Data Privacy Translated: A Marketer’s Guide to Privacy by Design

July 25, 2018 Olivia Koivisto

With GDPR in effect and subsequent multi-billion dollar lawsuits in full swing, it’s safe to say that data privacy is on every marketer’s mind these days. Even if GDPR isn’t affecting your business today, legislation like California’s GDPR-lite regulation is a sign that privacy-first will soon be the rule rather than the exception.

And while data cleanup and privacy policies aren’t inherently the most exciting aspects of a marketer’s day-to-day, it’s pretty clear that we must understand and embrace privacy best practices.

This means not only following the rules your IT and technology operations teams have laid out, but also being an active participant in the ways in which they are rolled out internally, embracing privacy by design thinking and always remembering to keep the user experience in mind.

There are seven principles to the concept of Privacy by Design:

    1. Proactive not reactive. Preventative not remedial.
    2. Privacy as a default setting.
    3. Privacy embedded into design.
    4. Full functionality: positive-sum, not zero-sum.
    5. End-to-end security: full lifecycle protection.
    6. Visibility and transparency: keep it open.
    7. Respect for user privacy: keep it user-centric.

The first time I read through these, I’ll admit, I was a little lost. But thanks to our ISO 27001-certified team (and a little hand-holding), I have a better grasp of what adopting a privacy-first mentality means. These concepts are especially important to marketers because we are so often dealing with data in order to create better experiences for our users (re: personalization, email marketing, retargeting, etc.).

Although there definitely is concern that regulations like GDPR could negatively affect marketing strategies and outputs, I think this shift in digital culture is an opportunity for marketers to embrace the user in an entirely new way. Not only that, but the sheer respect for personal data is intrinsically tied to brand now. In fact, Facebook launched an entire campaign about protecting its users’ data and its user experience as a response to this year’s leak scandal. That loss of trust by Facebook users had a direct effect on its brand, business and bottom line. Needless to say, data privacy officially matters.

So, how can we as marketers begin privacy-first initiatives? What can we do to cultivate a culture of security at our firms? I think the best way to think about this is by breaking down the seven principles of Privacy by Design, and how they translate to actions and best practices for marketers.

1. Proactive not reactive.
Translation: Have a plan in place.

One of the worst nightmares of any digital owner is getting hacked. And while it may feel like security breaches, hosting outages and hacking all sound like IT issues, it’s important that your team works in alignment with those technology-focused groups to define security best practices and crisis mitigation strategies.

You’ll likely play a role in contingency and communications plans if something were to go awry. You can also help build internal communications strategies to create policy alignment among employees (think: password difficulty, laptop policies, etc.) and assist with the documentation process (I’ll get to that more later).

As marketers, planning is in our blood. Considering possibilities, understanding risk and securing buy-in is an integral part of our day-to-day, so collaborating with various departments to define and document your data policies will be essential in creating a culture of security at your firm.

2. Privacy as a default setting.
Translation: Privacy is the expectation.

This simply means users expect their data to be protected and respected by all parties. Whether you’re a social media outlet collecting hundreds of thousands of data points or a consulting firm collecting an email for a newsletter subscription, users assume that their data is being securely stored and any sharing or usage of that data is permitted only if they’ve given clear consent for you to do so. Of course, firms with a culture of security have policies in place to keep it that way.

Therefore, marketers need to be conscious of what data they are collecting on their users and how it’s being used. If you are not properly protecting and controlling the data you collect, you lose the trust of your audiences and access to that data, which can lead to tremendous brand equity fallout (see Facebook example above).

3. Privacy embedded in design.
Translation: Don’t let privacy be an afterthought when creating new assets.

This principle most closely reminds me of the surge of responsive design. Similar to how mobile screens are now an inherent consideration when designing digital experiences, privacy-first thought should be an integrated aspect of any digital marketing initiative.

Consent collection, forms and subscription centers should never seem like last-minute add-ons; instead, they should be clearly aligned with the experience. For instance, your brand guidelines and content style should be taken into consideration and inform the language you use to request consent when collecting data. 

When you’re designing, building and introducing new apps and sites, make sure your internal and partner teams are thinking about privacy from kickoff to launch by embedding it throughout each phase, role and deliverable. The key to this principle is layering on privacy considerations as you create great work - thinking through its UX, design and branding - rather than curating privacy-focused content and experiences in a vacuum.

4. Full functionality.
Translation: Privacy-first isn’t an excuse to create mediocre work.

To me, this principle is really about embracing privacy as an opportunity, not an obstacle. Great campaigns, content, strategy, design and UX are important ways to engage and delight your most important audiences, but layering those marketing initiatives with privacy-first thinking creates an umbrella of trust between you and your user. Delight combined with trust can help your firm develop rich relationships with its users, which is always the marketer’s end goal.  

5. End-to-end security.
Translation: Users are protected at every touchpoint.

Having a process in place (see Principle 1) lends itself heavily to creating end-to-end security for your users. It’s essential to document the process of your data flow as well as the tools you’re using to understand how to protect that data. You and your technology team may have to work together to audit your marketing tools, where/how your marketing lists are stored, how your data flows and the ways in which you use it to confirm the protection of any personal data you’ve collected.

It may be useful to hire third parties to help with this process initially, but once the system is in place, it will be easier for you to evaluate new marketing tools and vendors as your marketing ecosystem undoubtedly evolves.

6. Visibility and transparency.
Translation: Communicate your policy.

This principle is most easily understood by marketers because communication is our thing. Privacy by design is all about an integrated approach to user data privacy, and a key to any integrated process is the proper internal dissemination and training about it.  Earning buy-in from your employees on those privacy policies will make your IT teams happy and make it easier to follow through with those processes.

Of course, it’s also important to communicate to your external audiences about how you protect and use their data. Incorporating clear consent language and requests on forms and establishing an accessible privacy policy page are easy ways to articulate your privacy plans.  

7. Respect for user privacy.
Translation: As the data isn’t yours, be sure to treat it with care.

Above all else, Privacy by Design needs champions to own and spread the message of the importance of maintaining user privacy throughout the firm. There is a reason GDPR passed in the EU, that legislation continues to pass, and that privacy has become so important in the past year to users.

It stems from the belief that the data we collect does not belong to us. At the end of the day, the most important tenet of Privacy by Design is that personal information is owned by its user, and gatekeepers of this data are charged with respecting that boundary. Keeping this in mind will undoubtedly shape your marketing initiatives for the better.


Transparency of use, high security standards and user experience considerations are necessary to cultivating privacy-first digital. Even though these regulations and cultural shifts are in the early stages, they can be intimidating to take on as a marketer.

But with change comes opportunity. I think marketers can create extraordinary digital experiences even as these data standards continue to evolve because earning and cultivating trust among users is a powerful opportunity in and of itself. By putting the work in and embracing Privacy by Design, your brand, your business and your users will thank you.



At the time of publishing, Olivia was a Marketing Coordinator at One North.
