Good afternoon, everyone, and welcome to our session on enhancing retail trust and loyalty through data privacy. I'm Christina Estamos, a Senior Manager here in our cybersecurity consulting practice at EY Canada, and I'm focused on all things privacy and data trust. I'll be your moderator for today's session. I'm joined today by my colleagues, Karamja Baines, Partner at EY Canada and E-commerce Leader, and Carlos Chaleco, Partner at EY Canada and Private Cybersecurity and Privacy Leader.
I'll ask our panelists to introduce themselves in a brief moment, but before we get there, I'll quickly go over our agenda for today.
First, we'll start with an overview of the retail sector of today and tomorrow and discuss how privacy is increasingly becoming a business imperative. Next, we'll discuss establishing trust with your customers from the first interaction and, of course, maintaining that throughout the client relationship. And then we'll get our panelists' thoughts on how you can gain a better understanding of your data ecosystem to better govern it and use it,
followed by a discussion on adopting a collaborative, holistic and flexible approach to privacy. And finally, we'll end up with some audience Q&A. So a couple of housekeeping items to cover before we jump right in. The session will be recorded and available on replay. You'll be receiving an e-mail within the next couple of days to access the recording. And of course, you may share it with colleagues who might not have been able to attend live today.
So now please join me in welcoming our esteemed panelists. I'll ask you both to briefly introduce yourselves. Why don't we start with KJ?
Thanks, Christina, and hi everyone. Nice to be with you all today. Like Christina said, I'm KJ, Partner at Ernst and Young, and I am part of our business consulting customer transformation practice. And really my passion and my focus is helping organizations drive their business through better customer engagement and primarily ecommerce and digital. Of course, data is a key and central
part of that. My experience prior to EY is in retail for a number of years in e-commerce, digital and strategy.
Thanks, Christina. Carlos,
Thank you, KJ, and thank you, Christina, for this, and happy belated Privacy Day to everyone. I have to say maybe happy Privacy Week. My name is Carlos Chalica. I'm a partner with EY, as Christina was explaining. I have been with the firm for
a little bit more than 23 years. It's been a while. Sixteen of those in Mexico, 7 in Canada, always doing cybersecurity. And I have to say that one of my passions, if not my deepest passion, is precisely privacy. In addition to working for EY, I am an instructor for the University of Toronto School of Continuing Studies teaching cybersecurity and privacy as well, and an active member of different organizations related to cybersecurity and privacy. In my free time, I love riding my bike, not in winter, I have to say, petting my dog, and I occasionally play drums at a hidden bar.
I'm very excited to be here with these stars in our forum. Thank you. Thank you so much both for those intros. So let's get right into it. Why don't we start with you, KJ, would love to get your thoughts based on your experience that you've shared about the retail sector of today. And perhaps more importantly, how are we seeing business imperatives change with evolving customer priorities and expectations? And how is that shaping the retail sector of tomorrow?
Yeah, I'll talk about three things. First, consumer trends. Key trends within retail in response to those trends. And then finally, the importance of really data and setting up the stage for our privacy discussion. So let's start talking about first our consumers.
We know this is not a big surprise. Consumers and customers expect to be able to do things the way they want, when they want, how they want. They expect personalization, convenience and engagement from the experiences that they're spending time in.
And it's now easier than ever to create those types of new experiences thanks to digital.
And in retail, the key fundamental trends we're seeing against this backdrop are really four that I'm going to name. First is unified commerce. This idea of
commerce the way customers want and essentially frictionless shopping experience.
Hyper personalization, anticipating and really creating the right journey for your customers.
Experiential retail, specifically for the retail sector. Immersive experiences that really bring that in person
experience to life. And lastly, sustainability, transparency and traceability of impact. And like I said, all of this is being driven by digital, and digital is no longer supplemental. It's really a core part of the experience, whether it's ecommerce, mobile search or social media.
So what this means for organizations is now more than ever they need to be very customer centric.
They need to be hyper experiential focused.
They need to be agile and really be experimenting with building new experiences to see what works and what doesn't work.
They need to have the right technology platform, systems and integrations that allow them to deliver those experiences all at a lower cost of ownership. And lastly, probably the crux of the conversation today, is data: crucial to understand what customers are doing, how they're behaving, how the business is performing, and all of that powers everything that we have just discussed. So my last point is around data specifically, and let's talk about the importance of privacy. And I think this will be a good segue,
Christina, to the conversation: as availability and accessibility of digital is growing, trust in technology and its use of personal data is not so much. We're seeing no significant change in consumers' willingness to share data. They remain wary, and more than half of the consumers in our Future Consumer Index survey are really concerned about ID theft, fraud, security breaches and about companies selling their personal information to third parties. So it really comes down to weighing the benefits
of sharing the data with companies against the risk and value that they receive in exchange. Christina,
I think you laid that quite beautifully so that we can just transition to Carlos. But before Carlos, I ask you a question just to kind of play back some of the things you were mentioning, KJ. So this idea of, of course, consumers want those personalized experiences, they want those relevant experiences, they want convenient experiences. So there are certain expectations around data use for those benefits on the consumer side, but there's
also a hesitancy on the side of data sharing based on some certain level of apprehension around the different technologies that may be used to provide these services. So then a question for you, Carlos, then becomes as privacy teams within these organizations work to try to, you know, be part of shaping those experiences and
wanting to deliver those in a way that satisfies the customer's expectations on those experiences, but also makes them feel safe that their data is being used in a way that is being safeguarded, of course. And I think another second point that sometimes gets overlooked is using it in a way that is transparent and that is in line with how they have consented that the organization use it and also using it in a way that is
in line with what could be disclosed, for example, in privacy notices. Thoughts, Carlos?
many Grace, thank you. And uh, I, I, I definitely agree on what KJ was explaining on how retail companies are now focusing their attention and customers and they are trying to make it better for them from the experience perspective. But I think that the first call to action for organizations is to recognize that in doing so, it is not only using personal information in any way or any capacity. There's regulations that we have to follow in different countries, and Canada is not an exception to that, that basically say
that we can use personal information for different purposes. If the owner of that personal information is OK with that, and the owner of personal information is every single one of us, that they're sharing personal information with different organizations for different purposes. So those organizations need to be aware of properly communicating to individuals the purposes they are going to be following. And individuals need to consent or demonstrate that they are OK with that through the proper mechanisms depending on the different regulations they have, the company has to be following.
And if that is happening, then that is perfectly fine. So I think I will round up the response, Chris, just calling a couple of concepts that I think are relevant and we need to keep in mind all the time. The first one of them is by design. And I am saying only by design and not privacy by design because I think that we need to know what's the outcome that we need to get from these relationships we are having with customers. If we think of privacy by design, that's amazing because that means that we are going to be incorporating privacy from day one, since the very moment we are designing a new process or
a new system. But I think that we need to escalate that up. And I need to say that we need to call that trust by design because that's the outcome that we want to have. We want to generate trust or we want to preserve trust. So how is it that these transformations are working in order to help customers and every single person that will have their personal information touched by processes in a way that will help them trust that organization that is doing so? Because as KJ was saying before, this is something that is going on decline and we will be exploring that a little bit more later.
So, so the first element is, is by design approach. I, I remember there's one of our clients that we are working with that made me feel and that worked in very proud because she was in a meeting and she was saying, I understand that we need to go through different engagements that are touching data. Where I want to say, and I want to be very vocal about that is that I don't want to see any data related engagement that has no cyber security or privacy embedded on that. And we said wow, because that's the type of posture that you are expecting from a decision maker and an executive that is setting the example
on how things need to be done. So that's the first piece I wanted to go through Grace and the second one is collaboration.
It is it is impossible for one single
business unit, privacy included, to do everything within an organization. Protecting personal information for any individual customers or employees is something that everyone needs to partner with the different business units in order to make it work. And the privacy office needs to pay attention to what marketing needs, to what the analytics team needs, to what every single person needs in order to properly orchestrate everything. So that the experience that we are offering to customers or employees, depending on what we are doing,
is something that is just going in the right direction, delivering what has to be delivered. While at the same time we are doing two things: number one, protecting personal information the way we have to, and number two, we are providing to every single individual the mechanisms they need in order to exercise their privacy rights whenever they want to do that. That's what I think we need to do. Implement by design approach, number one. And number two, look for that collaboration.
Thank you, Carlos. That's just very well said.
One of the things I do want to double little deeper into about you mentioned is the concept of trust, right? OK, you also mentioned it, you know, a bit earlier during this webinar and so touching on that trust, right? We know that trust is the foundation of all relationships. It's no different here in the retail sector. And I think with all relationships, first impressions are super important, right? Of course, it's about building and you hopefully want to build that throughout a very long lasting relationship, but you only have one
opportunity to make that first impression. So why don't we start with your perspective, KJ? How important is that from the purchasing standpoint when you have a prospective customer going and wanting to make a transaction, especially in a digital experience? How important is that building that trust from that
first impression?
Yeah, it's critical. Actually, I think let's talk about this idea of trust. So I'll talk about two things. First, why it's important,
especially for retailers and consumer product companies. And then to your point, how do you begin to establish that trust? So let's talk about the first point, the importance of it. We know from our latest Future Consumer Index survey, the level of trust consumers have in many companies, including retailers, has fallen.
And we know consumers and customers are more likely to buy from organizations and retailers they trust.
The challenge for retailers is they are in a position where consumers are interacting with them on a much more regular basis than other organizations, which creates an opportunity to build trust or, to your point, a risk of damaging it.
So what does trust entail? That trust, you know, can be across the entire customer experience from being aware of your brand, your product, your promotion, experiencing your product, touching it, feeling it, realizing the quality and value of it, the traceability of it, where it's sourced from, trusting the price and the promotion and trusting in the service that you're providing your customers, even when it's after they've made that purchase.
So it's really important for especially a retailer that has these constant touch points with their consumers and customers to establish trust throughout the journey. So let's talk about
the second part, which is, well, what does it take to start to build that trust? There's really 5 sort of key components. The first is transparency. You know, be upfront specifically about the data you collect, how you use it. Make it easy for your customer to understand what is it that you're collecting and what you're doing with it.
Give your customers control. Give them control over data. Make it easy for them to access it, update it, change it, delete it.
Show them the value. What is the value that you're giving them
by collecting their data? How your personalized experiences, improving your services, make customers feel like their data is being used for their benefit and not just for your own benefit.
Align with your values. Show them what your values are and how you collect data and use data aligns with your values and aligns with your customers' values. And lastly, it's about data security: invest in data security to protect your customers' data. And not only do that, but also communicate that to your customers. Tell them how you're investing in protection and privacy and what you're doing about it. So you really want to provide
control, show the value, be ethical, establish security, being transparent about the things you're doing to your customers and with their data. Christina,
thank you so much for that, KJ. And I think let's dive into it directly, Carlos, to get your opinion on this topic. And you did mention things about transparency, about understanding that you're making sure that your customers understand what data you're collecting, why and more specifically, how does that tie in with the service that they're purchasing? And I think that's a key challenge that we're seeing our customers struggle with is, you know, we want to give all the information,
but we want to give the information in a way that is easily digestible in the sense that as they're interacting with our business, as they're purchasing, as they're logging into their account or as they're just browsing, perhaps we're giving them that information in a way that it makes it really clear and it's simply articulated. So then, Carlos, how can privacy teams support their organization, facilitating that type of transparency and communication? Thank you, Chris. And you know that I can become very passionate about this
particular topic. There's many reasons why I love privacy and one of them is the philosophical concept of things and the connection to trust and ethics and all of that. So you have heard me, I'm going to say you, I am talking to the people attending this session. Many, maybe some of you have already heard me say that we are experiencing globally a decline of trust. And this is something that we have called many, many times that is supported by a report prepared by a company called Edelman Communications. The Edelman Trust Barometer since 25 years ago is measuring that and they pay attention
to how trust is
increasing or decreasing for four different types of companies: businesses or corporations, governments or NGOs. Governments, excuse me, NGOs and media. And sadly what we have started to see since 2021 is a constant decline of trust. Right now, if you go and download this report, it's completely available and it's free, you will see that the only one of these four different types of organizations that is still preserving some trust from people is precisely businesses.
What does that mean? We will go to that in a second. But before going there, I want to connect that to another report, another study that I have mentioned as well in other forums. There is our Megatrends report. This is a study we do every single year at EY. And I want to call specifically the one from 2021 because that study was focused on Gen Z, Generation Z, just to understand what this generation was expecting from companies after COVID. And the reason why we went to Generation Z is because this is the youngest generation joining the workforce right now. So they are going to be the ones
leading the way in the years to come, and the summary of their expectation was: we expect companies to be kind and think human. So if we think
from that angle and we'll align the conclusion that Generation Z is bringing to our attention versus that decline of trust, we are facing a significant challenge. But the good news here is that corporations are having a great opportunity to help break this cycle of distrust and restore the cycle of trust. And we think that it is not only an opportunity, but our responsibility. Considering all the things that KJ was explaining, yes, of course there's this need of being highly customized when it comes to customer interaction from the retail perspective.
But we need transparency as well. And we need organizations, as Generation Z said very wisely, to be kind and think human. And in order to do so and in order to be transparent and in order to show how is it that we do things, we can use privacy as that tool that will help us do that. There's privacy notices that we need to use when we are explaining to the customers how is it that we are going to be using their personal information. We need to make them clear and easy to read. In some cases, we have seen fantastic examples made by organizations that are making them
even fun. There's a large toy manufacturer that decided to use their own characters to have very funny videos where the characters are explaining in a very simple way what it is that they are going to be doing with personal information. And knowing that the audience that may be seeing these videos, watching these videos, is these kids mainly, when they are going to start the privacy notice in video, they said, hey, wait a second, buddy, we need to get to your parent so that your parent can have a look at what we are going to say. So find
creative ways, funny ways, attractive ways that can help people understand how you are going to be using that personal information. Now beyond that, it is not only saying how personal information is going to be used; it is respecting that. If we say we are going to be using personal information for A, B and C, which can include of course making these hyper customization for customers, that's fine. Let's just say what we are going to be doing. Let's just say which data we are going to be using. Let's just give people the opportunity of talking to someone if they have a
question to make, question to ask, if there's anything that they want to post to so that this can go in a harmonic way, increasing the trust that customers will have. So that's how I think privacy can help on this capacity, just being transparent, being clear on how personal information is going to be used. And then
facing inside the organization, being the orchestrator within the company to help the company bring together all the different factors that are necessary in order to define a privacy program that is going to help the organization preserve those actions that were committed in the privacy notice so that we can create, excuse me, or preserve trust with the customers that we are interacting with.
Sorry, I think I became very passionate, but that's how you made me talk about that topic. So thanks, Chris. Thanks, Carlos. And we love the passion and I love the example that you mentioned because I think it leads us beautifully into our next question. And maybe get a little tactical. So I think one of the key things that resonated with me in the example that you provided is that the format that was provided for the privacy notice was very much aligned and integrated with the product and service offering of the organization.
And so Privacy Notice was part of that experience. And I think a question I'd love your thoughts on KJ is that as we're using different types of technologies to provide those experiences. So technology being that vehicle to facilitate that those experiences and that the outcomes that you mentioned around hyper personalization, convenient shopping experience, friction, frictionless, excuse me, big word experience. And so from that perspective, how important
is, you know, making the investments in the right technology that can support those experiences and also in a way that
it integrates those privacy touch points that Carlos mentioned?
Yeah. And, and, and I think there's there's a couple of parts to it. First, the technology itself
and then number two is how it needs to come together both to align to the organization's goals and the customer experience objectives, right? So let's talk about the technology first. We talked about
a few areas, personalization and relevance. Hyper personalization. There's a slew of recommendation engines, dynamic content platforms, targeted marketing solutions, testing and experimentation.
There's seamless shopping experience. We're actually shifting to a world of unified commerce.
So that's the next evolution of Omni channel which is
customer at the middle and all of the customer's information is available regardless of channel, instantaneously and synchronized.
You have order management, inventory catalog,
in store solutions, unified commerce, point of sale solutions, clienteling, interactive digital displays and any digital solution really being mobile first.
This engagement and loyalties or loyalty platforms, customer relationship management, customer messaging platforms,
customer service, interactive chat bots, personalized support. And at the core of it, you start getting into things like data and analytics.
A data warehouse that's secure, single coherent view of the customer that sits on top of all of your data elements and data warehouse. And then you get analytical and data visualization tools that bring the insights around what the customer is doing and how you want to change and experiment with your experience.
And of course, there's data visibility, privacy control, and cyber security. So there's the technology components. And then there is, to your point, how do these need to be put together in a way that actually delivers your business objectives and meets your customer experience? And that's where the secret sauce really is. And it's really critical to think about
what experiences you're looking to build.
What are the business processes that need to go to supporting those experiences? What is the change that the organization needs to go through to deliver that experience, be it selling more or building a better privacy infrastructure as you do that, and then the technology and how those pieces need to come together. So we really take a view of start with your customer experience, the intended experience,
make privacy an integral part of that customer experience journey as we discussed, and then start to think about the business processes and technology you need to support that customer experience.
I love that thinking because it really places the customer at the centre, which is, you know, the main objective of privacy, but it's the main objective of the business also at the end of the day. So it kind of to me dispels some, you know, sometimes the bad rap we might get in privacy to say, oh, we want, it's a compliance function, it's complying with regulation. And of course it is that right. There are laws and regulations that we need to abide by and be good, you know, good corporate citizens. Of course, there's also the fact that the goal of privacy is very much
aligned with the goal of the business, which is at the end of the day to serve the customer.
And, and so touching on what you said in terms of adapting business processes, working to build technology that is in line with the experience you want to offer and tying that to something you mentioned earlier, Carlos, around, yes, of course we need to be transparent with the customers and we need to make commitments that are clear, that are transparent. But also that internally we need to have the right processes in place so that we can actually honor those commitments that it's not just a talk track, but it's actually what we do internally.
And so with that being said, Carlos, in your experience, what are some of the key players, getting a bit tactical for a moment, that need to be around that table when they are doing exactly what KJ alluded to earlier, thinking of the customer experience, then thinking of the technology and the business processes to support that?
That's a great question, Chris. There's different actors. I think that
the first message I want to deliver is privacy officers cannot play The Lone Ranger. That is not going to be working. That's impossible. And as I said before, it's not only defining a privacy policy, transforming that into a privacy notice and placing that in the website; it goes much far beyond that. I want to go back to the different studies the International Association of Privacy Professionals, the IAPP, prepares, and a concern that has been triggered by that report. That is the fact that privacy offices
are not necessarily having effective relationships with different actors within multiple organizations. And that's something that is happening not only within privacy, but in cyber as well. And that's precisely what we need to break. We need to break these silos and we need to identify the proper players that we need to be working with. That will be different depending on the type of processing we are executing and depending on the specific sector that we are working with. But to make it very particular for this audience here on retail, I am thinking as members of these groups
the product managers, the ones that are having the visibility of the different initiatives that will be run, and how is it that this is going to be collecting personal information. The marketing team, who is the one that is interested in understanding the customer and the behavior and how promotions are going to be managed. The ones that are championing data and how data is managed within the organization, how it is preserved. The ones that are in charge of the data lake and will be working with different and exciting tools in order to present different analysis to the company. The IT team,
which is providing the infrastructure that is going to be supporting all these different elements. The customer service team as well, that is going to be in touch with people and interacting with them to understand how they are feeling that the experience they are having is the one that they were expecting. The cybersecurity team of course, because they are going to be the ones providing the protection mechanisms that are necessary for the different activities that are going to be done. Of course, if the processes that are being executed by the company are still depending on paper, well, someone taking care of information in
that specific media needs to be involved as well. And privacy, of course, privacy is a player that needs to be involved on this. And the earlier we have all these different actors working together in these initiatives, the better and the more effective their support is going to be. As I said before, if companies have in their minds the idea of having trust as the ultimate goal, trust generation or trust preservation, the idea is how can we orchestrate every single member of this team so that we can develop a solution that in addition to generating the value we are expecting,
they can help us create trust or increase trust with the customers and the users that are going to be having access to this. That's how I see it, even
with this artificial intelligence transformation that we are going through and how companies are adopting multiple solutions that are using this technology. Of course we can have the idea of using fantastic AI solutions, but in the end these solutions will be dependent on data and a significant portion of this data is going to be personal information. So how is it that we are going to be properly protecting that so that these algorithms and these tools are doing what we are expecting and delivering the way we are expecting when at the same time
they are providing individuals with the level of protection we need to provide. So that's how I think we should be doing things, bringing everyone together and having this by design approach.
Absolutely. I think the examples that you were mentioning really talks about that trust by design, right? Having everyone at the table and early enough in the process that you know, the collaboration happens at a stage where there's no rework down the line, that it's really a collaborative approach, which ends up being the most efficient approach at the end of the day as well.
And I think some of the things you mentioned, Carlos, around the use of AI and technologies that will make it easier to access the data ecosystem or more quickly, more efficiently.
It brings me to, you know, talk about this idea of the data ecosystem and managing your data ecosystem and understanding what you have in order to be able to use it and use it well and use it in line with customer expectations and in honoring their privacy rights as we spoke about. So maybe let's start with yourself, KJ. Of course, we're talking about this idea of understanding the data ecosystem and it's often talked about as something that
is a very critical factor for success and in this digital age, especially when implementing technologies such as AI. So from your perspective, how would you describe really the value of that
insight into the data ecosystem? KJ and Chris, sorry for the interruption. Chris, just to let our audience know, if they want to ask anything, that's through the Q&A option in the Zoom, is that right?
Yes. OK, perfect. Just wanted to clarify that in case anyone is already thinking on asking questions. Absolutely. We'll get you. Of course, I will just hide when that when that comes to us. OK, sorry, back to you. Well, that's good. It's important. Yeah, please look forward to
answering your questions. So the the yeah, Christina, the this point around value and
how everything really starts with data. Carlos, to your point, ultimately the value comes from building better intelligence around your customer and your business
that's the way that you're going to find the insights and take actions
to drive better business outcomes and customer experiences. I mean, it's really that simple. And let's talk about what these insights can look like and how you can be set up to find these insights and take action.
Insights when you talk about a retail business can really be end to end. The more obvious ones that we have talked about here around customer experience. How do you change the customer experience? How to adapt and build new customer experience based on what the customer is or is not doing?
How do you drive customer acquisition and growth?
Are you going to find new customers at lower cost and drive retention and basket with the ones you have?
How do you optimize your marketing and your media spend across channels?
How do you plan better assortment and inventory? Where are you selling more of an item? Where are you selling less of an item across your retail footprint?
What promotions are working? When promotions should start? Should we be running fewer promotions later? How do we drive higher sell through at full margin? How do you drive margin improvement in the entire business?
How do you then feed all these insights into your procurement part of your business? How do you optimize procurement? And in fact, how do you optimize supply chain? What product is better suited to land at different parts of your retail business at different times of the year?
And it can even go into your physical real estate, you know, looking at optimizing your physical real estate footprint. What locations are driving more demand? What types of customers are shopping where and how is that shifting? The foundational element of all of these insights is data,
and it really comes down to having that high fidelity customer level data that will give your business the ability to find the right level of insights to take the next best action. And quite simply, the organizations that are able to do this better and faster
will outcompete competitors.
So really it starts with data and we really take a big focus around understanding where you are in that data journey.
What does your data readiness look like? What is that on their data maturity curve and what investments do you need to start making and what does the road map look like so that you have the right data
available and accessible and democratized so you can drive the insights and analysis out of it. So Christina, ultimately it's really about
data. Data is the plumbing and is the foundation of driving value in the business.
And that's it. That's great to give those examples. So I think it really brings to life some of these things that we're discussing. And when we hear things like data is the new oil and sayings like that, that we hear time and time again, I think you really spoke to it in a way that's very tangible. So I really appreciate you sharing that with us. And so then Carlos, with that in mind, I think the same thing can be said for privacy teams, right? It's also as important for the privacy teams that are
supporting their organization to have that same visibility over data, simply to be able to then right-size programs that are fit for purpose based on what the organization is actually doing with the data. What's the risk profile based on what those activities are and be able to be effective and know where to prioritize their efforts. What are your thoughts on that?
It's fundamental. As KJ was saying, data is the plumbing of an organization. And as you said as well, data is
seen by many people as a new oil. Now, as
incredible as it may sound
in my experience, I have seen companies that are doing pretty interesting things from the data perspective and stuff like that. But when it comes to understanding their data with detail, that's something they don't have. Let me tell you a quick story. When I was in Mexico, I was in the process of migrating to Canada and I was very excited. Of course, not only for the change and what the country represented. But in addition to that, as a privacy professional, in my head, privacy was much more mature in Canada
than in Mexico. That's what I was expecting. And I came to the country, I came to Canada, I started working with different organizations in the privacy space. And then at some point I remember, and it didn't happen just once, I remember going to organizations to execute privacy assessments and I remember asking different organizations, are you, like, in a position to say that you are compliant with regulation? And the answer was yes. OK, that's perfect. What makes you feel that you are compliant though? Because I have all these policies and procedures. OK, that's fantastic.
So let me have a look at your policies and procedures. They look great. They were beautifully written. I have two questions for you. The first one is, do you have a personal information inventory? And the response was, what? Yes, you know, a personal information inventory, a document that lets you know the personal information you have and perhaps how it flows across the organization. No, we don't. And may I know why? Well, it is not mandatory. There were many companies that responded like that. And I said, well, I will not go into that because we can have a conversation on
the relevance of that being mandatory or not, or the fact that it is mandatory or not. But beyond that, putting the legal requirement aside, how is it that you can be sure that you are properly protecting something that you don't know? You need to have the certainty that you know the personal information you have and you know how this personal information is being processed from end to end so that you can incorporate the proper protection mechanisms all over the place. If you don't have that element, it's hard to do. And as I said before, there's organizations that are still struggling with that challenge.
I'm not saying that it is simple, because it is not, but I am saying that there is something that you need to pay attention to. The challenge we have right now is that the complexity and the volume of information that many companies are processing is significant. And that makes it complicated for this to be properly documented and understood. But the good news is that there's many tools we can use in order for that to be done. It's not something that you need to do purely manually. Of course, if for whatever reason that's the path you want to follow, that's something you can do. But in addition to that, there's many vendors, many tools
outside that are offering solutions that can help you do this with certain level of automation or
with something that can be called full automation. So again, with that in mind, I think it is pretty important for the privacy office to partner with the different business units, to partner with IT, to partner with cybersecurity, to work all together in understanding how is it that personal information is flowing. Because if we don't have the capacity and if we don't have the possibility of understanding how this goes, it will be very complicated to protect this personal information. It is fundamental to understand what you process,
where you are processing it and the players that are involved. In the time we are living, there's many organizations that are outsourcing portions of their processes or their processing in its entirety to other entities. And when they interact with these third parties, they need to have the certainty that those third parties are offered, offering, excuse me, the protection mechanisms they need for the processing activities they are responsible for. You will not be able to do that if you don't have the full picture. So we need to build maps that go end to end that help you understand how is it that
personal information flows from one point to the other.
And I think this goes back to what we were discussing at the beginning around those initial interactions with the customers and those privacy notifications, right? So at the end of the day, you wanna make sure that when you're articulating what data you're collecting, how it's used, where it's stored. Also, people are also increasingly interested in where the data is stored. So when we look about the location and data residency, that's also a topic that people are thinking about a lot more. So it's really about
what you're talking the talk and you're, behind the scenes, also walking the walk, and making sure you have confidence in what you're including in your privacy notices, I think is a big aspect of it. One thing I wanted to delve a little deeper in, we kind of mentioned it a couple times throughout the session, where we spoke about taking a collaborative approach to privacy and really working together within the organization and making that part of the fabric of the organization and making it a shared mandate
across a lot of different groups in the organization. Rather than I think, Carlos, you used this expression earlier and I think I'm gonna steal it, that Lone Ranger privacy team, right? So with that in mind, would love to get your thoughts on the idea of responsible data stewardship. I think with privacy as privacy folks, sometimes we're faced with the challenge of really explaining this concept, right? Because it's again dispelling this idea of
preventing the use of data or limiting the use of data when it's really about using relevant data, using the right data, not having more than what you need and what someone would have consented to, right? So
I would love to, and I know like you mentioned, it's easier said than done, of course, but in your words, maybe how do you characterize that concept of responsible data stewardship and how can organizations take that from a concept to action?
Carlos? Oh, sorry, I thought it was for KJ. Yeah, I know you're still in the hot seat. Thank you. Thank you. Oh, thank you. Sorry for that. I was distracted with The Lone Ranger again. I think that it is important for organizations to start defining fundamental concepts. So what is it that ethics means for them? What is it that trust means for them? What are the specific characteristics they want to preserve in the way they process personal information and data in general? And what is it that they want to achieve as a result of that? If they have clarity on that, I think it will be easier to get
what they are expecting.
It is important as well to identify the multiple users they are going to be having on the multiple solutions they are managing so that when they go through testing, they can incorporate in testing the multiple scenarios and the multiple use cases they will be facing. To comment this, there's an example I want to share. There's a pretty interesting book that I am reading that is called Disease Data Ethics and it's pretty interesting. This is a book that has made me think
very intensely and which is something I appreciate. I don't remember the name of the author. I'll see if I can have it later. But at some point the author is talking about ethics in data management and data usage. And he's saying people need to pay attention to testing and need to avoid bias and need to incorporate again the multiple use cases and scenarios when this is happening. And then he goes with a situation that is real. He says, I am going to paint just an example. There's a large hotel chain in the United States that went recently
through a renovation. They work very intensely on this. And then when they were done, they were very proud of the changes they have made. And some of these changes were impacting the washrooms. So there was a conference in one of the multiple cities where these hotels are located and they had a lot of people attending this conference. So at one point there's a break
and then people go to the washroom and there's these two friends going to the washroom, one of them with dark skin, the other one with light skin. So they go and wash their hands. And when the dark skin guy is washing his hands, he puts his hand under the soap dispenser and there's no soap. And he tries again and there is no soap. And then his friend with lighter skin just put his hand under the soap dispenser and he gets the soap. And they say, oh. So the guy with the dark skin puts the hand again and no soap and the guy with the light skin put the hand,
then he gets the soap, and they start playing with the situation and they start making a video that they uploaded into YouTube and they said, is this soap dispenser being racist? And they started getting a lot of comments and stuff in social media. And the example or the analysis that the writer is making with this example is, soap dispensers have a light beam that is the one that have some reflection in the palm of your hand or in your hand when you are going to be getting soap. The thing is that darker skin
manages in a different way this reflection. But the thing is, if the testing team that was in charge of this soap dispenser was not able to think of the multiple types of skin of the users of the soap dispenser in order to do the proper testing in order to properly calibrate this device to dispense soap. If we are not able to pay attention to these small details, are we being able to pay attention to more complicated and more challenging issues when we are talking about artificial intelligence and these new tools? So again, thinking of defining an AI
governance model, thinking of defining concepts like ethics and trust in order to be in alignment with that when we are thinking of defining all these models is fundamental. If we don't have this guidance, the possibility of having issues in the proper scale, of course, like the one this company had with the soap dispensers, are going to be just there. So again, I think it's just involving the property members as early as possible in order to go to these elements and just go with leading practices and models that will help us define the proper AI
governance models, IT governance models, data governance models that will help you go in the right direction to get the results we are expecting.
I love that, the story you mentioned. And I think using those examples really brings what you're saying to life. So keep those coming. I love when you guys interject with those. So KJ, I have a question for you in terms of, related to what Carlos just mentioned around being a responsible data steward and working together to achieve that. And I think, I would love to hear from your perspective on the business side, how can the, what's an effective helpful privacy partner
look like for the business to be able to help them look out for some of those considerations that Carlos was mentioning that may not be immediately thought of, but so how can that actually be affected? What's an effective way to partner with your business from the business perspective? What advice would you have for privacy professionals and how to best work with your business?
Yeah, that's probably one of the most important things to be thought through. And I think of this, Christina, is sort of making a change happen within an organization. You talked about change in mindset, change in cultures, change in the way you're doing business.
That takes time and it takes deliberate effort. And I was part of making a large change around digital and ecommerce happen in an organization where it didn't exist. So there's, I think, 3 sort of key things that come to mind around effort that can help make that happen. First is education and awareness
and in particular around the value of privacy,
showcasing in simple business terms, the value to the business and the customer in making privacy a part of how business is done, providing practical guidance, resources to the teams, making impact assessments. We talked about this earlier, easy to understand in layman's terms, simple language, both for your business and the customers. And then training, educating and training the workforce
at different levels around what this is and why it's important. Number 2 is engaging with the business teams.
And this is really important. It's got to be hand in glove. Designated privacy champions within departments, providing on the ground support,
integrating privacy into daily operations, adopting a risk based approach, essentially prioritizing privacy efforts, making it part of the everyday work and thinking within business teams. And lastly, probably the most important is it starts with really executive leadership and alignment. So having an executive sponsor around privacy, integrating that into and making it part of corporate priority and initiatives.
And I think Carlos, you talked about this is really regularly reviewing and measuring progress. I'm a firm believer that if you're not measuring it, you're not managing it. So it's really got to be measured, reported and talked about at all levels, including leadership. So Christina, these are sort of some ways in my experience and how we think about driving sort of change within an organization and the culture of an organization.
I think that's very beautifully said. And I think the same way that, you know, on the consumer side, we see those attitudes evolve and change. And I think that same shift needs to be kind of mirrored within the organization to kind of say our mindset should meet where our customers' mindset is. So it's kind of like the flip side of the evolution we're seeing in the market and then mimicking that and really putting yourself in also your customer's shoes, right? How do you, how would you expect
your data to be used and how would you, what type of transparency would you like? What type of behaviors would you expect from the businesses that you interact with and just try to offer to your customers what you would expect as a customer yourself. So with that, I would love to get to some audience Q&A.
Yeah. So one of the questions we have here that I would love to get to is around the increased integration of technologies such as AI in retail, right. AI is kind of a big ticket item. So question we have here is, and I'm paraphrasing, so apologies for paraphrasing the question. So how should retailers keep in mind aligning their use of AI to on one hand, regulation and on the other
hand, consumer expectations around data protection? So maybe, Carlos, we'll start on your end with the regulatory aspect and then maybe KJ you can kind of complement that with the consumer expectation side.
Thank you, Chris. From the,
I will say purely compliance perspective, I think that something that is important is to understand what are the rules that are applicable for that company for their operations based on the jurisdictions where they operate, the jurisdictions where the individuals they are collecting personal information from reside. It is important to think and keep in mind that when it comes to artificial intelligence, we need to think of privacy, yes. But in addition to that we need to see if there's any other regulation that is applicable. There are some specific countries or jurisdictions where there's already artificial intelligence regulation in
ways that we need to pay attention to, in addition to privacy regulations, like in the case of the European Union and hopefully in the case of Canada, at some point it will happen. So number 1, identify the rules we have to be compliant with and then verify that in the development of the procedures and processes we are going to be following, we have controls in order to respond to every single one of those applications. Something that is available right now as well is standards and frameworks that can be followed. The
International Organization of Standards of the... Yeah, that's the right way to say it.
Organization has different standards to help people get leading practices in different fronts. 27000 is a family that has become very popular in security. 9000 has been very popular on the quality management side. Good news is that there's a new framework, a new standard that is called 42001 that was designed precisely to define an artificial intelligence management system that is going to be providing us with controls that will help us comply with multiple regulations.
So identifying a framework that we can follow to provide us with that guidance, identifying, clearly identifying the roles that we have to be following in order to be in alignment to that, it's going to be helping us with compliance. But of course, in addition to that, very quickly, I think that just having a clear idea on the path we want to go through to generate and preserve trust and to have our clients going through the level of customer experience that we want to take them through is something that we need to keep in mind when we are doing this as well.
Hope that helps. OK, anything else? Yeah, in addition to that, it's about making sure you understand how the AI is working, what data it is using, what data should it be using to run its algorithms and produce outputs that it's generating.
And Carlos, your point on frameworks is an important one because understanding this idea of confidence that you can have in the AI driven output. So this idea of confidence index around based data algorithms. How much of the output is hallucination versus real? We've seen examples in the market where AI output, unless it's within this framework of confidence and understanding the confidence around it can lead to bad unintended
outcomes. So there's frameworks out there. We have our own confidence index framework around the AI that you can deploy to just get a sense of
are we using the AI output? So we understand how the output's being created and do we understand how best to use it
Exactly. In the end, there's a principle that the responsible use of AI has, which is explainability. So I love what you said, KJ, because the model you are using for AI needs to be clear and you need to understand it because at some point you will need to explain that to your customers as well. So that's something we need to keep in mind.
Thank you, Chris. Thank you both. So I think I'm gonna take one of these other questions we have in the chat and kind of leverage that to ask each of you to deliver closing thoughts on related to this question because I think it sums up really well
a lot of what we discussed today. So we talked about trust by design. So if you know there's one thing you can each say in like 30 seconds,
elevator pitch around trust by design and implementing that in your customer interactions. What are some of the practices that you would recommend to adopt to really live and breathe that responsible data stewardship concept that we had talked about earlier?
And whoever wishes, whoever has an inspiration, I'll ask you to go first.
Maybe I'll go first. And then Carlos, I feel like you'll provide the more inspirational closing remarks. So just based on how well you've articulated your ideas here. But I think of, I'll leave you with this. Think about data and privacy related to that data as a way to deliver,
actually deliver better experience and build that trust with customer. So it's less of a liability. It's actually a point of differentiation. And we've talked about ways in which you can do that. And this will ultimately, we believe, drive better business outcomes. And really to do this is really about change. Change in your organization is not just about what that customer experience looks like, it's also about what your business experience around privacy looks like.
Carlos, thank you. So I will say just two things. The number one is we need a clear definition of what trust means for every single organization. They need to have clarity on that. And number 2, as in every significant engagement in a company, they need to find the right sponsor. Again, I want to go back to that example of that client of ours that we have where this lady, this executive said, I don't want any data related engagement to be executed if there is no privacy and cybersecurity defined for that. When you have this level of sponsorship
by someone with authority within a company to start permeating that down in the organization, everyone will start thinking, OK, I will not waste time on a data engagement if I have not paid attention to in this case, trust. How is it that I will explain that this project is going to be creating or preserving trust. What I want to say to summarize that is that it's a cultural transformation. We need to embed that in our minds so that we can start incorporating that as a very relevant component in every single engagement as we are delivering. So if we clearly define
what trust means for the organization and then we take that idea to the proper sponsor so that this sponsor can help us cascade down this across organization, the chances for it to be successful are significantly higher.
Thank you both for that. Yeah, that was great,
which I think brings us to the top of our hour. So I want to take the time first to thank our panelists today. Carlos and KJ, thank you both so much for sharing your insights. And of course, thank you so much to everyone who spent their time attending this session and providing your questions. We really appreciate it. Over here, you'll see some QR codes that can take you to some articles that we've published that are in line with some of the topics that we've discussed today. And I also would like to let everyone know
that they'll be receiving an e-mail within the coming days with a replay of the webinar and some contact information for our speakers in case you had some questions that we weren't able to address or something you might think of as you ponder on this over the course of the day and hopefully further along than that. So thank you everyone.