The challenge for multi-nationals when addressing privacy choices
Across international operations, different stakeholders and personal data and communication privacy laws around the world, multinational organizations are increasingly challenged with addressing choice.
This is especially true now that some privacy laws require organizations publish information on their website about the number of choices they receive, if they denied or complied with the choices and the average amount of time needed to fully address the choices specified.
From incorporating flags or building out existing systems, standing up ticketing systems to facilitate internal choice requests and enterprise-class preference centers, organizations have more solutions available today than ever before.
Yet, what is good for one organization might not be the right solution for another. In our experience, the right solution is effective, lean and nimble.
The following offers insight into how an organization might gather the information about their choice management efforts needed to prepare for change, address inefficiency or evaluate different strategies and solutions.
What choice means, how it applies and who is responsible
At the heart of the matter, “choice” is central tenant of privacy, marketing and communication laws all over the world. Organizations must understand what choice means in relation to their business; especially across internal stakeholders, processing activities, systems and business partners.
Choice may be relevant to whether an organization can process personal data lawfully or use it in support of a specific business purpose.
For example, some processing activities require the organization to establish a legal basis before processing can begin; which may be dependent upon offering and capturing “valid” choices.
Choice can also apply to how personal data is processed; such as whether an organization can leverage automated decision making or profiling techniques; or even if personal data can be transmitted or made accessible to an internal stakeholder located in another country.
Choice may relate to addressing mandatory privacy rights; such as data access, portability or deletion requests. Choice can even apply in the context of communicating with individuals in support of relational, transactional and marketing needs and objectives and across the organization’s different communication channels.
To fully appreciate the impact of choice, organizations must first catalog the applicable choices and the stakeholders responsible for addressing choice.
Organizations can often rely upon existing information to facilitate these review efforts; such as lists of processing activities, processing dataflows, and personal data inventories often maintained by privacy departments.
Additionally, getting a list of systems from IT, and a list of business partners from accounting can also help speed up and qualify the scope of the choice review.
It is also useful to build a coalition of relevant stakeholders from research and development, marketing, operations and legal to help fully inform or qualify the “choice” within the organization.
Understanding the impact of choice
With the list discrete choices defined, work with the relevant stakeholders to define or validate the impact of fully addressing each choice.
Start by having each responsible stakeholder help define the flow of the choice from expression to completion. Be sure to include all systems, other stakeholders and business partners relevant to the choice as it progresses along the dataflow.
Additionally, take note to define where choice is addressed using automated or manual procedures. After completely mapping out the dataflow, take the time needed to define or affirm the total labor (or cost) and duration required to fully address each choice.
Consider the following tips when working through this exercise.
- Choices expressing an objection to the processing of personal data for legitimate interest or direct marketing purposes typically override the organization’s ability to lawfully process such data.
- Choices related to preventing automated decision making, profiling and “do not sell” may need to be addressed a deletion choice to the extent the organization has no meaningful way honoring the choice as specified.
- Choices can be addressed as a flag in a customer database, create a record in a suppression file or require the summary deletion of the personal data involved.
- The impact of choice relates to what the choice expressed represents, and the total effort and time required to fully address choice.
- Automated choice processes, such as automatically updating a flag or creating a suppression record, are most often associated with communication choices.
- Processing choices typically have a greater impact; requiring more time, resources and systems to help the organization authenticate identity, compile data from across different source, prepare and delivering copies of information.
- Time and duration measurements should begin when the choice is first expressed and end when all requisite actions are complete across all the relevant processing activities, stakeholders and systems.
Cataloging and affirming the management of choice across the enterprise helps organizations in several ways. First, this exercise helps the organization focus upon the complexity and risk profile associated with addressing choice.
This exercise can also be used to document and affirmatively demonstrate the organization is reasonably managing compliance obligations.
By completing this exercise, organizations are better able to identify inefficiency associated with where choice management efforts might be duplicated, risks are present or where additional focus may be required to address identified risks.
Additionally, we strongly advise organizations complete this exercise in advance of making any fundamental change to their choice management efforts; especially related to implementing choice management solutions.
The resulting insight can be easily be translated into RFPs, used to create development requirements and evaluate how closely third-party solutions align to the organization’s needs.
Chris Field, Corporate Privacy Director at Harte Hanks, November 2020
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.