Re-designing data privacy processes

My role:

Research
Process design
Negotiation
Pitching

Context

According to GDPR, every business that processes personal data must inform the people whose data it processes about what data it is processing and why, as soon as possible.

In the international company I worked at, we processed quite a lot of data, which was gathered in a variety of ways online and offline by several teams in each country. For example, we could have had personal or group meetings or come in contact with new people during events, or they could have reached out to us digitally or via phone. As soon as we found out their name, we were data processing.

For a while a blanket approach was used where each person whose data was processed was supposed to receive a data privacy notice via post within a month of coming in contact with us.

Sending data processing notices was dependent on someone registering the interaction in our CRM systems. It was quite expensive and it was easy to miss someone. Occasionally, however, people got several such scary legal letters, causing a negative customer experience and damaging the brand. On top of that, as a rule we didn’t receive any confirmation about whether those letters were received by the intended people at all.

Goals

Business wanted to improve customer experience and in no way complicate the lives of customer facing staff members more than necessary.

Compliance wanted to make sure that we are following the laws and internal guides and are aware of risks.

Finance wanted to optimise costs.

Process

I was trusted with the responsibility of exploring our ecosystem of customer interactions and designing alternative process(es) that would make our data processing more foolproof as well as make it fit the needs of different stakeholders. Thereafter we had to convince all the stakeholders to support the chosen alternative(s), execute changes and potentially train all staff.

Research phase

At first I had to get a better understanding of the current process since I was not directly involved in it before. As an expert in customer communication and our CRM system, I had unique knowledge and skills to analyse the possibilities.

Since we had many ways of interacting with customers, each having its own specific conditions, there were also many nuances to think about, starting with what is technically possible in a specific remote interaction system and ending with how exactly interactions are currently registered – if at all. Due to the nature of the business we were in – pharma – we were legally obliged to register all interactions with health care professionals quickly. This was not always possible or could be delayed due to some other vetting requirements and country specifics which I won’t get into this time.

I discovered that not all forms of data processing were considered when deciding whom we should inform about it, which meant that we didn’t always inform people in a timely manner.

It was clear that some processes always happen in a specific order. For example you need to have some interaction to get consent for emailing and that has to happen before sending any emails. Yet I found cases where we had records of emailing people without records of having sent them a data privacy notice.

In practice we were also providing almost identical data processing info to the same person multiple times without counting it as a job done. As the only accepted form of informing was a physical notice sent by post, we didn’t count any case of informing customers digitally while doing it anyway.

When talking with area experts in other countries, I also found out that we all have different processes and their ownership sits with different roles. For example, some countries were sharing the notice over emails. This made it more complicated to collaborate and align but also clarified that our guidelines are not understood in the same way.

And last but not least, the same types of interactions were named differently in different systems, complicating monitoring of the whole situation. If a system is set to automatically look for traces of sent “marketing email”, it might not pick up records of “system email” or “rep email” etc.
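
An added example, not part of the original case study or the company's systems: a small audit that maps per-system labels to one canonical type and flags contacts who were emailed with no privacy notice recorded on or before their first email. The notice labels, contact ids, dates and the "on or before" rule are assumptions made for illustration.

```python
from datetime import date

# Labels each system uses -> one canonical type. The three email labels are the
# ones quoted in the text; the notice labels are assumed for illustration.
FULL_MAP = {
    "marketing email": "email",
    "system email": "email",
    "rep email": "email",
    "privacy notice (post)": "notice",
    "privacy notice (email)": "notice",
}
# What a monitor that only knows "marketing email" effectively uses.
NARROW_MAP = {k: v for k, v in FULL_MAP.items()
              if k not in ("system email", "rep email")}

def audit(records, label_map):
    """Return (contacts emailed without an earlier notice, unmapped labels)."""
    first = {}          # (canonical type, contact) -> earliest date seen
    unmapped = set()    # labels the monitor cannot classify
    for contact, label, day in records:
        kind = label_map.get(label.strip().lower())
        if kind is None:
            unmapped.add(label)
            continue
        key = (kind, contact)
        first[key] = min(day, first.get(key, day))
    flagged = sorted(
        contact
        for (kind, contact), sent in first.items()
        if kind == "email"
        and first.get(("notice", contact), date.max) > sent
    )
    return flagged, sorted(unmapped)

# Constructed sample records: (contact id, label as stored, date).
RECORDS = [
    ("C-001", "Privacy notice (post)", date(2021, 2, 10)),
    ("C-001", "Marketing email", date(2021, 3, 1)),
    ("C-002", "Rep email", date(2021, 3, 5)),
    ("C-003", "System email", date(2021, 3, 2)),
    ("C-003", "Privacy notice (email)", date(2021, 4, 1)),
    ("C-004", "Newsletter", date(2021, 3, 9)),
]

if __name__ == "__main__":
    print("narrow:", audit(RECORDS, NARROW_MAP))
    print("full:  ", audit(RECORDS, FULL_MAP))
```

With the narrow mapping the two gaps stay invisible and only surface as unmapped labels, which is why the unmapped list is worth reviewing alongside the flagged contacts.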

Ideation

I started with mapping all types of customer interactions per channel that were happening and designed the alternative journeys for each scenario where different required steps were the responsibility of various stakeholders.

We also had differences in processes depending on whether there were one-on-one or group meetings, including variation when there was catering. Online, it made a difference whether it was a digital meeting or a webinar, as we used different tools for those and the latter usually required registration. For webinars we already had a good, solid process of ensuring awareness and acceptance of our data processing rules, and data was transferred into our systems automatically. With digital meetings we were highly dependent on each customer-facing employee’s actions and had lots of room for errors.

We also had to factor in that in the Nordics, unlike many other countries, most customer meetings are group meetings and they are few and far apart. We probably won’t know exactly who will attend beforehand, so we cannot prepare much, and during the time together conveying the most important info for achieving business goals has to be prioritised. Admin work must remain as fast and hassle-free as possible. Each country also has to follow local rules, which meant that the solutions I come up with must be flexible and cater to the different needs of seven Nordic and Baltic countries.

Over the course of several months, as new questions and ideas arose, I talked several times with stakeholders of target countries, business leads, local and EU privacy leads, other countries’ teams, CRM and other martech support teams and more to verify needs and possible solutions.

We initially received a lot of pushback from international data privacy leads about changing processes due to risks. At first they insisted on continuing with hard copy data privacy notices only, but after I explained that some other countries are already doing it digitally or even just orally, they became more open to discussing alternatives.

Pitching

In the end, we tried to simplify the complex ecosystem of interactions and possible ways of informing about data processing as much as possible while also flagging how reliable each suggested process is as we needed to be able to prove to authorities that we are doing everything that is required. In some cases we also introduced multiple options to let business leads make a final decision between easy processing and level of risks they are willing to take. All of it was presented in one table for easy overview but detail slides per each channel like you can see above were also included for deep diving.

Results

After presenting the new and improved process proposals to key stakeholders, they decided to take these to the European level for discussion for potential EU-level alignment and implementation, which I consider a success. Also, a central change was initiated where customers who had given an email opt-in were to be treated as having received a data privacy notice, which helped us simplify admin considerably. My involvement in this project ended at this point, but I was very proud of having brought some clarity and of managing to come up with solutions to improve customer experience, compliance and cost efficiency in the long term: with the reduction of duplication and more digital execution there might be some set-up costs, but in the long term it supports both the financial and environmental sustainability of the business.
