How to Meaningfully Engage C-Suite Executives on Privacy?
Here is a scene most likely replayed in various boardrooms around the world. Someone is standing before a group of senior executives and/or board of directors (“C-Suite Execs”) about to give a presentation about the GDPR or CCPA. This someone is usually a high-level person within the company’s legal or compliance department, but will not usually be the General Counsel or Lead Compliance Head because they are too smart to do this themselves. Before this someone begins to discuss the rights of data subjects under the GDPR (typically the first topic addressed on slide 1) like Section 18 of the GDPR (the part that talks about the data subject having the right to limit the processing of his/her data), most C-Suite Execs will have begun to think, at best, of how they will meet quarterly revenue goals when their eyes hit slide 1 and begin to mentally drift away into la-la land.
Outside consultants and external law firms are very good at using the GDPR’s 4% penalty to help sell their services by “scaring” the C-Suite Execs into hiring them. But internal legal and compliance teams should know not to do this themselves when they are speaking with C-Suite Execs about privacy. Using the conventional “scare tactic” of repeating the admonition that the GDPR may impose penalties of up to 4% of global annual revenue will likely backfire because C-Suite Execs for public companies nowadays are threatened by so many laws or legal obligations that impose even more “massive” criminal and civil penalties (for example, insider trading, FCPA, anti-money laundering, treble patent infringement damages, IP infringement injunctions that interrupt entire business segments, third party trade secrets misappropriations and export control violations) that their minds have likely become too numbed and “desensitized” to let another law that imposes “a lot of penalties” scare or move them at all. They will instead likely see privacy as another nuisance item to be added to the “to do” list, usually towards the bottom of corporate priorities.
So, how can C-Suite Execs be aligned toward privacy goals? They need to be engaged on the right level. C-Suite Execs care about compliance but need to be engaged appropriately in a way that aligns their key concern (revenue generation) with privacy compliance. The best way to do this is to speak their language: how to make money. Data is increasingly a big way for them to do so.
Big Data is one of the key drivers of the 21st century economy. Data is often a neglected asset in most corporations. Most people see United Airlines as an airline company. I see United Airlines as a data company sitting on a treasure trove of first party deterministic consumer data with an army of loyal customers’ information stored in its reward programs.
Therefore privacy professionals need to engage C-Suite Execs on the level they care about: by helping them think of new revenue streams or expand existing ones. To do so requires privacy professionals to show C-Suite Execs how much corporate data is worth, how such data can be measured, managed and monetized. This is the first challenge of any seasoned privacy professional: envisioning ways for the company to make money from its pre-existing data (and ways to collect more) in a creative business-minded manner. (I will not give this magic sauce away for free here as my wife often admonishes, but you get the drift.)
Before the existence of any privacy law regimes like the GDPR, larger companies used to be able to exploit data, especially consumer data, relatively unchecked. Those were the proverbial “good old days” which are long gone. In order to generate revenue from a well-designed data monetization plan (something that I enjoy doing) in the 21st century, corporate leaders need to be mindful of privacy principles. In other words, privacy compliance enables data monetization. The second challenge of any seasoned privacy professional is crafting commercially-friendly and comprehensive solutions that enable data monetization defensible under the letter and spirit of privacy law while driving corporate objectives. A veteran privacy professional should be able to create commercial incentives that allow consumers to opt into data collection practices without playing legal word games on “consent”, extract “lessons learned” from key class action lawsuit cases to fashion best practices to guide data monetization, and lobby regulators on setting industry standards (see here on my “comply but advocate” principle).
For example, merely citing Section 18 of the GDPR will only fall on deaf C-Suite ears. But creating commercial incentives for the consumer not to exercise his/her data subject rights under Section 18 will lead to more fruitful discussions with C-Suite over lunch and wine.
Any good data monetization plan, however well-envisioned and defended, needs to be executed. Hence the third challenge facing a seasoned privacy expert: executing the privacy-friendly solutions in a manner that is amenable to scaling over time via strategic partnerships and/or on proprietary or third party platforms. I have presented many keynote speeches about a personal data currency or a data monetization exchange that could facilitate execution of data monetization plans.
Many of my lawyer friends (I have many) ask me why I am spending at least 2 hours each day reading up on the latest privacy developments, of which there are many. Why can’t I be like them and practice an area of the law that is relatively calm like marine insurance or real estate law? Passion is why. I believe that the future driver of revenue for any company is the ability to guide the convergence of hardware, software, platform and content so as to develop emerging products and services for the 21st century. Whoever can master data, its collection and monetization, will be in pole position to win new or expand existing clients, market shares and revenue streams, or land that dream job. Fun times to be practicing privacy law now. But this is also the time for experienced privacy professionals to rise to the challenge and prove themselves. They need to manage privacy risks and engage C-Suite Execs at the strategic level, execute a well-designed privacy program in a business-friendly manner at the tactical level, and efficiently resolve day-to-day issues arising from this program on the “nitty-gritty” level.