the Weakest Link series, we’ll delve into the consumer and what weak points they are contributing as an active party in the data privacy chain and provide solutions as to how these weaknesses can also be remedied.