Data Privacy and Reputation: Protecting Your Business

TLDR: Data privacy regulations are evolving fast, and businesses in breach face harsh financial penalties and reputational damage. Bring RevOps, legal, sales, and marketing together every quarter to set the agenda for your data privacy strategy, review your processes, and plan around new compliance requirements. Hiring a data privacy officer and investing in cybersecurity are strong measures to properly process and protect customer data.

The data privacy landscape moves fast. As regulations emerge worldwide, businesses that collect, store, and use customer data face a complex web of compliance responsibilities.

Businesses that breach data privacy regulations, even unintentionally, face steep consequences. Regulators can place data handling restrictions on companies and issue sharp fines. To date, EU regulators have enforced over €1.5 billion in penalties to organizations in breach, with an average of €1.4 million per fine.

In a time when people are more conscious than ever about how businesses handle their data, falling foul of regulations is an easy way to shatter customer trust.

Now is the time to act. To stay compliant, your RevOps team needs to know how the interlocking data privacy regulations apply to the territories where you handle customer and prospect data. In this Tough Talks Made Easy, you’ll learn to identify where the challenges and blind spots lie within your company, and the processes you should implement to keep on top of your responsibilities.


Challenges with data privacy

Companies tend not to proactively review their data privacy policy, which causes them to fall behind the times and incur fines. Many major markets (EU, Japan, India, Australia, Brazil, and some US states) have regulations that place responsibility on the organizations operating in these territories or collecting data on their residents.

While data privacy is more complex for organizations operating internationally, multiple regulations can apply even when doing business in one local market.

As the regulatory landscape evolves, it’s important to stay in the loop with how these frameworks shape your legal obligations and data practices. It’s particularly crucial if your business is considering expanding into international markets.

Organizations typically focus on online practices when designing a data privacy strategy, sometimes, to the detriment of offline behavior. The age-old challenge of sales and marketing alignment becomes relevant to compliance here.

Important: As Sales Ops and MOPs send customer and prospect data between platforms, both teams should know how they’re allowed to use and store this data to avoid taking actions that violate the privacy rights of people in the dataset.


Measures to take

To set the agenda for data privacy strategy, RevOps should get together with legal, sales, and marketing every three to six months. Across teams, you want everyone to have a good grasp of their responsibilities and have an eye on the regulatory movements that could impact their work.  


First, answer these questions during an initial meeting:

  • How are privacy and cookie policies evolving?
  • What are our regulatory requirements for each market we do business in?
  • How might our usage of tools and the web need to shift to meet new requirements?
  • What gaps do we have in implementing compliance policies?


Next, review your data processes:

From there, review your data capture, storage, and deletion processes. When capturing data, timestamp the date and time people submit contact forms, why they’re contacting your business, and whether they’ve opted in to receive marketing communications. For logging and auditing purposes, this creates evidence that you’ve lawfully obtained the authorized data.

For sales ops and marketing ops, set up filters to segment the people in your dataset based on the communications they’ve opted in or out of receiving. Read our piece on data hygiene to learn more.

For prospects who’ve unsubscribed from your communications, check in with legal to decide when to delete their data entirely. And it helps to test regularly that your measures are working as planned. Are your filters and timestamps working correctly? Are you deleting data when required? Are you storing it in secure places that don’t violate compliance policies?


Finally, hire a data privacy officer:

Hiring a data privacy officer is a smart move. DPOs are experts in:

  • keeping up with regulatory evolution
  • guiding policies and processes, and
  • educating people on the risks of non-compliance is a smart move to advocate.

If the budget to hire for such a role is a concern, it’s worth mentioning the penalties that regulators can apply. E.U. authorities, for instance, can enforce the GDPR with fines of up to €20 million, or up to 4% of a company’s global annual turnover.

For similar reasons, cybersecurity training and tools are worth pushing for. Data breaches decrease customer confidence and brand strength while making fines and legal action all the more likely—so by investing in data protection, you invest in protecting your customers and your reputation.


Create trust

People want to do business with organizations they trust.

By making a cultural and financial investment in data privacy, you get to:

  • keep your business from appearing under the limelight for the wrong reasons
  • avoid fines and restrictions on how your RevOps team uses data, and
  • better understand the processes to implement if you’re expanding into new markets.

Want to learn more about the actions you can take to remain GDPR compliant? Get in touch with us.

Will the EU’s Ban on Google Analytics Affect Your Company?

TLDR: To date, France, Italy, Denmark and Austria have banned Google Analytics—a trend that could continue throughout the EU. If your business depends significantly on Google Analytics or EU markets, your analytics practices and revenue could be at stake. Wherever the ROI makes sense, focus on using owned data for the countries affected by the ban, explore alternative tools that are GDPR-compliant, and invest in the education of a Data Privacy Officer to adapt to new and emerging regulatory developments.

Several key EU markets recently moved to ban Google Analytics. Data protection authorities in Italy, France, and Austria have deemed the practice of transferring user web activity and IP data to the US a violation of data protection laws. The bodies found the US lacks adequate safeguards to preserve personal data anonymity.

Businesses whose products, services, operations, and infrastructure rely significantly on Google Analytics would do well to explore alternative strategies and software, planning around the likely consequences of the ban and potential developments in regulation. This also applies if your business takes significant revenue from EU countries.

A potential move away from Google Analytics could make your data less accurate and accessible. It would also require setting up alternative web optimization and tracking mechanisms. Therefore, your CMO and CTO are chief among the people who should know the score.

In this Tough Talks Made Easy, we’ll help you talk them through the impact and outlook of the ban, along with some solutions to consider. The better educated your leaders are, the better prepared you’ll be to weather any disruption.


The impact of the ban

The gravity of the situation depends on how much Google Analytics drives your business. If your MOPs and RevOps teams use it greatly, your data collection, reporting, and forecasting powers are at stake.

No longer able to track web activity and IP data created from top-of-funnel initiatives, MOPs and RevOps will need to refocus analytical practices exclusively onto data they already own (e.g., captured leads living inside their system with consent expressed in compliance with the GDPR).

For now, the Google Analytics ban applies only to France, Italy, Denmark and Austria. To keep doing business in these countries, you’ll need to adapt your website and introduce new processes and tools as necessary to comply with both the GDPR and any local requirements. If your business is based outside of these countries, the ban equally affects your ability to use Google Analytics to process data from users in France, Italy, Denmark and Austria.

The key thing to remember: to stay compliant with the GDPR, you cannot transfer web and IP data from these citizens and countries to the US.

Actionable takeaways

Your CMO and IT will need to investigate the changes required to your website, subdomains, and data analytics processes to stop the tracking and transference of website data for these countries and their citizens.

Your CTO should consider the ROI of tools that offer similar capabilities to Google Analytics. Examples include:

Any new tool you consider should allow you to process data from France, Italy, Denmark and Austria in compliance with the GDPR and any country-specific regulations. Your Data Protection Officer (or a consultant with GDPR expertise) is also a good source of counsel on potential changes to your tech stack and infrastructure.

Of course, these changes take time, effort, and resources. If your CMO and CTO need a hand assessing the ROI of making adjustments and implementing more advanced processes, look at how much revenue your business sees from the countries impacted. If less than 5% of gross revenue comes from France, Italy, Denmark and Austria (and their citizens in other countries), it might make sense to rely solely on the data you own.


Future EU bans?

While the ban currently applies to just three countries, it’s sensible for leadership to think about how the regulatory landscape might evolve.

EU countries could increasingly move to ban Google Analytics and restrict the transfer of user data from the EU to the US, potentially leading to an EU-wide ban to streamline regulations in the bloc.

A sweeping EU-wide ban would take considerable time to enforce, though it would be a massive blow to companies whose data storage infrastructure is based in the US.

As a means of ensuring GDPR compliance, US companies wouldn’t see much success from storing their user data in the EU.

Companies exempting themselves from transferring data back to the US would ultimately violate the CLOUD Act, which asserts that US businesses must, at request, provide authorities in the US with data stored in their servers, regardless of where those servers are stored.

One emerging piece of legislation to watch is the American Innovation and Choice Online Act. If codified, the bill would ban large tech companies such as Google from using non-public data generated by business users to benefit the covered platform’s own products. The enforcement of new antitrust practices in the US could result in data transfers to the US being deemed acceptable in accordance with the GDPR.

Amidst it all, businesses that prioritize EU markets or have a significant EU presence may increasingly turn away from Google Analytics and adopt tools that guarantee GDPR compliance. A resulting rise in demand and availability of solutions that ensure GDPR compliance can help your CTO identify an alternative that allows you to keep doing business in the EU in the most optimal way.


The bottom line

The Google Analytics ban in various European countries is likely not an existential threat to your business—but if your services, operations, and infrastructure relies on the software or you get a significant portion of your revenue from the EU, it’s a situation that demands building resilience.

Wherever the ROI makes sense, turn your focus towards owned data for the countries affected by the ban, explore GDPR-compliant alternatives to Google Analytics, and invest in the education of a Data Privacy Officer to adapt appropriately to new and emerging challenges with data regulation.

Get in touch for more guidance on navigating your RevOps team through the data privacy landscape.