It has been said that the currency of the modern world is not gold, but information. If that is true, then nearly every business is storing financial information, emails, and other private information that can be invaluable to cybercriminals or other nefarious actors. What is every business required to do to protect its customers’ and clients’ private information?
As a part of our series about “Five Things Every Business Needs To Know About Storing and Protecting Their Customers’ Information”, I had the pleasure of interviewing John Gim.
John is currently the Global Chief Marketing Sciences Officer for the RAPP Network within Omnicom and oversees a diverse team of analysts, data scientists, researchers, and engineers. Over his career, John has focused on producing measurably effective, methodologically sound solutions for clients by leveraging a wide-ranging background across analytics, technology, and data. Outside of building client solutions, John can be found pursuing his passions around transparency and data science growth through giving talks on data privacy and serving on various boards and networks.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I grew up as the son of Korean immigrants; Dad was an engineer and Mom was a pianist. From a young age, it was clear that I had not inherited the musical gene but did find myself participating in a variety of math and science competitions. I ended up matriculating to Carnegie Mellon University where I studied economics and post-graduation pursued a career where I could utilize my technical and statistical skillset.
Is there a particular story that inspired you to pursue your particular career path? We’d love to hear it.
Like many individuals, my career path has been a combination of planned goals and less planned circumstances. My career path in marketing and advertising was very much the latter as the catalyst was the desire to move from frigid East Coast temperatures to the temperate weather of Los Angeles and the West Coast. Post relocating, I found an opportunity within the analytics department for an Omnicom agency and quickly realized that it was an industry where I could merge my technical skillsets and love for entrepreneurship.
Can you share the most interesting story that happened to you since you began your career?
At a critical time in my career, I decided to take two years off and pursue personal interests and moved across the world to Cambodia. While it seemed impractical for my career growth at the time, it was a transformative experience where I learned how to pivot, adapt, innovate, and collaborate under challenging circumstances. I would not trade that experience for anything as it was instrumental for my personal and professional growth.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
Much like a startup that finds believing investors to accelerate its growth, careers often need the same believing, early investors. I found that support in Jessie Kernan, current Head of Product & Strategy at We Are Rosie, who not only took an early chance on me for a leadership role that required the building of a new capability for the agency, but also provided me with the space and freedom to think differently, challenge the past, and recast the future. She’s someone I consider a mentor, colleague, and friend and one of the first people I would call to dialogue on future products and vision.
Are you working on any exciting new projects now? How do you think that will help people?
The advertising and marketing industry at large still has a way to go when it comes to Diversity, Equity, Inclusion, & Access (DEI&A) and over the past year we’ve looked to create solutions at RAPP that will not only impact our internal policies and culture, but also impact the world around us through the work that we do. Whether it is utilizing our technology and data science teams to support an organization that helps candidates with Intellectual and Developmental Disabilities (IDD) match with employers or building mechanisms to better detect bias in marketing and advertising, my team and I are working with data in new ways to help drive cultural change and make a lasting impact in the DEI&A space.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
It’s very difficult to thrive alone. Find those colleagues, those teams with whom you can grow, laugh, and journey; moreover, make the time to connect.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. Privacy regulation and rights have been changing across the world in recent years. Nearly every business collects some financial information, emails, etc, about their clients and customers. For the benefit of our readers, can you help articulate what the legal requirements are for a business to protect its customers’ and clients’ private information?
Broadly speaking, data privacy regulations focus on ensuring an individual’s right to privacy through providing the user with proper notice, choice and rights over their data (i.e., access to it, right to delete). Regulations, which can vary by region and sector, do this by mandating how businesses communicate with consumers about their data (i.e., privacy notices, breach notifications and timelines) and offer guardrails for how businesses need to handle these responsibilities (i.e., adequate security provisions, retention policies etc.).
From a communication perspective, there is an increasing focus on greater transparency when it comes to how businesses handle customer and client data. An example of this is how the CCPA created the “Do Not Sell My Personal Information” link on homepages for businesses who sell consumer data and stipulated privacy notices must be ‘easy to read and understandable,’ among other requirements around disclosure on what a consumer can expect to happen with their data.
From a data handling responsibility perspective, there are various regulations that provide companies with guidance such as Article 5.1(e) of the GDPR, which says personal data can be kept in a form that permits identification of data subjects for “no longer than is necessary for the purposes for which the personal data are processed.”
From a data type perspective there are defined guidelines for Protected Health Information (PHI), Personally Identifiable Information (PII), Sensitive Personal Information (SPI) and other personal identifying information, but anonymized data regulations continue to be debated and remain less defined. While there are GDPR mandates for re-identification being impossible, even for the company that anonymizes the data, and HIPAA specific frameworks within its Privacy Rule, there is still a lot that most laws do not cover when it comes to anonymous data.
While companies must understand and adhere to global, regional, and sector regulations, each company must decide on how stringently to apply regulations that can often leave room for some level of interpretation. Outside of those set global, regional, and sector regulation frameworks, self-regulatory frameworks should also be followed.
Beyond the legal requirements, is there a prudent ‘best practice’? Should customer information be destroyed at a certain point?
Best practices can be drawn from principal documents such as the FIPP (Fair Information Practice Principles) which provide a common set of rules within the privacy industry to support ethical best practices (e.g., Data minimization; purpose limitation, respect for user etc.). FIPP and other principal documents have also served as foundational inputs for legislation that exists today.
When looking at data retention specifically, unless exceptions exist (e.g., safety recalls), it is a best practice that data should not be stored once it is no longer being utilized or is no longer necessary. While utilization alone may seem like a sound enough indicator, understanding necessity is a critical factor. Necessity pertains to areas such as modeling or analysis where the data point may not provide model lift or there are alternatives that can be utilized (whether an entirely different data attribute or an aggregation).
An additional best practice that pairs with the downstream best practices of retention is the upstream application of data minimization. Data minimization is the practice of not collecting more than you need from the consumer. This creates a step in the strategic process of planning the lifecycle of the data to ensure what is collected has a use case downstream. It may be as simple as not collecting a customer’s telephone number when asking them to sign up for your e-newsletter or as detailed as removing survey questions that are superfluous. Data minimization also adheres to the best practice that data should be mindfully collected, over time and with consent, rather than collected in bulk where the use cases and value are not defined for the consumer or the company.
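The retention and minimization practices described above can be expressed as an automated policy check. The following Python script is an added example, not code from RAPP or from the interview: it assumes a hypothetical per-purpose policy table (allowed attributes plus a retention limit), a constructed sign-up form submission, and constructed records carrying a collection date, a last-used date (the utilization signal) and a legal-hold flag for exceptions such as safety recalls. Field names, purposes and day limits are all invented for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Hypothetical policy table (constructed for this example): the attributes a
# collection purpose may capture, and how long records for it may be kept.
PURPOSE_POLICY = {
    "newsletter_signup": {"fields": {"email", "consent_timestamp"}, "retention_days": 365},
    "order_fulfilment": {"fields": {"email", "name", "shipping_address", "phone"},
                         "retention_days": 730},
}
# Records untouched for this long are queued for a necessity review (the
# utilization signal) rather than deleted outright, since low use alone is
# not proof that the data is unnecessary.
IDLE_REVIEW_DAYS = 180


def minimize(purpose: str, submitted: dict) -> tuple:
    """Data minimization at collection time: keep only the attributes the
    stated purpose needs and report what was discarded so the upstream form
    can stop asking for it."""
    allowed = PURPOSE_POLICY[purpose]["fields"]
    kept = {k: v for k, v in submitted.items() if k in allowed}
    dropped = sorted(k for k in submitted if k not in allowed)
    return kept, dropped


@dataclass
class Record:
    record_id: str
    purpose: str
    collected: date
    last_used: date
    legal_hold: bool = False  # exception, e.g. safety recall or litigation


def retention_decision(rec: Record, today: date) -> str:
    """Apply the retention rules to one record: exceptions first, then the
    hard retention limit for its purpose, then the utilization signal."""
    if rec.legal_hold:
        return "retain_hold"
    limit = PURPOSE_POLICY[rec.purpose]["retention_days"]
    if (today - rec.collected).days > limit:
        return "delete_expired"
    if (today - rec.last_used).days > IDLE_REVIEW_DAYS:
        return "review_unused"
    return "retain"


def triage(records: list, today: date) -> dict:
    """Group record ids by decision so a deletion job and a review queue can
    each consume their own list."""
    groups = {"retain": [], "retain_hold": [], "delete_expired": [], "review_unused": []}
    for rec in records:
        groups[retention_decision(rec, today)].append(rec.record_id)
    return groups


# Constructed sample input: a sign-up form that over-collects a phone number,
# and four records in different states as of a fixed "today".
SAMPLE_FORM = {"email": "a@example.com", "consent_timestamp": "2023-05-01T10:00:00Z",
               "phone": "+1-555-0100"}
TODAY = date(2024, 6, 1)
SAMPLE_RECORDS = [
    Record("r1", "newsletter_signup", date(2024, 1, 15), date(2024, 5, 20)),        # in active use
    Record("r2", "newsletter_signup", date(2023, 2, 1), date(2023, 3, 1)),          # past 365 days
    Record("r3", "order_fulfilment", date(2023, 9, 1), date(2023, 10, 1)),          # idle > 180 days
    Record("r4", "order_fulfilment", date(2021, 1, 1), date(2021, 2, 1), legal_hold=True),  # recall hold
]

if __name__ == "__main__":
    kept, dropped = minimize("newsletter_signup", SAMPLE_FORM)
    print("kept:", kept, "dropped:", dropped)
    print(triage(SAMPLE_RECORDS, TODAY))
```

Running the script drops the phone number from the newsletter sign-up (the exact case the text gives), deletes the expired record, holds the recalled one regardless of age, and sends the idle order record to a review queue rather than deleting it, which keeps the necessity judgement with a human while the utilization data still drives what gets looked at.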
In the face of this changing landscape, how has your data retention policy evolved over the years?
Over the years our data retention policy has remained stringent and has adjusted with regulations that pass in various regions and sectors. Our data retention policies must not only pass from our internal standards but must also pass client audits and protocol checks as we have a variety of clients in sectors with specific requirements and legislation of their own. An area of focus in recent years has been increasing training for all employees on policies, whether they are in direct contact with data or not, to ensure holistic compliance and understanding.
Are you able to tell our readers a bit about your specific policies about data retention? How do you store data? What type of data is stored or is not? Is there a length to how long data is stored?
Agencies, like RAPP, are primarily the data processors and data is only held for the life of client work. We practice data minimization and de-identification techniques to only hold what is absolutely necessary. Additionally, we advocate for limiting data passes unless necessary and often work within client systems versus transferring the same data unnecessarily into our environment.
Has any particular legislation related to data privacy, data retention or the like, affected you in recent years? Is there any new or pending legislation that has you worrying about the future?
Generally, data privacy regulations such as CCPA and the upcoming CPRA, have had significant impacts when it comes to trickle down effects, especially for the US market. With walled gardens, data providers, and ad-tech products all trying to adapt to new privacy regulations and privacy best practice, the availability and utility of data is in constant flux. Modeling and targeting methodologies have had to evolve as companies such as Google continue to move towards limiting log level data access at an anonymous level and companies such as Apple introduce ITP (Intelligent Tracking Prevention) as default settings. Agencies like RAPP must continue to evolve and shift to develop and test new modeling methodologies and technologies to navigate a landscape where available data is constantly changing.
In your opinion have tools matured to help manage data retention practices? Are there any that you’d recommend?
Yes, I would say that tools have continued to mature over time as automation, detection, and diagnostic features have become paramount to managing data retention practices. Generally, I would recommend that an audit be conducted to determine what toolset or adaptation of the current toolset best meets the needs of the company. While certain tools are critical in managing data retention practices, it is equally critical to set up a dedicated internal team to oversee, track, and implement data privacy regulations and standards.
There have been some recent well publicized cloud outages and major breaches. Have any of these tempered or affected the way you go about your operations or store information?
I do not think these incidents have necessarily altered our practices as our internal teams have been and continue to remain stringent, but it has reinforced the need for ongoing company-wide training and testing as it is a collective effort. While not directly related to the publicized outages, there has also been a dedicated effort at my company to activate privacy officers across each of our client portfolios where data is used or managed. This not only ensures current compliance, but also allows for activating other best practices and continued support as the landscape rapidly shifts.
Ok, thank you for all of that. Now let’s talk about how to put all of these ideas into practice. Can you please share “Five Things Every Business Needs To Know In Order To Properly Store and Protect Their Customers’ Information?” (Please share a story or example for each.)
#1: Exceed: When given a choice, interpret legislation stringently and conservatively. This puts the customer first and also safeguards the company from potential risk as well as allowing the company to adjust faster to continuing legislation changes. For RAPP this means that we go beyond adhering to legislation and have implemented additional privacy by design principles and bias prevention.
#2: Educate: Have regular training modules for the entire organization as customer data protection is a company-wide endeavor. Have sporadic ‘testing’ to determine if best practices have been understood and applied. This periodic, unexpected testing at RAPP has been impactful in ensuring the learnings are being put to use.
#3: Evaluate: Deploy tools and technologies that will allow constant and rapid monitoring of critical diagnostics that determine adherence to legislation and track other areas such as data utilization rate to determine what data to consider for deletion.
#4: Employ: Have a dedicated team that is tasked with data privacy and other data considerations. Within RAPP we have a privacy team and dedicated team members within our Cloud Services practice to globally monitor and manage these exact things.
#5: Evolve: Continue to look for alternative methodologies in data science and research that can be utilized with varying degrees of data availability and granularity. At RAPP, this means that our Center of Excellence for Marketing Sciences is continuing to experiment with alternative modeling methods and data anonymization to be prepared for a changing landscape.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)
Understand our own biases and act. Whether this is for the data scientist building targeting models and finding bias in the data or for hiring managers who are deciding between candidates, we will create a better world when we can understand the bias and course correct.
How can our readers further follow your work online?
This was very inspiring and informative. Thank you so much for the time you spent with this interview!