Marketing & Sales | Reliable Papers

Consumer-data privacy and personalization at scale: How leading retailers and consumer brands can strategize for both

Customer concerns about the security and privacy of their online data can impede personalized marketing at scale. Best-practice companies are building protections into their digital properties.

November 2019
by Julien Boudet, Jess Huang, Kathryn Rathje, and Marc Sorel

Personalization at scale is where retailers and consumer brands are competing to win. But in focusing on “playing offense” to capture value, executives are often overlooking their “defense”: preserving, protecting, enabling, and accelerating the hard-won gains of their digital efforts by ensuring that personalization at scale keeps personal data secure and private.

As the enterprise risk of collecting, holding, and using consumer data to personalize offerings grows, so do the business-impairing consequences for those who fail to get it right. Despite these challenges and opportunities, most marketing leaders remain surprisingly unconcerned with how to manage data security and privacy.

In a recent McKinsey survey of senior marketing leaders, 64 percent said they don’t think regulations will limit current practices, and 51 percent said they don’t think consumers will limit access to their data (Exhibit 1)—this despite other recent surveys showing that more than 90 percent of consumers are concerned about their online privacy, and nearly 50 percent have limited their online activity because of privacy concerns.¹

Getting the security and privacy of personalization wrong can slow time to market for new applications, constrain remarketing and consumer-data collection, result in significant fines, or—worse—cause material harm to brand reputation through negative consumer experience.
Getting it right reduces time to market, puts security and privacy at the heart of the company’s value proposition, boosts customer-satisfaction scores, and materially reduces the likelihood of regulatory fines.

¹ Brian Byer, “Internet users worry about online privacy but feel powerless to do much about it,” Entrepreneur, June 20, 2018, entrepreneur.com; and Rafi Goldberg, “Lack of trust in internet privacy and security may deter economic and other online activities,” National Telecommunications

Exhibit 1: Many marketers feel confident that neither regulations nor consumer sentiment will limit data collection in the future.
Chart: Marketers’ perspectives on regulations, %. Categories: Regulations will not limit current practices; Regulations will make access easier; Regulations will limit current practices. Values shown: 64, 30, 6.
Chart: Marketers’ perspectives on consumer attitudes, %. Categories: Consumers will not limit data access; Consumers will limit data access; Consumers to demand transparency but seek new ways to share data. Values shown: 51, 26, 23.
Source: 2018 senior management personalization survey: Based on question 27: How do you expect regulations to affect personalization practices in your industry? And question 28: How do you expect customer behavior regarding data collection to evolve over the next six years?

Where to start

For most companies, getting security and privacy right begins with remediating and transforming the digital-marketing applications and systems that generate, transmit, consume, store, or dispose of consumer data (Exhibit 2).
Leading brands make this part of a broader baseline assessment of data security and privacy across people, processes, and technology and tie it to business use cases.

They also put marketing at the center of the effort, educating teams on the value at stake through, for example:

— establishing and enforcing standards on security and privacy for creative agencies
— using best practices for data protection in their day-to-day work
— tokenizing consumer data
— ensuring consent compliance
— sanitizing data before using them in outbound communications and remarketing
— being accountable for incidents when they occur

Exhibit 2: The marketing structure should enable digital-property remediation and transformation.
Digital properties (consumer-facing or consumer-touching applications).
Marketing-operations pillars that support digital-property impact (marketing operations that enable digital-property value creation): A. Content creation and delivery; B. Consumer data acquisition and use; C. Outbound communications.
Remediation & transformation enablers—the foundation of marketing operations: 1. Digital-property workflows and processes; 2. Technical architecture, infrastructure, and data; 3. Compliance and risk management; 4. Organization design, operating model, and governance.
Descriptions (not exhaustive):
— Content development for consumer-facing brand websites
— Content delivery through e-commerce and merchandising portraying products and brands in a way that allows the enterprise to “do business” with its customers
— Cookie management to granularly track and collect consumer behavior data across properties as customers engage with them
— Remarketing by using data to drive portrayal and placement of products and brands with which the consumer engages
— Using consumer data from digital properties and other sources to drive outbound marketing (such as pay-per-click, advertising, digital display)
— Technical capabilities, such as data lake or discovery scan tools, to facilitate collection, storage, management, and testing of consumer data
— The global vs local policies, processes, and tools to adopt, follow, and validate to meet security-and-privacy obligations in a variety of regulatory environments
— Agile organization and operating model that clarifies roles and responsibilities across functions and rationalizes external partners/agencies
— Where and how digital assets/properties should be created and maintained

The dialogue with marketing and other stakeholders in this context should be ongoing, to match the enterprise’s evolving needs for data and technical capabilities and to capture the value from use cases.

An imperative on security and privacy can help with many things—from eliminating tech debt to breaking down silos—by opening iterative dialogue on data needs and new operational requirements between the business and the security and privacy functions.
Aligning on core beliefs and a framework to approach the effort (Exhibit 3) can help the team quickly get the needed conviction and buy-in.

How to move quickly at scale

As the transformation of data management is piloted and scaled, prioritizing a few key actions to improve security and privacy will ensure outcomes that enable rather than disable the business.

Build a risk register for digital properties

Taking a risk-back approach can help the executive team defend its decisions on where and how to allocate spend on security and privacy. Understanding how properties such as information systems and assets map to each other, to the threat landscape, and to the business value chain also clarifies where eliminating risks can enhance enterprise value.

Exhibit 3: Company alignment on the core principles for transforming digital properties will enable personalization at scale.

— Implement the transformation by deploying cross-functional teams in agile sprints. This will not only mitigate execution risk—a requirement, not an option—but also enable you to capture value at scale and demonstrate that the process is iterative.
— Clarify roles, responsibilities, decision rights, and talent requirements across the organization. This is the key to ensuring you can quickly embed the cross-functional capabilities needed to bring new properties to market.
— Align risk with enterprise appetite. A risk-back, minimum viable approach to building security-and-privacy protections into the transformation of digital properties is a commercial imperative for personalization at scale.
— Create and maintain a risk-based asset inventory. This will help to clarify your enterprise digital-property landscape, as well as compliance issues and business risk, and is an essential tool for prioritizing transformation initiatives.
— Anchor the approach in use cases. For a successful transformation, understand which business use cases the transformed digital properties will support, and clarify the architectural gaps you need to fill to support both properties and use cases.
— Manage digital property the way you manage your people. Knowing the identity, performance, and safety of your applications is as important as knowing the identity, performance, and reliability of your people.

Clarify data strategy, governance, and policies, and build in the roles and requirements to make them work

The details of programs for data security and privacy may vary by company, industry, or the local regulatory climate. Consumer and retail enterprises, for example, often hold consumer data for no more than 13 months, in order to track consumer patterns through seasons and holidays. Auto retailers, on the other hand, often hold data longer, to reflect the longer time between automotive purchases, which tend to be multiyear, not annual. Other companies may tailor their global privacy policy to meet local regulatory requirements, such as General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA).

But some best practices are emerging as enterprises focus on data privacy and security. One leading privacy policy is the tokenization and sanitization of data before using them in remarketing.
Further, leading institutions will align on the “minimum viable data and controls” required to preserve a long-term view of consumers and empathetically engage them at scale.

To embed awareness of security and privacy across an enterprise, some companies find it useful to create roles for business-information security and privacy officers (BISPOs) or “security and privacy ambassadors.” Such programs can not only empower employee teams to become knowledgeable about organization practices on security and privacy but also ensure that the integrity of digital properties continues long after they are transformed and remediated.

In the event of a breach of data security or privacy, it is helpful to have in place incident-response plans that are “living documents” formed through the test-and-learn iterative process of simulation. These can help executive teams make better decisions faster about managing their digital properties—and their relationships with regulators.

Build security and privacy into enterprise analytics and application development

Consider the example of an enterprise seeking to transform itself into a platform company using consumer and customer data to cocreate application programming interfaces (APIs) to transform how consumers engaged with the brand. Before the enterprise built security requirements into its application development, it had missed at least one major market opportunity because of regulators’ security concerns, frequently experienced application launch delays because of security-related rework requirements, and lacked capacity to verify whether around 80 percent of the business-support applications it developed annually complied with its requirements on security and privacy.

By building those requirements into its software-development policies, the enterprise made the software-developer team responsible for meeting them right from the start, in the design phase.
The security-and-privacy team would only involve itself “by exception,” if a development team declined to meet a specified requirement. This approach ensured that standards on security and privacy were met in more than 90 percent of applications developed, which reduced downstream rework, accelerated time to market, and put data protection at the center of the enterprise’s value proposition to consumers.

Create and deliver role-based training on security and privacy

Given that more than 80 percent of enterprise cybersecurity incidents begin with a human clicking on malware, regular training tailored to key roles is essential to reduce the risks of personalization. Marketing teams, for example, might need to learn best practices for remarketing, such as parsing data to eliminate personal identifiability while preserving business value.

There are about 15 core employee behaviors that can be addressed and transformed through a focused campaign of annual training supported by unpredictable reminders, such as occasional emails and text messages or antiphishing test campaigns. Similarly, building security and privacy standards into performance reviews—for example, setting a threshold for the number of security or privacy incidents in a line of business over a period of time—can ensure that the entire business, not just the experts on security and privacy, owns the problem and the solution.

Personalize security and privacy for the consumer

Leading financial institutions have already unlocked the value of increasing net promoter scores (NPS) by taking the hassle out of consumer validation processes.
By reducing hold times, simplifying and tailoring multifactor authentication to meet consumer preferences, and placing data-protection controls for consumer-facing applications in the hands of the consumer, they are improving customer experience without compromising underlying security and privacy.

Leading retailers and consumer brands can adopt a product-management mind-set and delight consumers by building data-protection options into consumer-facing applications and support functions. By partnering with cutting-edge technology innovators, they can tailor processes to what is most convenient for the consumer. Good places to start are multifactor authentication by text, call, or randomly generated code, or built-in strong-password-generating tools to simplify password recall for consumers accessing a retailer’s direct-to-consumer application. Measuring performance over time through commonly available customer-experience dashboards such as NPS can ensure that attempts to build security and privacy into consumer-facing applications are refined quickly and iteratively.

The opportunity around personalization at scale for consumer brands and retailers has never been more critical to capture. At the same time, the need to create a net positive consumer experience while avoiding the downsides of reputational, operational, legal, and financial risks is a hard balance to strike. Several core questions can help clarify where your enterprise stands—and what to do about it:

1. How does your personalization technology measure your customer’s security and privacy experience?
2. What is your enterprise’s critical-asset or -system risk register for data security and privacy?
3. How complete is your security-and-privacy technology stack, and how do you determine this?
4. How are you managing your data to derive value-creating analytic insight from personalization without causing value-destroying financial or operational loss due to privacy or security incidents?
5. What is the state of your secure software-development life cycle program?
6. How are you ensuring the secure operation of your cloud environment?
7. How are you ensuring that security and privacy are every employee’s responsibility?
8. What is your capability aspiration for customer-data security and privacy, how are you measuring progress toward that aspiration, and how are you reporting progress to the board?

By answering these questions, companies can help ensure that personalization at scale is only a benefit, not a bane, to any consumer and brand.

Copyright © 2019 McKinsey & Company. All rights reserved.

Julien Boudet is a partner in McKinsey’s Southern California office, Jess Huang is a partner in the Silicon Valley office, Kathryn Rathje is an associate partner in the San Francisco office, and Marc Sorel is a consultant in the Washington, DC, office.