The CMO and CIO’s Action Plan for Marketing Data Security
December 8, 2021
As first-party data moves front and center, CMOs are looking to make maximum use of the first-party data the company has available, and the CIO is eager to help. The two share a common goal of using data to properly engage customers and prospects, while also protecting all sensitive data.
Collaboration is key to moving forward with a new data strategy, and a new data strategy is a must for future growth. Deloitte notes that "61 percent of high-growth companies are shifting to a first-party data strategy compared to only 40 percent of negative-growth companies."
For years, marketers used third party data for their audience targeting, while the data security team was busy locking first-party data away safely. Now that marketers need access to first party data, they need a comprehensive plan to access it securely.
While the marketer's goal is to create a cohesive 360-degree view of the customer, the CIO has been focused on keeping data fragmented and secure to adhere to regulations and minimize risk. Luckily, with the right approach, both executives can get what they need.
Create a Shared Roadmap
Marketers may never directly access highly sensitive data (due to securities concerns, for instance), and that's ok. The first step isn't about gaining access to data, but rather, gaining access to insights that help create a 360-degree view of the customer. CMOs and CIOs should work together to map out what data marketers want, what data CIOs can provide access to, and what data is very sensitive and may only inform the customer view through secure technology.
The team needs to map out the different security concerns of all the different components of the data supply chain. In addition to flagging sensitive data, this includes identifying the multiple places data is stored and where the data has come from.
Just as important, it includes the reality that not all permissioned data is the same; for instance, a customer might permission the use of first party data differently than second party data or might be comfortable sharing information with one brand or product line but not with another division under the same parent company umbrella.
The next step is to determine the best "work around" for the data that is important but not directly accessible. One option is to use a replacement approach where alternative data sources can serve as a proxy for more sensitive data.
For instance, behavioral histories built off loyalty data may be a non-starter, but strategically placed first party cookies may provide plenty of similar insights. It's also possible to create a new identifier built off the sensitive identifier, such as an encrypted identifier tied to loyalty data that keeps it safe.
Another option for gaining insight from hard-to-use data is to design layers of encryption, employing various forms including multi-party computation, hardware enclaves, hashing, and salting. Financial services companies will often store highly sensitive data using multiple forms or layers of encryption that allows for the data to be accessed and used across different parts of the organization in ways that do not compromise the security of sensitive info like someone's financial status or their social security number. The same approach can be used for marketing.
Marketers and CIOs can also use identity resolution to safely marry encoded users between internal systems and external ones for marketing use, similar to the way banks allow access to information for things like verification and transactions. Technology such as data clean rooms can keep sensitive data secure, while allowing the important insights to combine with other data sets to build segments for targeting, personalization and attribution.
With encoded or encrypted data, there are a few other important points to note. Executives need to also consider secure activation. Some sensitive data like health care and financial services data requires "on-premise" activation, meaning the data cannot leave or be shared. It's also important to consider how data will be flagged when it's collected so that it can adhere to on-premise requirements throughout its lifespan.
Finally, CMOs and CIOs need to think in terms of long-term flexibility and agility to accommodate shifts like changes to the major IDs that matter — and changes to what first party data needs to be accessed and by whom — as partnerships and targeting tactics start to emerge as critical to future success. CIOs may want to create new layers of encryption and internal keys to allow for safe data sharing or decide they need a new platform that manages custom ID data — or both.
Partners Inside and Outside the Company
With a plan in place, it's time to connect with the rest of the executives, particularly the privacy and legal team, who can review and revise accordingly. They'll likely scrutinize the plan based on regulations including CCPA and GDPR, as well as the company's own privacy policies and customer terms and conditions.
CIOs should be prepared to address questions about technical issues or future changes in regulation and how that affects the company's ability to keep data safe. For example, the team should think through how easy it is to reverse engineer encrypted identifiers and how vulnerable the company is to data leakage and work to minimize those risks in the final execution.
With these inputs in place, the team is ready to look for a technical solution to their data needs. From identity resolution to clean rooms, every company will have different needs with varying levels of complexity and data sensitivity.
An off-the-shelf solution from a current partner that has designed identity resolution and activation products may work for a company with relatively simple data collection and use. For larger or more sophisticated companies, however, they'll likely need a more custom approach.
In their search for the right solution, CMOs and CIOs need to think in terms of long-term flexibility and agility to accommodate shifts like changes to the major IDs that matter, and changes to what first party data needs to be accessed and by whom, as partnerships and targeting tactics start to emerge as critical to future success.
CIOs may want to create new layers of encryption and internal keys to allow for safe data sharing or decide they need a new platform that manages custom ID data, or a mix of both. The goal should be for both continued security and continued marketing success.
Nancy Marzouk is the CEO at MediaWallah.
The views and opinions expressed in Marketing Maestros are solely those of the contributor and do not necessarily reflect the official position of the ANA or imply endorsement from the ANA.