What publishers should do to implement data privacy protection

When users enter information about themselves on digital publishing platforms, they trust the publisher not to misuse that data, and ideally they want to specify how the publisher may or may not use their personal details.

by WAN-IFRA Staff | August 20, 2015

Keeping users’ trust is not just a moral obligation – it is a massive business asset that sets successful publishing operations apart from the rest of the field.

That means data privacy protection must be a top-of-mind issue for news publishers, to keep their crucial competitive advantage intact. Their longstanding customers demand it. Their potential new users, many of them Millennials, demand it. Emerging regulations demand it.

So what concrete steps can publishers take to implement data privacy protection in their organisations, starting immediately?

The following excerpt from the WAN-IFRA report, “Data Privacy: An issue for our time,” is taken from Chapter 6: “Recommendations – What publishers should do now.” These recommendations focus on internal organisation; building solid privacy programmes are obviously a top priority: being clear and transparent with users, keeping track of processes, and keeping track of third parties. We will cover those in an upcoming post.

Internal organisation

There’s no getting away from it: taking ownership of your data protection requires investment. Of course, as we have seen in our best-in-class case studies, probably only larger publishers can contemplate employing full-time data protection officer(s). However, irrespective of your size, establishing data privacy awareness in-house is fundamental to being able to leverage the data you collect and to build trust with your users.

Riikka TurunenRiikka TurunenSanoma’s Director Data Protection & Privacy Riikka Turunen explains why they consider data protection a business function, rather than “just” a compliance one: “Data is an asset, and if you’re going to optimally use your asset you have to make sure you’re able to do that. We have privacy champions across the organisation who are like antennae for the business. They are employees who understand the business, know the roadmap of the operations, and have also been trained in the area of privacy to identify potential issues that they might detect from the future roadmap.”

So what are your options?

Appoint a data privacy lead

While many large publishers employ a full-time data privacy officer, that is clearly not financially viable for smaller ones. However, you may still want to consider appointing someone in-house as data privacy lead – in the audience, advertising, information or other department, thus establishing privacy as a priority. And once it’s a priority, a strategy can follow, driven by a member of staff committed to your business success.

At The Globe and Mail in Toronto, the privacy lead is Sue Gaudi, who is also VP General Counsel. She says a privacy lead has a unique role in that they look after both the interests of the business and the consumer: “The advertising department beats the drum of ‘more first-party data please.’ As CPO, I look out for our customers and help determine how we get that data, how we safeguard it and how we collect it in a usable way and in a way that doesn’t negatively impact our brand value. At The Globe, experience tells us that if we do this correctly and in a way that people understand, our customers become our family in a way, and we’ll have a lot more valuable information to use in our business.”

Marc GromanMarc GromanMarc Groman, President and CEO of the Network Advertising Initiative, and a member of the board of directors of IAPP (International Association of Privacy Professionals) has years of experience as a CPO and explains why it’s key to have appoint a privacy lead:

“It is critical today for every publisher to have a person who is responsible for data privacy. Whether or not that person is the chief privacy officer or holds a different title is less important. The key is to have an experienced and senior person who looks at data collection and use strategically and takes proactive steps to ensure that data is managed responsibly across the enterprise. Without a data privacy officer or similar executive, companies run the risk of failing to protect data until it’s too late – a law has been broken, a breach has occurred, consumers have been harmed, or the publisher’s reputation has been tarnished.

“The key functions of a data privacy officer are to develop, manage and routinely update an enterprise-wide privacy programme to ensure that data is protected from cradle to grave and that privacy by design is baked into every line of business and project as early as possible. Other tasks include employee education and training, advising company leadership on strategy and risks, staying on top of legal and policy developments across the globe, working with vendors and third party partners, and drafting corporate privacy policies. A data privacy officer – together with legal counsel – may also be required to respond to data requests from government agencies and law enforcement. I was a chief privacy officer for several years and I can confirm that it is a challenging but fascinating position – and a critical one.”

Appoint data protection champions across the company

If you want to be able to fully leverage the data you collect as a business, the recommended strategy for data protection is privacy by design. That approach involves building data protection into all business services and products, rather than treating it as an addon after a new product has been launched. And to make privacy by design work, you need to put in place “privacy owners” across the organisation, so that you don’t rely on product managers, editors and marketers to make the right choices about sensitive customer and personal identifiable information (PII) as business development goes on.

As Sanoma’s Riikka Turunen said above, the privacy champions are like antennae for the business: “Because they know the business they will then, first of all, indicate how to solve any privacy issue that’s arisen. In more complex cases, they contact the expert privacy team and start to resolve the potential problems as they are being designed into product, so that we find a solution early enough. If you put business experts, privacy experts and tech experts together, they can come up with the right solutions.”

Establish privacy awareness among all staff

As with all business-critical issues, in order for the entire organisation to move as one in data protection, you should provide training for all employees, to create at least a fundamental awareness of the law, internal policies, processes and pitfalls. That can be done in different ways.

The Guardian has developed bespoke training modules on the different aspects of data protection, which all staff can participate in. Each module concludes with a practical workshop where an imaginary Guardian business has been created and the participants go through the process of managing the data collection, hosting, transfer, etc., involved in running that business. Eventually – and this is of course the goal – staff start thinking like data protection officers. While the face-to-face modules are all entirely optional and are aimed at commercial and operations staff, all staff are required to complete an online training module on information security and data protection.

Sanoma is ramping up a training programme so that everyone gets basic privacy awareness – knowledge about the existence of the policy, where they can find more information, and what the basic do’s and don’ts are. In addition, operational areas have been identified where staff need to be aware as part of their roles. These teams are specifically trained in their respective area of operation. “And again – the privacy champions have helped us identify what the most relevant roles and teams are in the different operational areas,” says Turunen.

Some companies specialise in privacy training for staff, such as Teach Privacy (

Share via
Copy link