Dr. Sachiko Scheuing, Acxiom’s European Privacy Officer and author of our featured book, “How to Use Customer Data,” discusses effectively balancing data protection and marketing. Sachiko shares insights on navigating complex privacy laws, implementing robust data security, and fostering collaboration. Sachiko introduces the MaRCS protection check and recommendations for thriving in the evolving data regulation landscape, bridging the gap between marketing and privacy concerns.
Episode Transcript
Announcer: Attention, marketers! Get ready to transform your advertising strategies with Bigeye’s new 2024 National Research Study, Retail Revolution. This in-depth report explores the rapidly changing retail landscape. You’ll find valuable consumer insights across key areas, including shopping behaviors, direct-to-consumer brands, sustainability, brand collaborations, retail advertising, influencer marketing, and AI. To download your free copy of Bigeye’s Retail Revolution, go to bigeyeagency.com/retail-revolution. That’s bigeyeagency.com/retail-revolution. Reshaped by technological advancements, new consumer preferences, and global events, Bigeye’s Retail Revolution is your guide to the future of retail marketing and advertising. Join the Retail Revolution!
Adrian Tennant: Coming up in this episode of IN CLEAR FOCUS:
Sachiko Scheuing: On the one camp, you have the marketeers. On the other camp, you have the privacy people. And when actually they get to talk to each other, they really come up with like great ideas, how they can innovatively come up with solutions that would be privacy compliant and allow creativity in the marketing field.
Adrian Tennant: You’re listening to IN CLEAR FOCUS – fresh perspectives on marketing and advertising produced weekly by Bigeye: a strategy-led, full-service creative agency growing brands for clients globally. Hello, I’m your host, Adrian Tennant, Chief Strategy Officer. Thank you for joining us. Customer data has become invaluable for brands and retailers seeking to deliver personalized experiences and drive growth. However, with increasing data protection and privacy regulations, marketers face significant challenges in leveraging this data effectively and ethically. Implementing laws such as GDPR in the EU and the DPDI Bill in the UK has reshaped how companies collect, process, and use customer information. As a result, marketers have to navigate a complex landscape of legal requirements while still striving to create meaningful connections with consumers. Our guest today is an expert on data protection and marketing, with a track record of providing valuable insights on balancing these often competing demands. Dr. Sachiko Scheuing is the European Privacy Officer for Acxiom, part of IPG, and the co-chairwoman of the Federation of European Data and Marketing. With over two decades of experience in marketing and data science, Sachiko has been at the forefront of data protection practices in the advertising industry. In 2020, she was awarded the DataIQ Professor Derek Holder Lifetime Achievement Award for contributing to the data protection and advertising industries. Her new book, published by Kogan Page, is “How to Use Customer Data: Navigating GDPR, DPDI, and a Future with Marketing AI.” To discuss some of its key ideas, I’m delighted that Sachiko is joining us today from Frankfurt, Germany. Sachiko, welcome to IN CLEAR FOCUS
Sachiko Scheuing: Thank you, Adrian, for the invitation, and thank you for pronouncing my name properly. It’s a huge plus from my side.
Adrian Tennant: Great. “How to Use Customer Data” is your first book. What inspired you to write it, and who is your target audience?
Sachiko Scheuing: Well, you see, the book is actually written for marketeers and privacy professionals. And I may have a slight emphasis on SMEs, considering the fact that marketeers and privacy professionals in small and medium-sized organizations may have to take on a wider remit. You know, by definition, people working in SMEs need to be a little bit more of a generalist than those in large corporations, I would say. And as of the motivation, well, can I say, I think this is the joy of uniting the two departments at client calls. So on the one camp, you have the marketeers, on the other camp, you have the privacy people. And when actually they get to talk to each other, they really come up with like great ideas, how they can innovatively come up with solutions that would be privacy compliant and allow creativity in the marketing field. And, you know, I just wanted to spread the spirit of coming together, coming up with great solutions, great atmosphere, and by doing that, improving the privacy for everybody.
Adrian Tennant: In the introduction to your book, you state that it aims to bridge the gap between marketers and privacy professionals. Sachiko, can you explain why this gap exists and why it’s crucial to address it?
Sachiko Scheuing: That’s a very good question. I think one thing you do need to know is that in the privacy profession, unless you are in the credit rating or pharma and medical research sector, the emphasis is usually put on the HR data. So marketing, usually for like privacy persons, is like the thing on the side. It’s one of those unimportant things. So maybe that’s one aspect to this entire setup. And marketeers tend to shy away from reaching out to their privacy or data protection departments because they’ll say no. Who are they going to talk to them? The privacy department actually sees marketeers, in many cases, just those troublemakers. They’re just coming up with all sorts of these problems. So I think we need to work together to come up with a solution that works for both marketeers and the privacy department and minimize the risks to data protection. So this is the reason why I think to have like a nice bridge between the two parties is very, very, very important.
Adrian Tennant: Got it. I love that. Marketers as troublemakers. You introduce the MaRCS-protection check in the book. Can you explain what it is and how marketers can use it?
Sachiko Scheuing: Sure. So MaRCS stands for… the first M-A, Ma. It comes from Maintain clean and accurate data file. So it’s all about data hygiene. The next one, develop responsible. So the R is for responsible apps and websites. And the next one stands for consequences. Think of all possible consequences to your customers and your clients when you are, for instance, appending attributes to your customer records or creating new insights or whatever. And the last letter, S, stands for security. Ensure data security. and I think before you actually talk to other people it’s always a good thing isn’t it like if you’re going for a job interview you know you prepare yourself you try to take a look at the website of the company and find out you know how best to pitch yourself and and so on but it is exactly the same for going over to the other department i.e for your marketeers to go over to the privacy and legal department and start your conversation. The better you’re prepared, the smoother the conversation goes, because by anticipating what questions they’re asking, you can already score many, many points, and they’ll be like, hey, that marketing person is a very nice person. I want to work with them much more, which is actually my underlying motivation of writing this book. I want these two organizations to become friends with each other.
Adrian Tennant: In the book, you also discuss various legal grounds for using customer data in marketing. Can you explain the concept of legitimate interest and why it might be more flexible for marketers, especially those working on smaller brands?
Sachiko Scheuing: Yes, I think it is important to know that in Europe we don’t use the word opt-out consent, right? Consent is always and only opt-in. So legitimate interest is an opt-out consent in Europe. Opt-out consent as you use it in the United States would be considered legitimate interest. And legitimate is as opposed to illegitimate or illegal. So first of all, if you are using the legal ground, the legitimate interest, it has to be something legal. And then the next criteria is that you need to make sure that interest does not weigh heavier than that of the data subjects. So this is usually referred to as like a balancing test. Balance your interest against the data subject’s interest, and then make sure that your interest is weighing more, because then you are allowed to use the data. And also, Adrienne, unlike consent, which is basically, you know, you go through this okay, okay, okay clicking exercise every day so many times, but it actually puts the responsibility to the person who’s clicking okay, i.e. the consumer or the client themselves. Legitimate interest actually puts the responsibility squarely with the organization, the company. So it actually makes you as marketeer, you as the company, be responsible about what you do with the data, how you treat the data. It really increases the accountability of the company. And I think that is a good thing. because you know what you are going to do with the data to the smallest detail, you might as well also take assume the responsibility because I think that would actually make so much more sense. Also consent as an opt-in consent in the US term, it has to be specific under the GDPR. So it is not suitable for the data collected using opt-in to be recycled. There’s really no flexibility. But legitimate interest, on the other hand, can generally be recycled for other purposes. So you see, it increases the value of your data altogether if you’re collecting data based on legitimate interest. I hope that makes sense. It’s a really, really like, you know, nitty gritty, jargony stuff that I’m talking about right here.
Adrian Tennant: It does. Your book covers both GDPR and the DPDI bill. Can you explain the key differences between these regulations and US data protection laws?
Sachiko Scheuing: Sure. To start with, about the DPDI, oh, what a problem. Because after everything got finalized towards the beginning of this year, the UK decided to actually drop the DPDI because they decided to have a general election. So, you know, DPDI is no longer there. But having said that, I think the Brits have done a great job because they are in this privileged situation where they have experienced, implemented, lived GDPR for six years, and they were able to actually use the learnings that they have accumulated and use that knowledge to improve the GDPR. And that was what the PDI bill was all about. I bet it is going to come back. However, some of the thinking, like reducing administrative burden, particularly to small and medium-sized companies, And also the legislators have found that it is very important to strengthen the use of what we have just spoken about, the legitimate interest or opt-out consent for marketing purposes. So that would have given marketeers more legal certainty. But anyways, this is to be seen how Britain would evolve. Now back to the GDPR and the difference between GDPR and US privacy laws. Well, first of all, I think it is important to clarify that GDPR is a general law. So that means it applies to all industry sectors. You know, it’s not industry specific. Secondly, this may be a key difference because GDPR covers personal data outside of persons in his or her private capacity. Like, for instance, my information as the European Privacy Officer of Acxiom would be considered, or data related to that, on that GDPR would be applicable. So I think these may be the two key differences.
Adrian Tennant: You dedicate a chapter to working with partners and suppliers. Sachiko, what are the most important aspects smaller independent agencies or brands should consider when collaborating with larger partners on data-related projects?
Sachiko Scheuing: Yeah, very good question again. So I’ll try to sum it up on what the agencies and so on can do. I think the most important thing is to button up on compliance. You see, you need to also take a look at the situation from the larger partner or the larger customer’s point of view. You see, of course, working with them would give you a huge lift on your revenue. But you also need to understand that it would also require a higher level of compliance because the larger companies are themselves under more scrutiny. And also buttoning up in a sense of, you know, getting certified and things like that would be really useful. Once again, from the perspective of these larger companies, Of course, they will be sending you auditors and so on, right? But it costs money. Auditors cost money, you know, it costs time and effort. If you can go to these companies and say, hey, I am this and that certified, then, you know, the business partners would be like, oh, Well, that’s cool. Then we’ll take it to that external independent organization has said you’re all right, so it must be all right. Next. I thought you were doing like a great favor. Therefore, I would conclude buttoning up maybe and being certified may be a great way to actually take advantage of the situation should you need to be in a competitive situation with other companies that are offering the same services.
Adrian Tennant: You’ve mentioned certifications. Which of the principal bodies, agencies or brands should think about certifying with here in the US?
Sachiko Scheuing: Generally speaking, the ISO 27001 is highly regarded. Anything that can actually provide an indication that your data is physically safe, like data in your hands would be physically safe, would be very much appreciated.
Adrian Tennant: Thank you. Let’s take a short break. We’ll be right back after this message.
Sachiko Scheuing: I am Sachiko Scheuing, the author of “How to Use Customer Data: Navigating GDPR, DPDI, and a Future with Marketing AI.” My book provides a practical and user-friendly guide to ensure your data-driven marketing complies with GDPR and other regulations. I break down key concepts and explain how to balance customers’ privacy concerns with the latest innovations in data-driven marketing. As an IN CLEAR FOCUS listener, you can save 25% on “How to Use Customer Data” when you order directly from my publisher at KoganPage.com by entering the exclusive promo code BIGEYE25 at checkout. Shipping is always complimentary for customers in the US and the UK. |
Adrian Tennant: Welcome back. I’m talking with Sachiko Scheuing, Acxiom’s European Privacy Officer and the author of “How to Use Customer Data.” For Bigeye’s recent research study, Retail Revolution, we surveyed over 1,400 US consumers aged 18 to 76. Ninety-four percent of all respondents expressed some level of concern about the privacy of their data when used for personalized advertising – only 6% said they were not concerned at all. Sachiko, what are some cost-effective ways for small and medium-sized brands to implement robust data security measures?
Sachiko Scheuing: First of all, let’s talk about the security measure. Protecting data is like a must, right? The good thing is, you know, the robustness of the technical and organizational measure that you need to adopt depends on the risk that your data is carrying or the processing that you are carrying out. Meaning, if you’re dealing with information that relates to permitting somebody to come into the country or, you know, prosecuting somebody or medical details before operating this person, whatever. Of course, these data must be protected with utmost care and you need to actually invest so much more in the protection. But if it is about names, addresses, let’s say pseudonymized information as in key coded or encrypted information or whatever, then of course the level of security measures that you need to adopt would be not much less. So that’s the part one, security. And then you have the second element. I think the second part of your question relates to communication. And I’ll quote another survey – a 2022 survey by GDMA or Global DMA found out that 48% of US respondents are so-called pragmatists. meaning if that person sees value in what they’re getting in exchange of data like for instance you have access to information about like how to build a birdhouse or if you would actually have access to a certain article then they’ll be happily sharing their data with you compounding that with the security point. And I think when you are sharing data, you do want to know that it’s not going to end up getting into trouble because the data at that company has been stolen or something like that. So, I would say, if you are actually having a robust security system anyways, then tell those people. I like to quote this Muhammad Ali story. Apparently, he has said, “Well, you know, 50 percent of the time I’m training so hard, look at my muscle and all the rest. And then you know what I’m doing the other 50% of the time? I’m telling people that I’m training all the time.” Well, this is exactly what we have to do. And here, you see, that’s why marketeers are very important for privacy people, for your organization, because you need to tell people that you have a great security measure put in place, of course, in an appropriate place. So most probably that is going to be on the privacy statement or somewhere like that. And also, if you’re already communicating, you might as well also talk about what value the sharing of the data is going to be exchanged with the consumer or with the customer.
Adrian Tennant: Great points. Your book also includes a chapter on AI and marketing. Can you briefly explain the EU AI Act and its potential impact on marketers?
Sachiko Scheuing: Yes, this is my recent favorite topic, so I can actually go on for hours and hours, but I’ll try to make it short. The EU AI Act is the world’s first AI law, as you know, and the nice thing about this law is that it is written with global interoperability in mind, meaning already from the outset, the legislator said they want to make sure that if there are other AI laws in other countries, that it would actually take a similar position and hence would be no contradiction between the two laws or several laws. And you can, for instance, see from the fact that the EU AI Act makes use of the OECD definition on AI, which also appears in Biden’s executive order from October last year. So I think there they did a really good job in, you know, already starting with this interoperability in mind. And then it is also important to understand that it’s a very, very different type of law compared to the GDPR. It actually is a product safety law, right? So that means if the AI or the results of using the AI is going to be used in the EU, Then, it would also apply to companies in the US or other non-EU countries, like Britain is at the moment. In the EU, whenever we actually have a product, it carries this CE mark, which basically means it’s certified for some EU standard. Well, same thing, a manufacturer is in China, they still need to comply with the EU law, in this case, EU AI. A big thing that I think should be understood by marketeers, or it should be a relief to marketeers, is the fact that this law, it basically takes a risk-based approach, meaning the higher the risk, the stricter the rules, the lower the risk, the more flexible you are. And it basically defines what types of AIs are forbidden and what is high-risk AI. And things that do not fall under forbidden, I mean, forbidden is forbidden, or high-risk, you are free to use with, you know, perhaps transparency is one of the only things that you need to think about. You know, when using a chatbot, for instance, you need to make sure that people understand that they are interacting with a machine and not a person. This is to combat deepfake, I suppose, when you actually have videos or images that are created using AI, then it should be made clear upfront. I think that is going to be the space that we need to look at, like how will this transparency be given in a most effective way, like nutrition labels and things like that. So anyways, the aim of the legislator here is very clear to me. I think they are saying, go and innovate with AI. And therefore, I think we should really embrace the numerous marketing AIs that are entering the market and starting to be adopted by so many marketeers around Europe and all over the world, really.
Adrian Tennant: Great. In “How to Use Customer Data,” you discuss the role of Data Protection Officers or DPOs in organizations. How can marketers and DPOs work together effectively to create a more privacy-friendly organization?
Sachiko Scheuing: Yes, well, the reason why I actually spoke about this in my book is because for marketeers, some departments are like natural partners, like finance, because, you know, you need to make sure that you get your budget allocated properly and, you know, and stuff like that. Sales department, particularly in the B2B sector, marketing is like a sales enabler. So you really, really work closely. But once it comes to data protection or privacy, I think marketeers really need to consciously reach out to the privacy department and go and work with them. Same thing can be said to privacy professionals as well. So the data protection departments really need to reach out to marketeers and understand what great values marketeers can actually bring to the privacy organization. There’s one reason why I really think it is important for privacy people, DPOs in particular, to work closely with marketing. And that is because, in my view, there are several prerequisites to be a DPO. And some of them are like legal knowledge and stuff like that. They’re listed in the law itself. But from my point of view, when I take a look at the tasks of a DPO, DPO is an advisor, it’s a trainer, it’s a contact person for all privacy-related queries, and this person is a team player. All these things, what these things have in common is that this means communication skills, as well as interpersonal skills, make a huge difference to that organization so that company can become a robust, privacy-friendly organization. And so noticing that, I thought I really should dedicate a chapter on the DPO. And in that chapter you would read, there are so many things about what communication tools DPOs can use to actually excel in their communication.
Adrian Tennant: Got it. Finally, what advice would you give to marketers or brand managers listening to this podcast who want to ensure they use customer data effectively and ethically?
Sachiko Scheuing: I would say, first of all, go through the MaRCS Protection Check, which I suggest, in your mind. And then once you actually think about the product, or the tools that you want to use, or the concept that you want to deploy, is put through the Marks Protection Check, I think you’re then ready to go and see your privacy department or data protection department. Sometimes, you know, when you’re working with a very structured organization, they may actually have a specific interface on the intranet or a particular chat channel that you can use to actually reach out to the privacy team. Anyways, after you do that, start a conversation with them. explain to them what you’re up to, what you want to do, and solicit their opinion, and get into a dialogue. And then maybe privacy people would feel like, hey, you know what? Actually, I can think of a better solution because GDPR article this and this has got this exception, or GDPR in combination with the e-privacy directive would mean that They have to put this mechanism when they’re actually building up the solution or this interface. So get into a conversation. And I think that is the start. When you actually go through many projects, go through many discussions, then there would be the rapport that you need. that really help you work closely together and then you can get into your fancy stuff like, you know, DPOs, working together with the marketing department. Maybe there is even an internal communication specialist that would help them, for instance, amplify their message within the company. So these are my very general thoughts. Sorry, it’s very chaotic. These are my thinking.
Adrian Tennant: Well, thank you for taking a very complex topic and making it understandable for the rest of us. Sachiko, if listeners would like to learn more about your work at Acxiom or your book, “How to Use Customer Data,” what’s the best way to do so?
Sachiko Scheuing: I think you can either go to my employer Acxiom’s website, www.axiom.com, and there’s a contact form. I’m sure they will forward it over to me. The other way is, of course, you could always reach out to me via LinkedIn.
Adrian Tennant: And a reminder that you can save 25 percent on “How To Use Customer Data” when you order directly from KoganPage.com. Just use the promo code BIGEYE25 at checkout. Sachiko, thank you very much for being our guest on IN CLEAR FOCUS.
Sachiko Scheuing: Thank you very much for the invitation.
Adrian Tennant: Thanks to my guest this week, Tachiko Shoying, the author of How to Use Customer Data. As always, you’ll find a complete transcript of our conversation with timestamps and links to the resources we discussed on the IN CLEAR FOCUS page at bigeyeagency.com. Just select ‘Insights’ from the menu. Thank you for listening to IN CLEAR FOCUS, produced by Big Eye. I’ve been your host, Adrian Tennant. Until next week, goodbye.
TIMESTAMPS
00:01 – Bigeye’s Retail Revolution Study
00:59 – Introduction to the discussion on data protection and marketing
03:39 – The inspiration behind writing the book “How to Use Customer Data”
06:09 – Bridging the gap between marketers and privacy professionals
10:40 – Comparison of GDPR, DPDI bill, and US data protection laws
13:01 – Considerations for collaborating with larger partners on data-related projects
15:01 – Importance of certifications for agencies and brands
16:27 – Discussion of consumer concerns about data privacy in personalized advertising
17:08 – Implementing robust data security measures for small and medium-sized brands
20:05 – Overview of the EU AI Act and its impact on marketers
23:45 – Collaboration between marketers and DPOs for privacy-friendly organizations
26:07 – Advice for marketers on using customer data effectively and ethically
28:09 – How to learn more about Sachiko Scheuing and “How to Use Customer Data“