Add Value By Discussing Data Privacy: It’s As Easy As Serving A Big Holiday Meal
The morning after a big holiday celebration is usually one of John Horace’s favorite times to think.
Really think.
The holidays require lots of planning, errands, and effort. The celebration is great, but it takes work. That’s why he always found the next morning so good for thinking. Kitchen gadgets are put away, serving dishes are back in the cupboard, leftovers are secure in various containers, and there is a brief calm before the next big holiday season gets going. With a fresh cup of quality dark roast, he made his way to his home office.
John is the Sales & Marketing leader at a mid-size professional services agency, focused on and passionate about new growth opportunities. His industry has been relatively strong, but the year 2020 has been extremely challenging for the team. The COVID-19 pandemic has forced them to learn new skills to be effective in virtual meetings and sales calls, and they’ve endured significant uncertainty both personally and professionally. The new year will be welcomed by many.
To keep the team’s focus on hitting their year-end numbers, John has scheduled a sales and marketing meeting for the following Tuesday. He fired up his laptop to make out a list of agenda items:
- Finishing the year strong
- Gratitude for strong efforts in a tough environment
- Adding value for clients and prospects
- Differentiating from competition
- Emerging growth topics
After typing that last one, he minimized the window and opened the folder labeled “Growth Topics” to review the files he’d been accumulating. Topics make into this folder only if John thinks they may create a growth opportunity in the market or present a commercial risk. He always looks for the “so what?” of an issue before deciding to discuss them with the client-facing team.
Catching his attention right away was an initiative from the recent election. California ballot initiative Proposition 24 passed, approving the California Privacy Rights Act (CPRA). The Golden State already has the country’s toughest data privacy regulation in the California Consumer Privacy Act of 2018 (CCPA), which became effective in 2020. This new ballot approval will make that data privacy regulation even tougher when it takes effect in 2023.
John started to consider the “so what?” of this recent development. Since California is such a lucrative market and sets the highest data privacy standard in the U.S., many firms have already invested to comply with the CCPA. They choose to avoid complexity by having one data privacy approach based on the toughest regulation, and that is California’s.
John wondered which of his larger agency competitors would follow this approach as well.
He also wondered how consumer expectations may change as major companies in numerous industries base their data privacy strategy on the CCPA and, soon, the effects of the CPRA.
He would have to demonstrate to the team that risk from data privacy wasn’t a scary subject, but something they can confidently discuss with customers and prospects. But how?
That’s when John thought back to the delicious holiday meal he’d enjoyed the previous evening – and the process required to make it happen.
You Can Understand Data Privacy Risk – And So Can Your Clients
While the topic of data privacy is certainly a potential emerging risk area that should be on the radar of the agency’s commercial customers and prospects, John questioned whether his team would be able to use privacy to add value for clients and differentiate from competition. He winced when he thought about the blank looks he gets from his team whenever a similar topic – that of cybersecurity as a risk factor – is brought up.
Many sales producers lack the confidence to discuss cybersecurity risk with clients. They perceive it to be technical and confusing. Too often, the subject is not brought up in conversations with clients, when it really should.
Is data privacy destined to fall into the same trap?
John made a note to consider this reluctance as a potential constraint before next week’s sales and marketing meeting.
As John continued reviewing the Growth Topics folder, he noticed an article about data privacy that a member of his trade association had sent to him. The article attempts to demystify data privacy by highlighting that the CCPA and CPRA basically define a set of individual rights and organizational responsibilities that must be observed.
John didn’t see any confusing technical stuff. It all seemed pretty basic – things like providing notice, obtaining consent, consumer choice. As he reviewed the article, John started to feel like most of this privacy stuff was relatively easy to understand, and potentially something about which the team could have meaningful discussions with clients and prospects.
If only he could make them see that data privacy wasn’t as scary as the dreaded “cybersecurity” topic – and that it was actually a tremendous sales opportunity.
John did have to review one sentence from the article several times. “You can have security without privacy, but not privacy without security,” it said. He needed to give that one some thought before mentioning it to the team, but he understood it to mean that data privacy is a company policy or approach, while data security is one aspect of it: the protection of the data.
The Data Privacy Canvas: All The Key Points On One Page
The article included an attachment entitled “Data Privacy Canvas – Threat Or Opportunity?” John was a fan of the various “canvas” tools from Strategyzer, so he took a look.
The Data Privacy Canvas is a one-page summary of basic questions, practices, regulations, and approaches to data privacy. John liked how it provided structure for a substantial discussion about risk management with clients and prospects.
John reviewed each of the twelve blocks on the Data Privacy Canvas. There were several terms he didn’t understand, but most of it was at a level that every member of his team could understand – especially with the built-in “cheat sheet” on the back to prompt discussion.
John noticed that only one of the twelve blocks on the Canvas was for security. “How is Data Protected, Destroyed / Disposed?” He shook his head at the realization that before today he thought privacy and security were basically the same thing. They are related, but different.
Encouraged at the prospect of finding a new growth topic with the potential to add value and differentiate his team from competing agencies, John went to refill his dark roast.
Back in the kitchen preparing his coffee, John started to think about how to introduce the topic to his client-facing team. The lessons of cybersecurity risk would be the elephant in the room, so nothing technical, nothing confusing. He had to think of some analogy everyone could relate to.
How Data Privacy Is Like A Holiday Meal
As his mind was working on that challenge, John decided to raid the fridge for a quick snack. After all that work planning, shopping, preparing, cooking, and serving the meal, it was always sad to see the big feast’s leftovers stored unceremoniously in plastic.
An elegant meal one day, basic leftovers the next.
John likes to cook – and he really likes to cook those big holiday meals. He reviews recipes from his personal files, The Food Network, and the latest issues of Bon Appetit and Food & Wine, then he devises a plan. John makes out the shopping list, does the shopping and plans out every aspect of the meal. He loves doing it.
Thinking about his preparations for this latest holiday meal sparked an idea. Forget the leftover snack. Time to return to the laptop.
John pulled the Data Privacy Canvas up on the screen. As he looked again at the twelve boxes containing a series of questions, he considered his holiday meal preparations.
He noticed a similar pattern between preparing the big meal and identifying a data privacy approach. Not perfect, but a way to think about it in a way he and others could relate to it. A way to build understanding that leads to confidence.
Not yet convinced, John printed out the blank canvas. He would definitely have to make a few tweaks, but it might just work.
With a plan now in mind, John returned to the kitchen to get a fresh coffee and a sliver of his favorite pie – just to tide him over until the post-holiday leftover lunch, another Horace family tradition.
To guide his thinking and help develop his level of understanding, John created a table with the questions listed for each box of the Data Privacy Canvas, the key clues from the cheat sheet intended to facilitate a discussion, and the high-level example from preparing the holiday meal.
| Privacy Canvas Box | Key Clues for Discussion | Holiday Meal Example |
| Fair Information Privacy Practices | Guidelines for handling, storing and managing data; Individual rights (e.g. notice, choice & consent), Controls on data, data lifecycle | The overall plan to source, process, prepare and serve a great meal in a safe way so nobody gets sick |
| Privacy Policies, Notices & Disclosures | Internal approach and guidance on data practices, External notices | Provide transparency and information on ingredients used to avoid potential issues |
| What data do we collect? | Type of data, purpose for collection, limitations on collection | Shopping for meal ingredients |
| How do we use the data? | Limited to the use specified, only collect what is needed | Process the ingredients and prepare per the recipes and plan |
| How does our data flow? | Collection, storage, classification, segregation, use, sharing, disposal | Ingredients from grocery store to pantry and fridge to kitchen and meal to table |
| What data do we keep, where and for how long? | Data inventory, classification access, quality & correction | Store in pantry or fridge for meal prep, mindful of safety dates |
| Risk Management | Reputation, brand, legal, operational, & investment risk | Food safety, allergy and cooking risks |
| Clients, their customers and their expectations | Choice, access to data, user preferences | Expect traditional favorites prepared in safe but tasty way |
| Who do we share data with? | Businesses that collect data are responsible for it, even if shared with other entities | Guests and family, and combine with other ingredients to make new things like soup and leftover sandwiches |
| How is data protected and destroyed? | Security principles, de-identification | Safe food handling practices and mindful of “use by” dates |
| Which internal teams are involved with data? | Marketing, sales, IT, HR, compliance, operations, legal | All pitch in per the overall meal plan |
| Who is accountable? | One individual | Me |
| Applicable laws and regulations | Federal, State, Industry, and Sectoral | Food handling guidelines and stove / oven safety |
John reviewed the table and understood that while the comparison wasn’t perfect, it could be helpful for stimulating discussion with his team. His objective was to have a conversation about an emerging risk in a way that made the topic approachable, understandable and maybe even fun.
Comfort leads to confidence. Confidence leads to meaningful conversations with clients and prospects. The team could be positioned to add value and differentiate. Together they would have to understand a few new terms, but the questions in the table’s first column provide great discussion fodder.
The more he thought about the analogy, the more enthused he became about how this particular Growth Topic had real merit.
As John’s family was beginning to gather for the traditional leftover lunch. he penciled in his ideas on the newly named “Holiday Meal Canvas.”
To help the team connect even more, he planned to review the Privacy Notices from his own agency’s website and those of a couple major clients after lunch. Since likely very few members of his team look at these notices, they’ll likely be surprised to see how much information needed for the Canvas is right there in a website’s Privacy Notice.
He made a note to himself that that’d be an effective pre-call planning exercise. Another confidence builder, another conversation starter.
Cooking Up Opportunity: Discussion Questions About Data Privacy Risk
Before shutting down the laptop for leftovers and family time, John listed some new questions for his team to consider;
- In what ways will consumer expectations be changed by what is going on with data privacy, and how might that impact clients and prospects of his agency?
- In what ways will existing competitors change their operations because of the CCPA and the new CPRA, and how will that affect John’s agency?
- Will data privacy become “table stakes” for agency operations in the next year or two?
- Given the challenges of selling technical topics like cybersecurity risk and cyber insurance, how can John position his team to get confident talking about data privacy and privacy risk with clients and prospects?
- What is the level of confidence in reviewing a client’s privacy notice on their website, and using the Data Privacy Canvas, engage in a risk management conversation?
- Is this an approach that can position the team to add value for clients and prospects, and differentiate from the competition?
- Since privacy and security are related but different, could the team use the client discussions about data privacy to get more confident about discussing cybersecurity?
- The “product” we have available to sell for privacy risk is the team taking a consultative risk management approach. While this can add real value and help differentiate, John needs to help the sales producers see the bigger picture of how a consultative approach powers growth opportunity.
As the laptop powered down, John felt even more confident about a productive meeting the following Tuesday. He also felt like he had a fun answer to that inevitable question, “Hey, John, how’d your holiday meal turn out?”
“Well, funny you should ask. Let me share it with you.”
About the Author
David J. Dillon, MBA, is the owner of Watney Insights Network, Inc. and is passionate about helping businesses grow.
David believes everyone is capable of raising their game with the help of proven tools, process and support. Based on that belief, his “why” is to collaborate with others to solve big, meaty challenges so that together we “raise our game” to accomplish meaningful results for success and fulfillment.
He achieves this by combining extensive professional experience with world-class tools, process and support. David’s approach is to teach, facilitate and coach.
His focus is helping independent insurance agencies thrive. This focus positions him to understand their urgent needs and compelling desires. Their “core cares”. He also helps professional service firms, service-based franchise owners, learning development professionals and others.
David’s interest in data privacy began while leading several high-growth software development innovations which generated a significant amount of personal data from users around the world. The data was protected and secure, but he faced frequent privacy challenges from internal business leaders that wanted to use the data for competitive advantage. That is when he learned the important lesson that privacy and security are related but different.
To learn more or start a conversation, please contact David by email at ddillon@watneyinsights.com, visit his website or connect on LinkedIn here.
To download a copy of the Data Privacy Canvas or other resources please click here.