Protecting user privacy has become much more complicated as of late. Organizations must optimize consent rates while ensuring compliance with ever-changing global regulations and frameworks. They must look critically at their own processes to identify gaps or failures to meet privacy regulations. And organizations must find ways to effectively manage consumer requests, meticulously document processing activities and data transfers, and stay on top of a rapidly evolving regulatory landscape. Challenging, yes. But absolutely necessary.
A core requirement arriving with GDPR is that parties processing personally identifiable information need to ask the user for his/her consent to do so and let the user revoke that consent at any time, as easily as it was given. Keeping an auditable trail of consent, scope of use and revocation during the whole customer identity life cycle is a significant requirement not covered by traditional Identity & Access Management (IAM) solutions. In this webinar, we look at what makes the difference between employee-focused IAM and Customer-focused IAM (CIAM) and what a CIAM solution needs to provide in order to help your organization master the GDPR (and PSD2) challenges.
Join privacy experts from KuppingerCole Analysts and OneTrust as they discuss the evolving privacy landscape and how businesses can navigate it successfully, as well as share guidance on how to evolve privacy programs to become embedded in corporate culture and technology.
Paul Fisher, Lead Analyst at KuppingerCole, will explain why security awareness alone is not enough, and how organizations can improve privacy in the cloud by using technologies such as PAM and CIEM. He will also discuss the importance of being aware of all privacy and compliance laws, and the benefits of adopting a Zero Trust approach to security.
Sam Gillespie, Senior Solutions Engineer at OneTrust, will explain how to build proactive privacy programs based on global best practices. He will also talk about integrating privacy and data governance initiatives, demonstrating transparency, and enabling trusted data use.
From May 2018 when the upcoming EU GDPR (General Data Protection Regulation) comes into force, the requirements for managing personal data will change. Companies collecting such information from their customers will have to adapt to fundamental changes both in the very definition of personal data and in technical requirements around its secure and privacy-enhanced processing, including topics like consent management, data portability and the right to be forgotten. The scope of this regulation is very broad and it affects all organizations, including global enterprises outside of the EU, that collect, hold or process personal data on EU residents. The requirements for maintaining consumers’ privacy are significantly more stringent through this new framework and the fines for compliance violations have been increased accordingly, reaching up to 4% of the company’s annual worldwide turnover. With less than 12 months to go, is your organization ready to comply with these requirements that demand better controls over how it uses and manages the personal data that it holds?
In today's digital world (post the EU DMA, DSA and DGA regulation proposals, now tabled in the EU Parliament for legislative approval by 2023, the birth of GAIA-X in Europe and the adoption of new ePrivacy regulations), the hard line separating personal and non-personal data is blurring, and companies have yet to understand what this means for them. While they thought that only personal data needed consent, now it is all the data that needs a consent log proof for each digital identity it gets associated with. Europeans have also created a new "notion" of cloud (GAIA-X): a cloud where data can circulate freely and be shared and mutualised (upon consent). This will have implications. Huge implications, as GAIA-X carries the option to "import/acquire" data that originated from other entities (including from outside Europe). The transfer mechanism will only be possible upon the user's express, voluntary consent. Users will need to be incentivised to agree to share. Since transfers can only be performed by users, and with consent, this will in fact open up a secondary data market in which the consent log represents a "transaction event". Hence privacy will exit the framework of compliance to enter the framework of "strategy and business development". The contextual "data" hunt can begin (versus the big data paradigm, which fades away). The de-monopolisation of consumer data, too.
Insights into how the new European digital policy opens up new (data-driven) business opportunities.
Isabella de Michelis di Slonghello, CEO and founder, ErnieApp
GDPR is here to stay and the new ePrivacy regulation is on the horizon, but many organizations are still not yet in full state of compliance. A core requirement for compliance with GDPR is the concept of “consent,” which is fairly new for most data controllers. Now, with the GDPR regulation in force, parties processing personally identifiable information need to ask the user for his/her consent to do so and let the user revoke that consent any time and as easily as it was given.
"Privacy and Consent Management" is an exciting topic in a continuously changing market. Annie Bailey has just completed her latest Leadership Compass, which researches this market segment. To mark the release of this document, she joined Matthias for an Analyst Chat episode where she talks about the innovations and current developments.
In A Nutshell
In episode 108, "Privacy & Consent Management", Matthias hosts Anne Bailey.
Q: “From a definition point of view, what do we need to think of when we talk about privacy and consent management?”
Anne: “Yeah. So this is one of those terms where you could spin it in a lot of different ways, you know, privacy is so much in the public discourse that it doesn't really have a concrete definition anymore. So I thought it might be useful to get us all on the same page before we talk any more about it. So the way at least I have defined privacy and consent management in this most recent report. It's, of course, considering organizations and it's their administrative and governance capabilities over data privacy within their organization and of course, the tools and the solutions that are there to make that happen. So you could think of it then in a simplified manner about the capabilities that such a tool or a solution would have to the first group of capabilities, would then to be able to manage any incoming signals about privacy and consent. So these are things like being able to manage cookies and trackers that are on websites, being able to accept and then implement those consent or preference choices that an end user would make. And that would be over the range of different channels. So on a smart TV, on a mobile device, on a website, over the phone, via email in person interactions as well, should be considered. So that's all about managing the incoming signals. But what's also very important as well is the organization's ability to take care of their own internal management of privacy. So being able to govern sensitive data, which is in the organization and private data, being able to document their steps towards compliance and something which is a buzzword in this most recent report is being able to operationalize privacy.”
Q: “Recently, you published an updated version of your Leadership Compass report, which compares providers and services. What are the changes in the market that you can observe that you want to share with us?”
Anne: “Yeah. So this is an especially dynamic market area. Things are always changing. And so we can see some pretty big market changes between the report which published 18 months ago or so and the one which just came out this week. And that's in the types of vendors that were interested in participating. So what we saw in the last report were a lot of vendors that really focused on being able to manage those incoming signals, so being very focused on cookie management, on being able to collect consents and preferences and make sure that those are all able to be implemented in the many different connected systems within an organization and all the downstream vendors that may impact. Very focused on this incoming flow of information from end users. And what we saw, which was different in this report, is that there were more vendors that are really focused on data governance and using that as a foundation for privacy. So being able to operationalize and take action within the organization to further their privacy goals. And so we could think of that as an example. So being able to identify a privacy weakness of some sort in a process and then from that same administrative screen, then be able to do something to address that weakness. I guess we could go into more concrete details on what that could be. So, you know, if there was a scan done on a database and that scan returns the notification that there is private information in this database, there would then be the chance to leverage automation to go and anonymize those sensitive fields. So you're then connecting information about the status of privacy in the organization with an action to then improve it. So that was something that we noticed among several of the vendors that they're moving more in this direction. And that also does connect back to the relationship between the end user and the organization. 
So there was a big focus on being able to provide support for data subject requests and being able to process those. So in the same way of operationalizing privacy, if a consumer then submits a data subject request, the administrator would then be able to scan and automatically compile a report containing their personal information rather than needing to do that manually.”
Q: “Vendors offer products and services globally. Do you think they can catch up with changing privacy and consent requirements?”
Anne: “Mm-Hmm. Yeah. And frankly, this is really hard to stay up to date with because given our very globalized presence on the internet and connection with consumers all around the world, many organizations do have to stay up to date with the regulations that are not just for their own jurisdiction and in the region where they reside, but they have to pay attention to where their customers are, where any of their downstream suppliers or, you know, MarTech partners may reside and where this data is moving. So they have to be aware of a much wider legal domain than they've been used to before. And as I mentioned before, this is a really dynamic space. And part of that is because there are many privacy regulations which are being released all around the world. So this is something that we've identified as a really key capability in privacy and consent management tools, is that having some basis, some support from legal experts in-house to be able to keep up with all of these changing regulations and be able to pass that knowledge down to their customers is a really valuable thing.”
Hello and welcome to today's webinar. My name is Annie Bailey. I'm joined today by Kabir Barday, who is CEO of OneTrust. I of course am an analyst with KuppingerCole and I'm really pleased to bring to you today's topic, which is privacy compliance and particularly privacy compliance that empowers instead of hinders. So I'm thrilled to have you here today. I have a few informational points to share with you before we get started. So the first is that I would love to invite you to another KClive event hosted via KuppingerCole.
So this will be happening next week, Tuesday and Wednesday, and there'll be a packed agenda full of interesting topics. I think you'll find yourself welcomed there as well regarding this webinar. I'd like to point out that you are muted and will remain muted throughout today's webinar. We are controlling this function. And so that takes all the pressure off of you.
So please enjoy. You will receive the recording and the slide decks shortly after the webinar has concluded, and we do welcome your questions and we hope we have answers for you, but please, at any time during the webinar, submit your question via the GoToWebinar panel. You should see a field labeled Questions; submit them there. Kuppinger and I will receive those and we'll handle them at the end of the webinar. I will begin today's webinar with a presentation.
I will take you through the current state of the privacy and consent management market, relying on the related results of the 2020 Leadership Compass, and also take you a step further and look at the integrations between privacy and the relationship with IAM. I'll then hand it over to Kabir, and he'll take you through the insight on recent regulation challenges and more in-depth topics on this. At the end, we'll accept your questions and deliver some answers. So with that, let's dive in.
So some of this background may already be familiar to you, but I'd like to lay a common groundwork so that we can move forward together. When you think of the privacy and consent management experience and the relationship between you and your end users, often the, the very physical picture of the cookie consent form comes up as your end user is navigating through a website. And so this of course is the reality for many different reasons, both sets the expectation is present for personalization, personalized services, marketing, all aspects of the customer and enterprise relationship.
But this also means that your end users are sometimes communicating mixed messages. There's a strong, strong public discourse considering the privacy of personal data, and that in some cases, personal data has been exploited in ways that end-users are not in agreement with.
And so, although there is the expectation that personalization is now the norm, there's a trust gap here in what end-users are willing to give in order to receive this personalization. So, as I mentioned, this is hopefully familiar to you, and this is only one facet of the privacy challenges and complications that enterprises are facing.
Now, moving to another aspect in response to this very strong public discourse in end users demanding more control over their privacy and data rights. There are a collection of regulations which have come out across the world. And some of these I know are familiar to you, such as the GDPR, the CCPA and others, such as the Canadian PIPEDA out of Singapore, Brazil, Japan, India, and Russia. Now all of these regulations are dealing with similar topics, of course, in defining who and what the data privacy rights are, how they should be treated, what obligations are associated with these.
But on the other hand, these regulations have some overlap, but it's not complete. There are still gray areas in the interpretation of one compared to the other or taken in combination. So this creates a complex regulatory environment.
And so this is the situation that many enterprises find themselves in, which is required to provide personalized services in an area where there is not a lot of trust between enterprise and end user, with which to deliver that personalization, as well as being under the pressure of multiple regulations at once that has given way to the privacy and consent management market space. This is a very dynamic market space with many different vendors, delivering solutions, which help mitigate these challenges in some different ways and interesting ways. So this is what I'd like to take you through.
Now, this slide is going to set up for Kabir, discussing this a little bit later, diving deeper into some of the different regulations, but there's a major questions that a business needs to ask, which is overlooking all of these regulations. So the first question is which jurisdiction do you fall under? Most of these regulations are focused on the individual data subject, individual citizen.
However it is defined in that regulation. Now that means if you are an enterprise participating in the European Union somewhere, but your customer base also happens to be in North America, that may mean that you fall under the GDPR, the Canadian PIPEDA and the CCPA. So it's important to really identify which jurisdictions are applicable to you and your customer base. Next, it's of course important to identify which data is being targeted by these regulations that you've just identified. You need to know, of course, where is this data within your organization?
Perhaps question if you need a data inventory tool and, if so, are you using that to your best advantage, and is all the data that you have really necessary? Should it be minimized or perhaps removed? And finally, what processes are surrounding your data? How is it being transferred within your organization, outside of your organization and even outside of the region that you operate in? So privacy and consent management solutions are emerging to address some of these challenges, but what do they actually include?
This is based off of some of my recent research, a report published in August that really dives deep into the specific solutions and the vendors providing these solutions. And now what this slide summarizes is the eight major of capabilities that can, and sometimes should be offered by a privacy and consent management solution. I'll go through only a few of these, because I'd like to take the conversation beyond just looking at the capabilities, but some that you should be aware of cookie and tracker management.
This brings our conversation back to where we began with that very tangible experience of making a decision about your consent on a website, checking through the menu items of providing consent for certain group groupings of cookies or trackers for different purposes.
Now this grouping of cookie and tracker management encompasses capabilities such as being able to determine what exactly is present on your website, first party and third party and beyond cookies controlling when they fire particularly only after acceptable consent has been accepted and enforced all the way to how these consent signals are communicated to all the relevant parties. I'd like to draw your attention next to preference customization, and now consider again the title of this webinar, privacy compliance that empowers instead of hinders.
And so we're looking for solutions that don't only fulfill the compliance requirements, but does that and achieves business goals and add something of substantive worth to your organization that built it up in a positive way. Now, one very clear alignment that we've been able to see is between privacy and consent management and marketing, and being able to allow an end user to communicate their preferences for communication, for topic matter in a whole range of categories.
So facilitating that communication in a privacy-sensitive way. I'd next like to draw your attention to consumer control on the far right. This is foundational to privacy and consent management. Most legislation around privacy requires that the individual is the one who is making decisions about their privacy and their private information. So that means a user-centric conception of what privacy really is and how that should be facilitated within an organization.
So capabilities that we look for here are workflows that enable the end user to trigger and be, be, and play an active role in exercising their data rights. So, as I said, I could stay all day here talking about the capabilities, but I'd really like to take this concept of consumer control. And particularly the fact that as an individual, they are at the individual is at the center of the privacy experience and relationship.
So let's hold on to that idea and take this a step further and say, okay, we're looking for alignment with other departments in the organization to, to build this empowerment, using privacy, to, to better the organization we've established that marketing is a, is a great point for alignment, but what about identity? And in the context of identity and access management, I'll take you on a little journey here. We'll start at the far left with number one, privacy is a derivative of identity and you cannot have privacy without identity.
So I'd like for you to please imagine any piece of PII of personal information, whatever term you are most familiar and comfortable with. And I'd like you to imagine, or simply question, how was that piece of information that you just imagined? How is that connected to identity?
No, I hope I've said something that is completely clear and beyond obvious, but it's worth really considering you cannot separate privacy from identity. And so that leads us to a huge potential for alignment here, especially with the concept that we've just discussed, that privacy is a user centric phenomenon, and that is an active role. So let's take that idea, jump over to number two, there was an obligation of companies to protect data privacy. This is clearly stated in many of the regulations with different concepts, like the principle of data minimization.
And this also comes at the same time that it's so easy to collect much more data with much less effort. So despite being able to know more about individuals, organizations really need to be working with less. And so as the organization is retreating back in their active role here, the user can then step forward in their active role in determining their privacy comfort level. So thank goodness Customer IAM (CIAM) exists, because this really needs to include privacy and consent management.
There was a huge mash and overlap in functionalities here, and this really should be processed appropriately in a, in a central location. And the identity and access management infrastructure can be a good place for that. And if done well, there are opportunities to use this information in different ways, such as in access management policies or to prevent fraudulent access. So there's some really interesting ways for overlap here when the privacy layer is strongly established.
And then finally that brings us to number four, which is that this information is precious and identity and access management is then responsible for protecting this data. And so that means the solution itself and the organization have to be in a strong position to protect this information through restrictive access management policies, privileged access management can be a good choice here. MFA has to be the bare minimum, but dynamic and step-up authentication could also serve well here. So I brought you this far and I've made the connection between identity and privacy.
And in fact that they're very, very closely linked. So what would this look like if privacy and consent management were a part of an IAM infrastructure?
Well, oh goodness. I have this very overwhelming slide for you. I'll break it down for you in a simple way, but there's plenty of information also available about this slide, which is the KuppingerCole IAM Reference Architecture. This is a tool that we use to help organizations determine what they really need in their IAM infrastructure given their business use cases. Now you can see the business use cases along the top of this figure. You can see some very typical IAM use cases like employee life cycles, partner on- and offboarding.
And there's one which is highlighted here called consent management. This is of course something which most organizations need to handle and address. And that's because there are pressures out there that you are already aware of. Take a look at the bottom of this figure of policies and regulations. There are privacy regulations, which are putting pressure and, and guiding the use of information here as well as data protection legislation.
And so these two influences on the center rectangle, which is your IAM infrastructure, and these are made up of building blocks of groupings, of capabilities that help you to fulfill the regulations and deliver the use cases. And you can see there in the center column, privacy and consent management is a grouping of capabilities here that, that passes through and meet these needs. That was a quick explanation. And I'd love to take you one step further in this. So if you'll indulge me, ask yourself a question, which is how in the world is this going to work?
Most privacy and consent management solutions are, you know, SaaS and, you know, microservices with APIs, and that's not going to fit with what I have in place for an identity and access management infrastructure. These are different capabilities that are not going to work well with each other.
And so I'd like to introduce an Identity Fabric as a concept, which is the thought that in order to work in today's environment, where you need to provide identities and manage all identities of all things in all places, you have to be able to toggle between your legacy and what you already have in place with the digital services that are required today. And so this Identity Fabric is the idea of weaving together
these groupings of capabilities with connectors and APIs, able to travel in both directions, that then combine these capabilities into services, able to meet the needs of a hybrid infrastructure. And as you can see, again highlighted in orange in the capabilities rectangle center left, consent management can be used in combination with other capabilities to deliver some of these services. So I hope this gave you something to chew on, that privacy compliance is a narrow look at what privacy can deliver for an organization.
And it's much, much more than simply checking the compliance box, although that is incredibly important. I'd love to leave you with a few thoughts. These are my opinions, feel free to argue with them, but they're my vision of what I expect to see coming from privacy and consent management solutions in the future.
So, number one, I expect to see more fine-grained policy control. And that is because of the legislation that we have now; there will only be more of it coming. And especially as the conversation in each country and each region, especially as the different states in the US start to pick up momentum in passing their own data privacy laws, the conversation will become much more nuanced and specific about what data rights are, who is obligated to do what in these relationships.
And as this becomes more specific, there will be less and less overlap between the legislation that's already out there. And with less overlap, there's more gray area, more need to be very, very specific in the sorts of policies and enforcement that consent management solutions are able to deliver.
Second, I think we'll hear, and we'll discuss, privacy-protected communications much more, especially as a vehicle for individuals to communicate with organizations about their data rights and exercising those data rights. For example, requesting to know what information an organization has about you. That has to be a protected channel. Absolutely. Some are doing it; all will have to do it in the future.
Third, I do believe there is a role for emerging technologies here. AI is already present in many solutions. I see also an interesting avenue for blockchain and decentralized technologies, especially for generating auditable records and as a means of identity verification, especially in facilitating this exercise of data rights as an organization must identify the end user before they share their file of private information on them. And lastly is a bit of a pessimistic view, but with precedent, there will be future data misuse.
And now we can see this with the growing collection of human rights that we have slowly agreed upon throughout the last century, we have the benefit of hindsight where we in the present can always look back in history and say, oh, well, we maybe haven't treated this group of people with all of the human dignity that they deserve. That was a mistake. I can almost guarantee you that 3, 5, 10 years in the future, we will be doing that with data rights. And so solutions must be flexible enough to accommodate the rights that we define in the future with that. I thank you so much for your attention.
Please submit your questions if you have them, and I'm delighted to hand over to Kabir and he will take it from here.
Thanks Annie, for that segue.
And yeah, I agree with a lot of your points and the criticality of identity as the core concept when identifying an individual and all the benefits that can have for an individual. And so I'm going to build on that concept, Annie, and share with the audience a broader concept in line with the topic today around how to have privacy compliance that empowers instead of hinders. And you kicked off the presentation, I know, Annie, by sharing some of the regulatory drivers and, you know, the baseline in the industry of privacy, which is compliance.
And the first thing the board wants to know, and they start a privacy program and invest in people and tools and processes, do we comply with the law or not, but there's a much broader picture there in terms of not just regulatory and frameworks and technology changes you need to keep up with, but really using privacy as an aspect of being a trusted company and how important it is to be a trusted and transparent company today in terms of how organizations compete and differentiate and, and how valuable that can be above and beyond just compliance.
And so, you know, if you think about different ways, companies have competed over the decades, you know, it used to be that price and quality was how companies competed. And then it started becoming not just pricing quality that that's still, it was equally as important, but on top of that was the experience and engagement. And those are still critical today, but trust and transparency are building blocks that are added on top of that.
And so companies have realized that by being more trusted, by being more transparent, the general literacy of a consumer today is much more aware and sophisticated on what privacy issues are and data misuse and all of these things that Annie talked about, that companies are really starting to see how they differentiate in this space. And obviously there are many examples out there, and this is just one where companies have really harvested that message. There are also organizations out there that have done studies on the actual ROI of privacy and how that returns to the business.
But I would say despite all of that, we consistently see privacy professionals struggling to pivot and become more strategic to the organization and broaden their role from just being the compliance checkbox team, to really being the business value drivers. And one of the most critical parts of the organization that's driving the revenue, that's driving personalization, that's driving, you know, speed and agility for the business. And there's a huge opportunity here to have privacy professionals.
Once you've gotten to the point that you're comfortable in your compliance to not stop there, but to, to use that as a starting point, you've really earned the right once. You've gotten to a baseline of compliance to have a broader conversation around how has the privacy program strategic to the business part of the business and not a hindrance.
And so the common pitfall that most privacy programs usually get trapped into is when you're presenting to the board, you're presenting to your own team, you're presenting to other people in your organization about what a great job the privacy team is doing. You know, certainly you talk about your maturity against the privacy walls and the risk reduction, but a lot of privacy programs talk about capacity metrics.
So, you know, Annie talked about data subject rights; a lot of privacy programs measure that just on the volume of data subject rights. So is that really showing the business the value? It's showing the business that you're busy and your people are busy, but how does that show that you're being valuable?
You know, a lot of privacy programs do what I call capacity or volume based metrics, and you can see these across different work streams. We've seen this in practice at OneTrust, where we have the benefit of working with over 7,000 different privacy programs, over 75% of the Fortune 100 and over 40% of the Global 2000.
And what's really been exciting is over the past several years, when you go to these privacy conferences and you sit in groups with different privacy thought leaders, a lot of privacy professionals talk about creating a competitive advantage with privacy and trust driving business value. And in the last few years, it has moved from just being something the leading privacy people talk about as a utopian aspirational goal. And it's really turned into something real.
And that's so exciting to see, that companies and organizations are starting to really understand the value of privacy to their consumers and their customers, whether it's B2B or B2C, and that they're really starting to differentiate on it. And it's creating a whole new strategic opportunity for the privacy professional, but what's critical is being able to frame the metrics you're tracking as a privacy program, when you're communicating to your board and your team and internal organization, in a way that shows how you're aligned to the business and adding value. And that's one of the keys.
When we go back to the concept of phases, we talk about how to move from just being a compliance based privacy program, one that sometimes might hinder the business or slow things down or be seen as a somewhat, you know, box type function, to a strategic partner driving the growth. So let me show you a few examples. How can the privacy program go to the business and say, we've been able to increase our personalization, not decrease it, and we've been able to maximize the consent rates?
And because we know the value of a personalized communication to a client versus the non-personalized generic communication, we can actually tie that to dollars in revenue and conversion rates. So you can actually show how much revenue you've increased, directly tied to the privacy team's ability to drive an increase in personalization by capturing more first-party data responsibly and in a trusted way. How do you show your business that you've increased your win rates by using privacy as a differentiator?
And talking about that message, I'll show you some examples of how that's being done in practice in real life. How do you show that you're speeding up sales cycles? How do you show that you're getting better customer satisfaction scores? How do you show that you're not slowing down the business with privacy approvals, but you're speeding it up, and you're meeting your SLA, and most projects, or almost all of them, are getting approved? And then how do you benchmark, to show your business that we're doing so much better than everyone else?
And so these are the types of narratives that I would say, and Annie raised a really good point on it, it is critical to first verify you're compliant. You have to almost earn the right to have this conversation with your business. What we've seen is privacy professionals get a bit overzealous and jump to the business value, and trying to be strategic sometimes might fall flat because you've skipped steps. You need to prove to the business you can get them to compliance, prove to the business you're managing your team properly.
And then you've earned the right to become a strategic advisor and start tracking a whole new set of metrics. Let me show you some of these examples and how I would break some of these down. So a great example is an increase in personalization. This can be valuable for both B2B and B2C companies, and essentially what privacy professionals are starting to show their board is really in line with what Annie was talking about, with tying your privacy and consent initiatives to the identity.
And once you tie it to the identity, you can start getting really interesting insights showing individual consumers or customers, and what is the average consent rate and the things that they've consented to. And then you can establish a baseline. And then what you can start doing is building user journeys of consent. Too many privacy professionals and marketing people think about consent as the upfront one-time checkbox, and it's not quite like that.
It needs to be thought of as a user journey: how are your users, consumers and customers interacting with you as a brand, and what are the different opportunities to show that consumer or customer that the value you're returning to them, in exchange for them giving you consent, is so valuable? And so you can do things contextually. If you detect somebody reading your blog on your website for more than two minutes, then you can dynamically display an inline consent for personalizing those types of articles, consenting just to that specific thing.
If you're interacting with somebody in email, you can dynamically insert a footer for them to subscribe to get more communication. There are all sorts of ways of making this dynamic and contextual, and of earning the right to get consent.
Now, what you can start to do is partner with your marketing team to understand a user or a prospect that has personalized, consented data versus a user who doesn't have personalized, consented data. What is the difference in the conversion rates from them turning into a customer? And what's the difference in the average deal size or contract value of those customers? And you can actually then start to really precisely measure it.
The privacy team has partnered with the marketing team to improve our consent rates and collect more first-party data; that's resulted in X percent more personalized prospects, and that has on average converted to X dollars for our company. You can actually show a dollar number, and that's so powerful.
And certainly, you know, this is a combination of people, process and tooling to get there for an organization. And what it could look like is what I'm showing you here: a dynamic checkbox displayed on a blog or a page that is contextual, based on a set of really simple rules, like has the user not consented yet, and have they read this page for more than two minutes, and any other characteristics that can be very basic.
Now, a lot of companies obsess over the cookie banner, and the cookie banner is really not where you need to optimize the consent rate, because the cookie banner shows up upfront, immediately when somebody visits the page, and it's a very aggressive thing. You haven't earned the right; the user just came to your website and you're asking them to consent to all this stuff that they don't understand. And too many companies obsess over maximizing consent in these cookie banners. The only way to do that is through dark patterns, and that's not okay.
And so what we see our customers doing is, yes, doing a good job with their cookie banner, but then trying to maximize consent through user journeys and then tying that to business metrics. And that can be so powerful to show the value and differentiation. As an example, look at the DHL blog; DHL is one of our customers at OneTrust.
And they used our A/B testing capabilities and our consent products and our user journey product to be able to maximize their consent opt-in rates relative to their peers, and it became such a powerful brand value for them. So another example is, if you can go to your board and go to your team and say, because of our privacy program, we've actually increased our win rates. And usually this applies more to B2B companies. And so this is something we do actually internally at OneTrust, and we do a really good job of it.
And we've shown that we significantly increased our win rates when we talk about privacy as a differentiator. So the baseline and the prerequisite to this is you have to build a great privacy program. So for example, at OneTrust, we invested and we were the first company in the world to get our ISO 27701 cert, which is a brand new certification for privacy. So we knew that, because of how we do a good job with data residency, because of how we do a good job with encryption, because of how we do a good job with our certifications, we should use that as a differentiator in our sales cycles.
So what we actually did is started to measure our privacy team on how many pre-sales calls they proactively got involved with, to start to evangelize privacy as a key part of our brand and value. And so this encouraged our privacy team to get proactive. They started to put together great data sheets and collateral and sales materials showcasing our privacy program. It encouraged our privacy team to train our sales teams on how important privacy is and how we do a good job of it.
And it encouraged the privacy team to monitor some of our top deals and insert themselves in the process proactively. And our sales teams really appreciate that. I think where companies get this wrong is they expect the sales team to bring in the privacy team, but sales teams don't know how or when to do that. If you flip the script and have the privacy team's metric be getting involved, really interesting things start to happen.
And then in our CRM we mark when a privacy person is involved in a deal, and we can actually show the increase in win rate, and it's a really exciting metric for our team to see. And so there's a way you can measure this in your CRM, and once you measure it, of course, there are lots of ways of improving and managing it. So it's a very exciting metric we've seen as well, that really adds direct value. A similar one is just increasing the speed of your sales cycles.
Again, this is more important in B2B. So usually when you want to close a deal in a B2B environment, you have to go through a vendor, third-party risk evaluation, with privacy being a big part of that. And so how do you start to measure the average time it takes to complete the privacy and security due diligence process? And then how do you also start to measure your contractual and legal negotiation time period? Any salesperson will tell you time kills all deals. They want to close deals as fast as they can.
And if you can align a privacy key metric to showing how you're improving the time to close a deal, it is significant. It is so valuable for the company. It can show how you can continue to invest in privacy as a differentiator. As for the way to measure it, tools do a great job of this. At OneTrust, we have a vendor risk management tool that does two things that can help you. Number one, speed up that due diligence time with what we call the auto-complete tool. When you get an inbound questionnaire for privacy and security, we can auto-complete it based on NLP and AI.
So it dramatically reduces the time. And then the more you invest in your security certifications and things like this, the easier it is to complete those questionnaires. And so you can actually start to measure that as well. Another great example here is how you show your customer satisfaction scores. And so this is a really big hidden problem that most privacy people tell me about: the data subject rights, the privacy rights process that Annie talked about, is probably one of the first times the privacy professional has had a real external-facing role.
You know, most privacy tasks historically have been internal, doing PIAs and data mapping and advising the business. With data subject rights, now the privacy team is interacting with the customer for the first time. That's really important, and that's not something privacy people are always trained to do and know how to do. And just like when you have a 1-800 help desk and customer support process, whether you're B2B or B2C, the key metric when you have an external-facing support team is the customer satisfaction score. And so now you have a data subject rights process that's external-facing.
And we know people that submit data subject rights requests are not usually your happiest customers. They're not doing it as a way to say thank you.
They're doing it probably because they're annoyed or they're questioning something, not always, but that's what we see a lot of the time. And so how do you use that as an opportunity to feed that into your customer satisfaction process? What are the types of customers that are sending these requests? Why are they sending those requests? It's probably a leading indicator for a CSAT score or an upset customer. And how do you use that as an opportunity to engage? We have a customer in the B2C space that really embraced this concept, and this is where I learned it; I learned it from them.
They're a coupon type company. And what they've done is they've taken the data subject rights process, which the legal and privacy teams stood up, but for the response and the interactions they actually carved out a team from their support team. And they brought in a team called their ninja team, which had their best, most sophisticated support people. And only they're allowed to respond to data subject rights, because they want to really make it an opportunity to regain the trust of that customer. And that's really interesting.
And we have a data subject rights tool that can be integrated with net promoter score or CSAT survey questions. So when you close out a data subject rights request, just like you would get when you end your ride on Uber, or when you close a customer support ticket with a company, you get a thumbs up or thumbs down, and you can very quickly get a simple score on: do you feel like we protected your privacy?
You know, yes or no, or any different ways of wording it. One of the last couple of examples here: the business will have a tendency naturally to say, oh, privacy is slowing us down, oh, I've got to go through all this extra process. And one of the really important things that privacy people are starting to show is how you're being more agile, how you're actually helping the business move faster than your competitors by having a very mature and agile privacy review process.
And so you can start to measure, out of the business initiatives that go through PIAs, what percentage of those were approved. Most organizations will tell me nearly a hundred percent of projects are approved.
Yes, some require some modifications and some recommendations and additional controls, but they usually are all approved. The second thing is you can monitor your SLA. And if you can show the business, look, we've approved 90 to a hundred percent of your projects, and we've on average done that in the SLA that we agreed on, it can be a significant advantage in showing that you're being agile. Investing in tooling is also helpful here. The OneTrust privacy impact assessment tool can measure these SLAs and approval rates.
And by using tooling, you can start to build a library of pre-approved types of projects so that you don't have to do a full PIA on everything. Tooling can also help you do simple threshold assessments to avoid needing to do a full PIA. And this really becomes a significant driver. And finally, we get asked a lot by customers how they compare to their competitors, because they want to be able to go to the board and say, we're doing a better job than anyone else, or we're not doing a better job and we need to invest more.
And so how do we get privacy people to start producing quarterly benchmarking reports to score themselves? And there are lots of simple things you can compare yourself on. So for example, you're scanning your own website for cookies. Why don't you scan all your competitors' websites and compare those?
Why don't you quarterly go look at your competitors' security and privacy pages, and look at when the data was last updated, what certifications they have, what press releases or documents they have put out about privacy and security, and measure yourself and compare yourself in very simple ways? And we have a cookie scanning tool you can use to help with that. But we also have a maturity and benchmarking tool with 500 companies' pre-populated responses that you can compare yourself against as well.
So those are, I would say, interesting ways you can start to flip that script and narrative, and these are real examples we're seeing from some of the most brilliant and innovative privacy professionals.
You know, again, once they've earned the right to have this conversation and they've shown their business that they have met a baseline of compliance, now it's very exciting.
And, you know, again, as you start to think about how you measure a lot of these things, it ties back to Annie's concepts around the types of tooling in this space that's available, the importance of identity, and how you actually operationalize and get value out of these programs, and thinking about the market and the opportunity in privacy much more broadly than just compliance. And certainly, you know, there are lots of different tools that can help you with this.
OneTrust is just one of those, and this is always a people, process and tooling all together discussion, but certainly we have a significant amount of experience and are the largest and most widely used tool in the world to accomplish these types of things as well. So with that, Annie, I think you might have some thoughts and then we can go to questions.
Yes, Kabir, thank you so much for that presentation and bringing us through, especially, the different metrics here.
This is a really interesting take on how to measure the value of privacy in such a different way than we're used to when we're looking at the compliance aspect. We have a couple of questions from the audience. I would pose those to you, if that's all right?
Let's do it.
Okay. So the first one: where should brands get started when using privacy as a competitive advantage, if they haven't been involved with their privacy, compliance and legal teams before? Where should companies get started with this?
Yeah, I think it's a really interesting question. The journey that most organizations go through is really three phases. From what I've seen, the first phase is compliance. Like we talked about, it's establishing a framework for what regulations you need to comply with, and measuring and tracking your maturity against those frameworks, to be able to say, you know, yes, we are generally compliant, and here are areas we need to mature more. Because that's the first thing your board and team are going to want to know before you get to step two.
So compliance is usually step one. Step two is usually going from compliance to risk. And so how do you think about not just the academic checkboxes in the regulation, but understanding what your risk appetite is and what you should and shouldn't be doing? Because some things in privacy you might not need to do a significant amount of, depending on your risk and your exposure and the data you have. And then finally you want to get into competitive advantage as a third phase. Usually when you get into competitive advantage, there are two areas I see companies focus on the most.
If you're a B2C company, most companies focus on personalization and consent optimization. If you're a B2B company, most companies invest in security certifications, privacy certifications, and speeding up the vendor due diligence process.
Yeah. That's a really interesting distinction to hear, that you have between B2B and B2C situations here. So you mentioned that it's really valuable, of course, to speed the time to onboard third parties, to go through that third-party due diligence. Do you see any other key differentiators there between B2B and B2C situations?
Yeah. Companies, you know, are really trying to be proactive in addressing privacy and security as a topic when they're interacting with prospects. And so B2B companies will invest very heavily in marketing collateral, like data sheets and press releases and these types of things around privacy and security. We see these all the time. Those aren't as common in B2C companies. What B2C companies will do more of is actually build privacy controls into their consumer-facing applications more directly. So you can see this in social media apps.
You can see this in the big search engines. Usually they're investing, you know, less in collateral and evangelism and training and more in simplicity of accessing and tweaking your privacy controls. So it's much more embedded into the technology stack, usually. Do you see similar things, Annie?
Yeah, it's a really different relationship that I see being built here, at least focused on, and also particularly, the different channels. And so when you're in a B2C context, you have so many different channels and devices, and really the presence in an individual's life, wherever they want to take you. And so that just adds a different relationship here than when we're focusing on partner onboarding and doing the due diligence and establishing reliability and trust.
So yeah, that's where I see that from my perspective. Taking a look at another question from the audience, let's see here. So when you look at the impact to a business of infusing transparency into processes and building trust into marketing communications, what is the biggest impact to a business? So in short, what impact does transparency have on a business?
Yeah, I think it can be quite significant when you look at the buying behaviors of the new generations, the millennials and younger, you know, I call it Gen Zoom, the generation that grew up using Zoom and WebEx and Cisco conferences. So the buying behaviors are increasingly around trust and transparency and ethics, and you see this time and time again. And so the bottom line is usually there's a significant revenue impact.
And, you know, even Consumer Reports has come out and shown the significance of the changes in buying behaviors and buying habits. This used to be something that people would talk about, but not really do in practice.
You know, there's always been this funny dichotomy where in surveys, people would say they highly value their privacy, but then they're also the same people that will be the first ones to sign up for a free service and give away all their data in exchange. It was always so funny, but now it's starting to actually impact and change those buying behaviors.
And so, you know, finding a way to tie in and measure this against the company's bottom line revenue is usually the most significant impact that organizations are going to find. And the other thing I'll mention, because the question used the words trust and transparency: I think that's really important, because when consumers are thinking about a brand, that's exactly the type of thing a lot of times they're thinking about: do I trust this company? And trust has lots of different aspects to it. It's not just privacy.
And a lot of times consumers don't necessarily know the difference between privacy, security, ethics, you know, social responsibility. And so I think the other opportunity here is really thinking about these things as a package: what is the brand and reputation we want as a trusted company? And any one of those areas can bring down the entire, you know, trust brand that you've built. And so I think that's also another important point there, Annie.
Yeah, yeah, that's really interesting.
And it makes me think a little bit of the distinction that we sometimes forget to make between privacy as a concept and consent as a concept. And transparency really goes hand in hand with privacy, which is, you know, the right, as an individual or as an organization and entity, to decide who has access to what information. And consent, of course, is the key to lowering that privacy level a little bit when you feel comfortable.
So it's an interesting interplay here, but transparency really has to go hand in hand with privacy to set that barrier. And then we can build the relationship up from there, being able to use consent as a means of control, as the individual able to control that relationship. It's interesting. Yeah. Let me do a check to see if there are any other questions from the audience, and I believe that's it. So then I would do a last call out to the audience: if you have any questions, feel free to submit them. We're happy to discuss them. But Kabir, thank you so much for your time today.
It was really interesting to discuss with you and hear your opinions on this. And I look forward to talking again.
Likewise, it was a pleasure. Thanks.
Yeah, absolutely. So to all of you out there, thank you for your participation today. And we look forward to welcoming you again at another KuppingerCole webinar event. We look forward to speaking with you. Thank you.