The communication disconnect between marketing and legal when it comes to data


As the role of data grows with the rising demand of personalised digital experiences and advancement of technology, most companies have come up with their own set of data protection guidelines and regulations. But consumers are still victims of personal data misuse with the likes of Twitter, in August, admitting to sharing user data with measurement and ad partners without their permission. A month later, Apple also apologised for allowing its contractors to listen in on Siri’s audio recordings in order to test its reliability.

In Malaysia, data breach issues have also been prevalent with a string of recent data breaches by Malaysian firms such as Malindo Air and Astro. This begs the question of what are the gaps to be addressed.

Partner at Malaysian law firm SKRINE, Jillian Chia, who represents social media, IT, telecoms and tech companies, said one of the areas is the "disconnect" in communication between the marketing and legal teams currently. While most companies have a privacy policy, Chia noted that many are still not communicating to their legal teams about their marketing activities and how they plan to use the data. Speaking at A+M's Digital Marketing Asia, she said:

A privacy policy is useless if it does not reflect the actual practices on the ground.

And, marketers should be worried. "Everyone talks about building a business, but nobody thinks about the company is actually compliant with the law. One data breach and the years where you’ve taken to build up the brand's reputation go down the drain almost immediately," she explained.

One of the bad practices when it comes to data collection, according to Chia, is the lack of transparency. This includes hiding privacy policies or opt-out button behind confusing layouts, significantly more clicks, or fine prints. With pre-selected settings, users are also frequently sharing by data by default, unaware of the implications.

Meanwhile, by disallowing users to move forward or download apps if they do not give consent or accept terms and conditions, companies are effectively providing an "illusion of choice". Choices should be clear and readily available, said Chia, even if that means proactively prompting users to read the fine prints. She also encouraged companies to avoid unnecessary and confusing wording.

Asset or liability?

Agreeing with Chia on transparency in data collection at the event is Deutsche Bank VP Sha Nawaz, who cited how very few people know about how Facebook can track activities after users have logged out, and elaborated that there needs to be more education about things that are being done without the knowledge of the user in "plain English".

[A+M's PR Asia will come to Malaysia this November, gathering together some of the finest minds in industry to explore the exciting and developing world of digital PR. Join us for a series of exclusive case studies, interactive and thought-provoking discussions at PR Asia on 20 November in Kuala Lumpur, Malaysia. Register now.]

Most of the customers today believe their data is in safe hands and along with that trust, comes responsibility, he said. But data protection has proven to be a handful, spilling even beyond the deep pockets of several tech titans. Over the years, the landmark data breaches by companies such as Facebook, Twitter, Google, Yahoo, JPMorgan Chase and Uber have been making headlines. Nawaz said:

If large companies are suffering data breaches, then the small ones need to do a lot more.

The "best way" to safeguard data, according to Nawaz, is to have it untouched, but that is not possible if marketers want to analyse it and cover its true value.

With hackers that sometimes target companies, Nawaz said it is not only important to protect data from external bad actors, but internal ones as well. "Have a clear differentiation of roles, or what I call the maker and the checker. Do not let anybody have the full control. Always get someone else to validate and verify," he added.

Deutsche Bank implements two-factor authentication for both customers and employees to ensure authorised access. It has also put in place a policy to remove all necessary access when an employee leaves the organisation. These rules, are sometimes lacking, and it is therefore, essential for companies to create a role solely dedicated to data security, said Nawaz.

Every half a year, Deutsche Bank engages third party experts in hacking systems to conduct "penetration testing" and detect vulnerabilities. It also regularly organises hackathons. Nawaz explained:

Bad actors are always one step ahead. It is impractical to think that we will never be breached.

Additionally, he suggested that organisations have a clear differentiation between sensitive and non-sensitive data, and apply a level of security appropriate for the classification. Stored sensitive data, for instance, should be encrypted. Nawaz further encouraged firms to collect minimal data, limiting it to only what is necessary, and put in place a contingency plan for data breaches. Building a company culture that underscores the importance of cyber-security is also critical, he added.

[Digital Marketing Asia Conference is returning for a fourth year in Jakarta this October! Join us on 22-23 October as we hear from the greatest minds on how you can ably navigate the ever-changing digital marketing landscape and stay ahead of the game. Secure your seats today.]