Securing the Digital World

Unintended Consequences as Marketing and New Data Privacy Regulations Collide

May 24, 2018 | by Holly Rollo, CMO |

On the eve of the newest data privacy regulations, marketing teams are either fully entrenched or just scratching the surface of understanding the tactical requirements, as well as the potential near-term impact on the business of marketing. Traditionally, corporate compliance was off in the distance with little consequence to marketing teams otherwise focused on launching exciting new global programs and driving pipeline.

Marketing leaders must anticipate – and prepare for – unintended consequences of data privacy regulations. They may need to manage stakeholder expectations or adjust KPI’s, depending on the current state of an organizations’ privacy and security programs. This could require resource redirection for a few process changes in the current quarter, or it could be highly disruptive and potentially stall execution over several quarters.

The internal process burden these new regulations pose across teams cannot be overstated and may result in a lag or stall of current marketing activities. There are three major unintended consequences marketing must anticipate, and one call to action.

Halting or reevaluation of marketing activities in flight
New requirements for data privacy, breach readiness and continuous compliance cut across many groups with a potential for misalignment of requirements, as well as decision-making and governance that may take time to sort through. Due to the sudden inspection and activity across multiple functions (IT, security operations, compliance/privacy, marketing and sales), and different interpretations of the requirements by those functions, outbound marketing activities may be halted as many organizations scramble to understand, discuss and agree on what customer/prospect data is ‘safe’ to use.

Updating the privacy statement on the website and updating opt-ins are just the tip of the iceberg. Reevaluate your programs in flight for prospect nurture, lead qualification being conducted by outbound calling, sending invitations to field events where multiple list sources are used, and reevaluating lead flow operations inquiry-to-close. Many marketing teams are not strangers to working across multiple lists and data sources stored in shared folders or in the proverbial rolodexes of the sales teams. But existing approaches or manual workarounds of list management to make programs work are no longer tenable.

Reevaluation of customer/prospect data strategy
For organizations headquartered in the EU, those in highly regulated industries, or global, publicly traded companies with a mature privacy program, new changes are just extensions of best practices already in place. Then there is everyone else. The marketing organizations most impacted are those within a global company who do not yet have integrated operations with a centralized CRM system and data strategy across marketing, sales and customer support. The stall will be compounded as it’s more difficult to manage preferences and create visibility of those preferences across functions and regions without a central system of record. It will be difficult for marketing, sales and support teams to understand which contacts have permissions (and which don’t) – and a person’s address cannot be relied upon as the determining factor.

In some cases, it could create overly conservative behavior as people may not understand the changes and how they impact digital or direct email engagement with customers, prospects, journalists, analysts, vendors, third parties, and so on. The unintended consequence may result in risk avoidance and internal churn as people seek clarification.

Reevaluation of the marketing ecosystem and martech stack
In an effort to manage risk, there will be a new wave of privacy and security audits of the marketing ecosystem and third-parties marketing teams have grown to depend on. Findings from more intense security and third-party risk assessments could result in either turnover, new compliance requests to the ecosystem, code updates or contract renegotiations for agencies, martech tool vendors and potentially consultants delivering data analytics or technical services for the martech stack.

Additionally, in the marketing data supply chain, companies who previously provided, or brokered, lists or targeting services may change their business model or policies thus impacting media programs and workflow process. This may cause logjams in marketing operations, procurement and IT teams supporting marketing; putting programs on hold indefinitely.

Crisis communication event due to a real or perceived breach
Due to the number of high profile breaches in recent years, it’s difficult for the public and news organizations to understand the difference between a data privacy violation, a security incident or a significant data breach resulting in a lot of room for misinterpretation on the latest ‘hack’. In addition, with social media and the crowded nature of the security landscape, people rush to judge situations, contributing to a quickly escalating news cycle. The tendency of organizations is to not say anything until all facts are gathered and solid conclusions reached. When it comes to a breach (or a perceived breach), it can take months, or even years, to fully understand. Recently, we’ve seen this approach often compound the problem as the level of social churn and press coverage does not directly correlate to the severity or sensitivity of the situation.

It’s important for every company to have a breach communication plan in place. This  is very different from a traditional crisis plan. For more information, please refer to this article in Harvard Business Review, Your Company Needs a Communication Plan for Data Breaches.


The world of marketing digitally transformed. This race to modernization brings with it new pressures due to the increase of data security threats and regulatory risk. Organizations best prepared are those with a unified strategy and aligned process for managing both digital security and risk across the marketing ecosystem.

While complying to new data regulations may take some effort and distract from key business objectives in the short term, in the long run, it gives organizations a forcing function to improve their strategy to protect customer data and better engage with their customers, prospects and ecosystem. Ultimately, it means interacting with customers when and how they want to interact with us. At the end of the day, this central to what modern marketers aspire to do.