Privacy as a brand differentiator

Privacy law is grounded in human rights and consumer protection. While most businesses think about privacy just in terms of compliance, some realize that preserving privacy can strengthen consumer relationships. Then there’s the select few companies that have figured out how to make privacy a brand differentiator. 

During Privado’s 2024 Bridge Summit, Robert Bateman moderated a discussion about leveraging privacy to increase brand value with a panel of high-profile privacy professionals:

• Emilie Kujit, Data Protection Officer (DPO), AppsFlyer
• George Jones, Senior Data Privacy Specialist, ZoomInfo
• Conor Hogan, Global Director, Privacy & DPO, BSI

Hiring privacy professionals to help internalize privacy

Recruiting privacy experts to help communicate with customers

George Jones explained how ZoomInfo’s market position presents an obvious challenge for privacy compliance.

“ZoomInfo is a data company at its core. We collect and process business contact data for millions and millions of people around the globe. And we make that available to our customers,” Jones said.

“Differing privacy requirements by country means differences in how our customers can use that data.”

Part of Jones’ job upon joining ZoomInfo was helping the company’s customers navigate emerging data privacy frameworks.

“We didn't have any way to help our customers navigate this. And that's why I was brought on board.”

Assigning internal ownership of privacy

Emilie Kujit explained how she was hired to take ownership of privacy within AppsFlyer.

“I joined AppsFlyer about three years ago, and privacy was already a very big topic within the company. But I was the first full-time data protection officer (DPO).” 

Kujit noted that before she joined AppsFlyer, privacy ownership was spread across several departments, including legal and security. 

“This was the first time that we said privacy is going to have its own hat.”

Recruiting privacy professionals to demonstrate your company’s values

Connor Hogan’s organization, BSI, acts as a standards-setting body and external consultancy—and so is very different from the other panelists’ companies. Hogan explained how BSI decided to go beyond the organization’s baseline privacy requirements by appointing senior privacy leaders. 

“BSI recently decided to appoint a DPO, which is maybe a little unusual… but we need to do things right. Not because a piece of legislation says so, but because it’s fundamentally the right thing to do,” Hogan explained.

Hogan said that focusing on privacy internally allowed BSI to “sell our services as the experts and the independent, purpose-driven organization that we are.”

Building a strong internal privacy culture

Selling privacy within a company

Privacy-centric marketing can make a brand stand out in the market. But the work starts internally by integrating privacy into the culture of the business. How can privacy professionals get the whole organization on board?

“I want privacy to be a positive part of the company. I want privacy to be embedded in everything,” said AppsFlyer’s Emilie Kujit.

“Before taking ownership of privacy, it takes a while to understand which teams are wearing which caps and to market internally what a DPO does.”

To help embed privacy into each part of AppsFlyer’s operations, Kujit pays close attention to each department’s unique position in the business.

“I've had the opportunity to work on that internal marketing… holding different training sessions for R&D teams and product teams than for HR and finance teams—to make sure we provide contextually relevant guidance and meet everyone’s needs.”

Helping an organization’s privacy culture mature

George Jones noted that ZoomInfo’s internal privacy culture was already strong once he joined the company.

“Our CEO is very hot on privacy. Our whole board buys into it. So we didn't have that challenge of it being an organizational focus.”

But during his time at ZoomInfo, Jones has helped the company mature its internal privacy program.

“We're at the point now where the audit functions are up and running. We've got accountability frameworks. We have regular reviews.”

Moving away from a check-the-box approach

Conor Hogan also reflected that BSI has had long-standing, strong internal privacy standards but that he has helped make the company’s culture more proactive on privacy.

“The thing I'm most proud of as the DPO is that we've affected a change in the culture internally,” Hogan said. 

“We've got people coming to us from different parts of the business saying, ‘Hey, what do I need to do when I want to do this?’ Or, ‘How can we do this?’ Rather than ‘I just need you to sign this off because I've been told that it's a check-the-box requirement.’”

Communicating privacy to your customers

Training your salespeople to answer privacy-related questions

ZoomInfo’s George Jones made privacy part of the sales process by equipping salespeople with privacy knowledge, which reassures potential customers that ZoomInfo is a privacy-focused company.

“Privacy can be a major roadblock for customers who are buying data for the first time. If it's something an organization hasn't navigated before, they have a lot of questions.”

“These questions will come up. It's not a matter of ‘if,’ it's a matter of ‘when.’” he said. “So we're training these sellers to have privacy-related conversations.”

Jones also ensures that sales teams can easily contact the privacy team when more complex questions arise.

“They can access our team at the click of a button. We’ll come in like a privacy SWAT team... We’ll answer a couple of questions around data protection and privacy, and then the deal will move forward.”

“We don't want to be a blocker. We don't want to put up any barriers. We just want things to be as seamless as they can.”

Developing external privacy resources

Emilie Kujit shared how AppsFlyer has invested heavily in privacy communication. 

“Everyone works either with an iPhone or with an Android phone, and there's a lot of different regulations,” she explained.

“We've got this massive privacy hub on our website. We've got collateral on all the major legislation.”

AppsFlyer’s resources guide mobile app developers on how to meet the demands of legislators and regulators worldwide. This builds brand awareness and showcases the company’s privacy expertise.

Integrating privacy by design

Using ‘privacy by design’ to enhance products

Emile Kujit discussed how integrating “privacy by design and by default” has helped make AppsFlyer’s products stand out.

“We've got SDKs and APIs in well over 90 percent of all mobile phones around the globe. So we really reach everyone everywhere. Which is, of course, a big responsibility,” she said.

“There hasn't been a single product within our company developed in the last three years that did not have privacy at the center.”

“Customers go into the platform. Everything is ‘privacy by default.’ That means if I wish to share data with another individual, I, as the customer, specifically need to be the one who presses that button, moves that toggle, et cetera.”

Implementing ‘privacy by design’ in different contexts

BSI’s Conor Hogan noted that there's no “templated or predefined” way to implement privacy by design or privacy engineering.

“It has to be tailored to the needs of the organization, to the risk profile and risk appetite of the organization, the technical environment, and the maturity of the privacy capabilities that the organization has,” Hogan explained.

“You identify where risks might be. Maybe you decide to use privacy threat modeling to get a good picture of exactly what is outside of your risk appetite. Then you break it down into manageable chunks.”

Demonstrating privacy’s ROI

Comparing products with competitors

Emilie Kujit revealed how AppsFlyer helps its customers demonstrate the value of privacy in their products.

“One of our products shows customers comparative products in their field. ‘This is what other customers in your field are doing with privacy-preserving methods. This is what you may also want to do.’“

“So again, selling privacy as an option of how to be more edgy and more savvy in your field in order to enhance protection for the end user.”

Measuring privacy’s risk-mitigation value

BSI’s Conor Hogan suggested that a privacy program’s ROI might not always be measurable in dollar amounts.

“It comes down to what you define as those metrics,” Hogan said.

“Whether it’s the number of breaches, the number of data subject access requests that you've met, the number of regulatory requests that you've been able to satisfy—the number of investigations, perhaps, that you haven't been subject to.”

Measuring the impact of privacy in business deals

George Jones shared how ZoomInfo measures the impact of the privacy team’s interventions in a very tangible way.

“We record whenever we have interactions with customers—if we have a call or create collateral specifically for a customer. Then we attribute that to the size of the deal,” Jones explained.

“We take a dollar amount and work with the sales team to attribute how much of that is down to our support.” 

“It helps us go to our leadership team and say, look, we've worked across X million dollars worth of accounts this year, and this is how much value we feel like we’ve added.”