Get Instant Access
to This Blueprint

Security icon

Privacy by Design for Digital Marketing

Mitigating data protection risks while enabling your business growth.

Organizations are facing increasing stringent and ever-changing legal obligations to protect customer rights with respect to marketing activities.

Data subjects’ privacy online is more important than ever; marketers have a responsibility to uphold their rights to it.

While there are great rewards to being privacy-first, the consequences of getting it wrong are correspondingly troubling. Brands who don’t give privacy the attention it deserves risk losing the trust and respect of their customers.

Our Advice

Critical Insight

Design your digital marketing operations to be privacy-centric. In the consumer world, transparency, trust, and control of personal data is key to expand your customer base. Embed privacy by design principles into the digital marketing lifecycle and processes to enable business growth while managing data protection risks.

Impact and Result

  • Embed privacy by design principles into the digital marketing lifecycle and processes to enable business growth while managing data protection risks.
  • Operationalize data protection practices for marketing processes such as being transparent, providing meaningful choice and consent, purpose limitation, data minimization, etc.

Privacy by Design for Digital Marketing Research & Tools

1. Privacy by Design for Digital Marketing – A brief deck that helps organizations to embed privacy by design principles into the digital marketing lifecycle and processes to enable business growth while managing data protection risks.

This project will help you embed privacy by design principles into the digital marketing lifecycle and processes, operationalize data protection practices for marketing processes, and implement privacy controls that strike the best balance between meeting regulatory obligations and minimizing operational disruption.

2. Privacy Readiness Assessment Tool– A tool to assess your digital marketing privacy readiness and identify gaps and mitigating controls.

This tool uses a structured method with actionable checkpoints to assess your digital marketing privacy program’s readiness level.


Privacy by Design for Digital Marketing

Mitigating data protection risks while enabling your business growth

Executive summary

Your Challenge

Common Obstacles

Info-Tech’s Approach

  • Organizations are facing increasingly stringent and ever-changing legal obligations regarding the protection of customer rights with respect to marketing activities.
  • Data subjects’ privacy online is more important than ever, and marketers have a responsibility to respect this.
  • While there are great rewards to being privacy-first, the consequences of getting it wrong are correspondingly troubling. Brands who don’t give privacy the attention it deserves risk losing the trust and respect of their customers.
  • Marketers have substantial ROI business pressure to collect as much information as they can; they are also under legal obligations to justify that data usage in delivering value to the customer. Ethical marketing involves not losing or selling customer data, only collecting the necessary information for a given purpose, and giving people control over their data sharing
  • Marketers need to intelligently respond to the various contexts or moments in the customer journey.
  • Embed privacy-by-design principles into the digital marketing lifecycle and processes to enable business growth while managing data protection risks.
  • Operationalize data protection practices for marketing processes such as being transparent, providing meaningful choice and consent, purpose limitation, minimizing data, etc.
  • Design and implement privacy controls that strike the best balance between meeting regulatory obligations and minimizing operational disruption.

Info-Tech Insight

Design your digital marketing operations to be privacy-centric. In the consumer world, transparency, trust, and control of personal data is key to expand your customer base. Embed privacy-by-design principles into the digital marketing lifecycle and processes to enable business growth while managing data protection risks.

Executive Summary

Customers’ feeling of control over data is key for the success of marketing operations.

The emerging regulatory landscapes and changing tech platform policies have significant impact.

Embed privacy-by-design principles into the digital marketing lifecycle to enable business growth while managing data protection risks.

  1. Customers’ data privacy concern
  2. The “Ipsos Global Trends ” online survey shows that 73% of internet users aged 16-74 globally are concerned [1] about how the information collected about them when they go online is used. When customers feel in control over use of their personal data online, they consider the advertising 2 times more relevant, and they take 3 times more positive reactions.

  3. Emerging data protection landscapes
  4. Organizations are facing increasing stringent and ever-changing legal obligations with respect to marketing activities, such as US CAN-SPAM, Canada CASL, EU GDPR, ePrivacy, CCPA/CPRA, Colorado CPA, etc.

    More than 130 + countries have put in place legislation to secure the protection of data and privacy.

  5. Privacy-by-design principles
  6. The future of marketing is shifting to the collection of first-party data that a company owns and controls.

    As more marketing channels and services emerge, marketers need to intelligently respond to the various contexts by embedding privacy-by-design principles into marketing processes to enable business growth while managing data protection risks.

[1] Google, Ipsos. Privacy by design: exceeding customer expectations. 2020.
[2]Rafael Garcia. How Apple’s Privacy Move Could Affect Your Wallet. 2022.

Embed privacy by design into digital marketing practices

Strangers

Attract

Social Publishing

Keywords

Websites/Blog

Visitors

Convert

Forms

Calls-to-Action

Landing pages

Leads

Close

CRM

Email

Telemarketing

Customers

Delight

Surveys

Smart Content

Social Monitoring

Promoters

Most Applicable Privacy-by-Design (PbD) Principles

1. Data hygiene for sharing: Only share minimum necessary data with vendors. Anonymize, pseudonymize, or aggregate data whenever you can.

2. Vendor risks mgmt.: Mitigate vendor risks during pre-contract, contract signing, post-contract phases.

3. Be transparent: Be clear and meaningful about which data your company collects and processes to deliver its experiences.

4. User choice and consent: Give people control and options (i.e. opt-in, opt-out) for their data sharing.

5. Data/Storage minimization: Only collect necessary data for a given purpose and store the data for the period that is necessary for operations.

6. Purpose limitation: Only use data for the purposes declared in the notices or permitted by laws.

7. Data security: Design and implement solutions to assure the confidentiality, integrity, and availability of the data collected.

8. Data subject request: Be responsive to data subject requests within the required timeframe.

Examples of Best Practices

  • De-identify personal data before sharing with marketing vendors.
    • For example, only share hash value of personal data with social/content platforms.
  • Sign data processing agreements (DPAs) with marketing vendors to mitigate the privacy-related risks.
  • Provide concise, transparent, intelligible, and easily-accessible privacy notices.
  • Collect valid consent (opt-in or opt-out).
  • Properly configure settings for essential, functional, performance, and targeting cookies.
  • Establish and maintain a data inventory with lawful basis and purposes defined.
  • Establish and execute a data retention schedule.
  • Always provide opt-out options while communicating by email.
  • Implement appropriate security measures.
  • Establish a consistent process to handle the data subject requests; be ready to delete or anonymize data when needed.
  • Ensure marketing list is up-to-date and reflects a data subject's preferences.

Info-Tech Insight

Design your marketing operations to be privacy-centric. In the consumer world, transparency, trust, and control of personal data is key to expanding your customer base. Embed privacy-by-design principles into the digital marketing lifecycle and processes to enable business growth while managing data protection risks.

Digital marketing landscape

Digital marketing is a broad category of channels, technologies, services, and practices. The main concepts are listed below.

Digital marketing technology adoption has exploded and may impose substantial privacy risks

The image contains a screenshot that lists the main concepts of Digital Marketing. The main concepts include but are not limited to: Mobile, Social Media, Email, Marketing, Web Presence. The image contains a screenshot of a pie chart that demonstrates the Marketing Technology Solutions.

New technologies such as AI, marketing automation, and predictive analytics are being introduced into the marketing space. The data from IAPP Global Privacy Summit 2022 shows that there are more 8000 solutions available in the marketing technology space; categories are broken down in the chart above.

Info-Tech Insight

Technologies used in online advertising, and the way they are deployed, have the potential to be highly privacy intrusive. A privacy impact assessment should be conducted to identify and mitigate privacy-related risks.

Privacy implications and tech initiatives

Privacy implications to consumers

Tech platform privacy initiatives

Privacy implications*

Description

Browser privacy enhancement

  • Apple Safari Intelligent Tracking Prevention (ITP)
  • Mozilla Firefox incorporates several tracking protections such as Enhanced Tracking Protection (ETP), Total Cookie Protection (TCP) and Enhanced Cookie Clearing (ECC)
  • Brave browser automatically blocks online adverts and tracking by default
  • Microsoft Edge tracking prevention
  • DuckDuckGo browser extension

Advertising identifiers

  • Apple’s Identifier for Advertising (IDFA)
  • Google Advertising ID(GAID)

Cross-Site/App tracking restriction

  • Apple App Tracking Transparency (ATT) framework
    • Opt-in rate is 37% in US, 46% globally (as of April 2022, IAPP Global Summit 2022)
  • Google Privacy Sandbox (GPS)

Lack of autonomy and loss of control

Where individuals are aware of tracking, they may not like it but feel powerless to stop it. This reduces their ability to choose freely without external influence and deprives them of meaningful control over the processing of their data.

Power and information asymmetry

The opacity of online tracking creates both power and information asymmetry. Organizations may process significant amounts of personal data. They may undertake profiling and draw inferences in ways individuals would not reasonably expect.

Manipulation and influence

Extensive processing about people’s behavior, preferences, and attitudes may enable manipulation and influence.

Misuse

Data collected for one purpose is re-used or misused for other purposes that are not compatible with the original purposes of collection.

Lack of confidentiality

Significant security risks may arise due to the volume and extent of personal data processing, the number of different organizations involved, and reliance on contractual controls as control measures.

Reduce trust and confidence

Individuals may avoid using digital services which may then result in unrealized benefits across the economy. The availability of personal data may drop, leading to collection of more of it in covert ways to compensate.

*UK ICO. November 25, 2021.

Info-Tech Insight

Consumers are more comfortable sharing their data when they understand what’s in it for them. When people trust the ethics of a company, and have positive and enduring relationships, they are more comfortable sharing data.

The current landscape of privacy laws

The image contains a screenshot of a world map, and it has labels scattered across it to point out the different countries and their privacy laws. They countries are: Canada, US, Argentina, EU, UK, Egypt, Brazil, South Africa, China, Japan, South Korea, Malaysia, Australia, and New Zealand.

More than 130 + countries have legislation to secure the protection of data and privacy

Info-Tech Insight

As more social and economic activities take place online, the importance of privacy and data protection is increasingly recognized. Equally of concern is the collection, use, and disclosure of personal information to third parties without prior notice or consent from consumers.

PbD Principle 1 - Data hygiene for sharing

Technology

How it works

Advantage

Disadvantage

Masking

Replaces some characters in the attribute value with fixed special characters; e.g. an asterisk (*). Dynamic masking rewrites data on the fly, typically using a proxy mechanism.

Keeps some attribute information and the length of messages.

The information could be identified; data cannot be restored, and much of the attribute information is lost.

Truncation

Abandons the last several characters in the attribute value to ensure data fuzziness.

Keeps some attribute information.

The information could be identified; data cannot be restored, and much of the attribute information is lost.

Noise addition

Abandons the last several characters in the attribute value to ensure data fuzziness.

Keeps some attribute information.

The information could be identified; data cannot be restored, and much of the attribute information is lost.

Date offset for rounding

Offsets and rounds the data, abandoning accuracy for security of the original data.

Ensures data density in time layout.

If a record is known, it is easy to deduct approximate values of other records.

Shuffling (or mixing)

Shuffles data randomly recorded in a field of a table. Complete shuffling or replacement must be ensured, with all data fields in all data sets processed in this way.

Cannot restore data after random shuffling.

Cannot be used alone; identifiers must be deleted jointly.

Hash

Converts data using such hash functions as salts and keys.

The data length is fixed, computing is fast, and data cannot be restored.

Prone to brute force cracking.

Tokenization

Replaces the card ID using encryption, an index function, or a random number-generation algorithm.

The data is not lost and can be restored.

A conversion relationship between an ID and token needs to be established and stored in a secure section.

Info-Tech Insight

De-identification (i.e. pseudonymization and anonymization) methods and processes must be documented, ensuring that the methods being used are being implemented correctly and can be verified.

PbD Principle 2 - Vendor risks management

End-to-end third-party privacy risk management

Core components of a DPA

  1. Pre-Contract
    • Due diligence check
  2. Signing of Contract
    • Data processing agreement
  3. Post-Contract
    • Continuous monitoring
    • Regular check or audit
  4. Termination of Contract
    • Data deletion
    • Access deprovisioning
  • Defined data processing roles
  • Security controls
  • Compliance demonstration
  • Defined contract processing
  • Data breach notification and handling
  • Cross-border transfer
  • Processing instructions
  • Data secrecy and staff awareness and training
  • Termination of Service
  • Sub-processor
  • Data subject request
  • Liability and indemnity

According to the Ponemon Institute (2018): 61% of organizations experienced a data breach caused by their supply chain in 2018. Only 29% of organizations believe a third-party vendor would notify them of a data breach. Only 28% of organizations believe they will be notified when a third-party shares data with an Nth party.

PbD Principle 3 - Be transparent

Case Study

Key Components of a Privacy Notice

Info-Tech Insight

The CNIL imposed a financial penalty of 50 million euros against Google LLC

“On 21 January 2019, the CNIL’s restricted committee imposed a financial penalty of 50 million euros against the company Google LLC, in accordance with the General Data Protection Regulation (GDPR), for lack of transparency, inadequate information and lack of valid consent regarding the ad’s personalization.[…]

  • First, the restricted committee notices that the information provided by Google is not easily accessible for users.
  • Moreover, the restricted committee observes that some information is not always clear nor comprehensive.”
  1. The identity of the organization
  2. What personal data you collect
  3. Why you collect this personal data
  4. How you collect personal data
  5. How you use personal data
  6. How you share personal data with third parties
  7. How you store personal data
  8. Personal data cross-border transfers
  9. How you protect data
  10. How you treat children’s personal data
  11. Your data subjects' rights
  12. Contact details

Your privacy notice explains your commitment to the data subject. Make sure it’s accessible at the beginning of all data collection activities.

Source: CNIL, 2019

PbD Principle 4 - Direct marketing user choice and control

The image contains a screenshot example of the Direct Marketing user choice and control.

Case Study

Greece HDPA v. OTE, Cosmote, Wind and Vodafone, 2018

HDPA fined OTE, Cosmote, Wind and Vodafone €150,000 each for unsolicited communications in October 2018.

The HDPA noted that it had received a large number of complaints by individuals who had been contacted for direct marketing purposes, despite being included in the opt-out registers. Furthermore, the HDPA highlighted that upon receipt of the complaints, it had conducted investigations and issued warnings to cease such communications, which were not complied with. This led to the imposition of the fines, in accordance with Article 10 of Law 2472/1997 on the Protection of Individuals with Regard to the Processing of Personal Data, and Article 11 of Law 3471/2006 on the Protection of Personal Data and Privacy in the Electronic Telecommunications Sector.

Info-Tech Insight

The consent for direct marketing and data processing should be obvious, prominent, and not bundled with other terms and conditions. You must have separate tick boxes for accepting terms and conditions.

PbD Principle 4 - Cookie settings

Data protection regulators have issued over 90 enforcement orders relating to cookie compliance. Large fines for cookie non-compliance have been issued against Google (€150m) and Facebook (€60m).

Cookie Types

Essential cookies

Essential cookies or strictly necessary cookies, required cookies

Non-Essential cookies

Functional or personalization cookies

Performance cookies

Targeting cookies, or advertising cookies, marketing cookies

noyb.eu filed 422 complaints with ten EU data protection authorities in Aug. 2021. The biggest issue was making revocation of consent as easy as giving consent. Only 18% of the companies added such an option (a “reject” button) to their website.

Cookie Setting Practices

★☆☆☆☆

Implied Consent

No choice of consent or rejection or both

not recommended

★★☆☆☆

Global Consent Only

Choice only available for “Accept All” or “Reject All”

Insufficient in certain jurisdictions (i.e. France, UK, Spain and Germany, etc.)

★★★☆☆

Granular and Layered Consent Option 1

All cookies enabled by default

Should be vetted in certain jurisdictions

★★★★☆

Granular and Layered Consent Option 2

Some cookies disabled and some cookies enabled by default

Generally acceptable practice

★★★★★

Granular and Layered Consent Option 3

All cookies disabled by default except essential cookies

Most consumer-friendly practice

PbD Principle 4 - Email campaign

Different jurisdictions have different requirements. The diagram illustrates the steps an organization can follow to design its email campaign strategy and operations.

Case Study

Email Marketing Privacy Considerations

UK ICO vs. Everything DM Ltd, 2018

The ICO fined Everything DM Ltd £60.000 for sending 1.42 million emails without the correct consent on Sept 6, 2018. Everything DM, direct marketing specialists based in the UK, acquired lists of email addresses and sent emails on behalf of its clients for a fee.

The ICO found that while some data subjects had consented to receiving emails from unspecified "partners" and/or "Third-Party companies," those consents weren't valid because neither Everything DM nor the third-party clients on whose behalf Everything DM was sending emails had been specifically named in those consents. In addition, the emails gave the impression they were sent by the clients directly, but Everything DM actually sent the emails.

Steve Eckersley, ICO director of investigations, said, "Firms providing marketing services to other organizations need to double-check whether they have valid consent from people to send marketing emails to them. Generic third-party consent is not enough, and companies will be fined if they break the law."

The image contains a screenshot example of the Email Marketing Privacy Considerations.

Info-Tech Insight

Understanding your audience (i.e. consumers or organizations) and the current business relationship is critical for conducting an Email campaign and complying with privacy and data protection laws and regulations.

PbD Principle 5 - Data retention

Some business leaders will perceive indefinite retention as a benefit for business intelligence reasons (there’s always another potential use for data). However useful it may be, unnecessary personal data will cause additional headaches in the event of a breach.

  1. Requirements
  2. Privacy laws and regulations

    Business needs

    Security protection such as data classification

  3. Governance
  4. Data retention policy

    Data retention schedule

    Cross-functional collaboration (i.e. IT, Business, Legal, etc.)

  5. Enforcement
  6. Data deletion or de-identification

    Monitoring and audit

Case Study

The German DPA v. Deutsche Wohnen, 2021

The German DPA fined Deutsche Wohnen (a housing rental company renting out ~160,000 apartments) for 14.5 million EURO for GDPR violation in August 2021. The fine was an equivalent to about 1% of the company’s annual revenue.

The DPA found that Deutsche Wohnen did not have a sufficient data deletion concept and did not comply with GDPR data deletion requirements.

Info-Tech Insight

Establish a single source of truth for your data. This will allow you to go to the source and delete the first instance of the data (as per your retention schedule), and then plan to regularly purge the secondary, tertiary, etc.

PbD Principle 6 - Purpose limitation

Throughout the marketing processes, personal data must only be used for the purposes specified in the privacy notice provided to the data subjects.

If the collected data needs to be used for purposes not listed in the privacy notice, the controller either needs to conduct a purpose-compatibility test to ensure the new purposes are compatible with the informed purposes in the privacy notice, or reobtain user consent before using data for new purposes and in new scenarios.

Purpose Compatibility Test Considerations

Reasonable expectation

Any link between the purposes for which the personal data have been collected and the purposes of the intended further processing.

The way data is processed

The context in which the personal data has been collected, in particular regarding the relationship between data subjects and the controller.

The impact

The possible consequences of the intended further processing for data subjects.

Safeguards

The existence of appropriate safeguards, which may include encryption or pseudonymization.

Nature of data

The nature of the personal data, in particular whether sensitive personal data is processed.

Info-Tech Insight

Organizations should only collect adequate, relevant, and limited personal information that is necessary for business purposes.

PbD Principle 7 - Security protection

In general, organizations are required or expected to implement appropriate risk-based technical and organizational measures to ensure the ongoing confidentiality, integrity, and availability of personal data.

The controller and the processor shall provide

✓ Appropriate technical and organizational measures

To ensure

✓ A level of security appropriate to the risk

Taking into account

✓ The state of the art

✓ Costs of implementation

✓ The nature, scope, context, purposes of processing

The image contains a screenshot example of an organization with focus on security protection.

Info-Tech Insight

A best-of-breed approach ensures holistic coverage of your information security program while maturing from reactive to strategic information security management.

PbD Principle 8 – DSAR handling

A Data Subject Access Request (DSAR) is a written or electronic request for personal information made by a data subject to an organization that currently stores information about the individual. In the EU, 110 cases have been filed so far due to insufficient fulfilment of data subject rights. (source: enforcementtracker.com)

Data Subject Rights Comparison

Key Considerations

The image contains a screenshot of a table that demonstrates a data subject rights comparison. The image contains a screenshot of the High-Level DSAR Process.
  • Data subjects have the right to access and ask questions about their personal information. However, organizations have the right to withhold personal data if the disclosure would “adversely affect the rights and freedoms of others.”
  • Requests must be responded to without undue delay. For instance, under the GDPR, your organization needs to respond to the DSARs within 30 days with possible two-month extension.
  • DSARs do not have to be fulfilled by the organization if they are justifiably unfounded or excessive. If a request is refused, the organization must inform the requester within one month of the request’s issue date.
  • No fee must be charged for a DSAR unless it can be justified based on administrative costs. Typically, fees are reasonably charged for requests that are repetitive or excessive.

Info-Tech Insight

How often the organization can successfully fulfill DSARs or how quickly the organization can expect to respond are soon to become key differentiators.

Document your readiness assessment and identify mitigating controls

Us a structured method with actionable checkpoints to assess your digital marketing privacy program’s readiness level.

Privacy Considerations

Description

Readiness Assessment

Privacy notice

At the time of or before collecting personal data through marketing activities, an organization must reasonably endeavor to notify data subjects the way their data is processed and to help them understand what data is being collected, why, how it’s being used, etc.

The image contains a screenshot of a three-quarter filled circle.

Privacy impact assessment

DPIA is a methodology to holistically identify and mitigate privacy risks for marketing processes and projects.

The image contains a screenshot of a one-quarter filled circle.

Data retention and de-identification

Marketing-related personal data should be stored only for the period of time that fulfils business purposes. Personal data should be deleted or de-identified when it is no longer needed.

The image contains a screenshot of a three-quarter filled circle.

Third party privacy management

An organization should only engage with marketing vendors who provide substantially the same protection of the personal information.

The image contains a screenshot of a one-quarter filled circle.

Security protection

An organization should protect the confidentially, integrality and availability of the data collected throughout the marketing activities.

The image contains a screenshot of a one-quarter filled circle.

Cross-border transfer mechanism

If the marketing activities transfers personal data across different jurisdictions, the organization should establish a proper cross-border data transfer mechanism.

The image contains a screenshot of a three-quarter filled circle.

DSAR handling

An organizations should establish a formal DSAR procedure to handle the requests within required timeframe. The image contains a screenshot of a one-quarter filled circle.

Data breach handling

Organizations should establish a consistent and repeatable security incident management process and integrate data breach reporting requirements into this process.

The image contains a screenshot of a one-quarter filled circle.

Activity

Privacy Readiness Assessment Tool

Leverage best-practice privacy tactics to assess your digital marketing privacy readiness and identify gaps and mitigating controls.

Research Contributors and Experts

The image contains a picture of Fritz Y. Jean Louis.

Fritz Y. Jean Louis

CISO

The Globe and Mail

The image contains a picture of Julianne Garry.

Julianne Garry

Chief Marketing Officer

Info-Tech Research Group

The image contains a picture of Derek A. Lackey.

Derek A. Lackey, CIPM

Chairman

Response Marketing Association

Managing Director

Newport Thomson

The image contains a picture of Peter Kosmala.

Peter Kosmala

Founder and Principal

PRIVĀT, LLC

The image contains a picture of Noa Kahalon.

Noa Kahalon

Knowledge & Marketing Manager

PrivacyTeam

The image contains a picture of Dawn Hoffman.

Dawn Hoffman, MBA

Marketing & Business Consultant / Marketing Management

Digital Dawn Hoffman

Bibliography

Asia-Pacific Economic Cooperation. What is the Cross-Border Privacy Rules System. October 2021.
Alina Feustel. Senate Chancellery formally warned against using “Zoom”. August 16, 2021.
Canada OPC. PIPEDA Report of Findings #2019-001. April 9, 2019.
Carol Cruzan Morton and Hakon Heimer. INTERVIEW: Health Research Stymied by Legal Barriers to Safe and Effective Data Sharing. October 2021.
Court of Justice of the European Union. Judgment in Case C-311/18 Data Protection Commissioner v Facebook Ireland and Maximillian Schrems. July 16, 2020.
Datenschutzkonferenz (DSK).100th Conference the independent data protection supervisory authorities of the federal and state governments Video conference on November 25th and 26th, 2020. January 14, 2021.
David Reinsel,John Gantz, John Rydning. The Digitization of the World From Edge to Core. November 2018.
Dutch DPA. National Credit Register (BKR) fined for personal data access charge. July 6, 2020.
EDPB. Spanish Data Protection Authority (AEPD) imposes fine on company for not complying with advertisement exclusion. August 18, 2020.
EDPB. The Danish Data Protection Agency proposes a DKK 1,2 million fine for Danish taxi company. March 25, 2019.
EDRM.NET. EDRM Model. January 2020.
Federal Trade Commission. Equifx Data Breach Settlement. July 11, 2019.
FTC. Q&A for Telemarketers & Sellers About DNC Provisions in TSR. May 18, 2022.
Google, Ipsos. Privacy by design: exceeding customer expectations. 2020.
Ipsos, U.K., Germany, France, the Netherlands, Data Ethics Study: Data Ethics and Effectiveness, Part 1 — Ethics (n=6,000). 2021.
Ipsos, the Netherlands, Data Privacy Study: Consumer Model of Data Privacy. 2020.
Ipsos, Global, Global Trends 2020. 2020.
Ipsos, U.K., Responsible Marketing Deep Dive. 2020.
National Conference of State Legislatures. Data Disposal Laws. August 21, 2021.
Rafael Garcia. How Apple’s Privacy Move Could Affect Your Wallet. Apple Podcasts. 2022.
Singapore PDPC. Breach of Protection Obligation by Flight Raja Travels. June 11, 2018.
UK ICO. ICO fines British Airways £20m for data breach affecting more than 400,000 customers. October 16, 2020.
UK ICO. ICO fines Marriott International Inc £18.4million for failing to keep customers’ personal data secure. October 30, 2020.
US DoE Privacy Technical Assistance Center. Data Security Checklist. July 2015.

About Info-Tech

Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.

We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.

What Is a Blueprint?

A blueprint is designed to be a roadmap, containing a methodology and the tools and templates you need to solve your IT problems.

Each blueprint can be accompanied by a Guided Implementation that provides you access to our world-class analysts to help you get through the project.

Talk to an Analyst

Our analyst calls are focused on helping our members use the research we produce, and our experts will guide you to successful project completion.

Book an Analyst Call on This Topic

You can start as early as tomorrow morning. Our analysts will explain the process during your first call.

Get Advice From a Subject Matter Expert

Each call will focus on explaining the material and helping you to plan your project, interpret and analyze the results of each project step, and set the direction for your next project step.

Unlock Sample Research

Author

Alan Tang

Contributors

Garry, Julianne - Chief Marketing Officer, Info-Tech Research Group

Jean Louis, Fritz. Y - CISO, The Globe and Mail

Kahalon, Noa - Knowledge & Marketing Manager, PrivacyTeam

Kosmala, Peter - Founder and Principal, PRIVĀT, LLC

Lackey, Derek A. - CIPM, Chairman, Response Marketing Association & Managing Director, Newport Thomson



Dawn Hoffman, MBA, Marketing & Business Consultant / Marketing Management, Digital Dawn Hoffman

4 anonymous contributors

Visit our IT Cost Optimization Center
Over 100 analysts waiting to take your call right now: 1-519-432-3550 x2019