Data Privacy Webinar Series
Session 3: Getting in the Weeds: Risk Areas to Watch
Video Transcription
Hello, welcome. We will give it a moment for all of the attendees to pop in, but very glad you're here today for our Part 3 in the Data Privacy Webinar Series. And as you're coming in, we've had you do this before, but I think it's always just nice to know who we have since we don't get to see your lovely faces. So if you could just take a moment and tell us who you are in the chat, that would be fantastic. We're also going to have a formal poll in a moment to get an idea of what type of institution and what area within Advancement you're representing. So if you can go ahead, put your name in the chat, tell us what institution you're representing, and I'm going to go ahead and kick us off. So hi, everybody. Very happy to have you with us today for Part 3, Getting in the Weeds, Risk Areas to Watch. And I was thinking about, this is very apropos, I spent a lot of time this weekend weeding, and I was thinking, this is the kind of weeds I actually enjoy a lot more. No bug bites, hopefully, from our conversation today. But really excited to welcome back Mark Koenig, who joined us for Part 1 of our series, and as always, Elise Walnut, who's been with us through all three parts. They'll formally introduce themselves in a moment. I am Jenny Cook-Smith, and I lead our Case Insights Solutions team, and very happy to have you all. So as a reminder, this is Part 3, so if you have not listened to Part 1 and Part 2, you can still hang with us today, but we absolutely recommend going back and getting some of those foundational elements. As we envision this third part in this series, what we're really looking at is assessing gaps and thinking about what you need to do to protect your audience's privacy. And I'm really excited because we're really going to do this through the form of Mark and Elise really walking through a case study of how they assess these gaps at Oregon State. 
And I think, you know, one of the pieces that they'll talk about is how are you not just compliant but doing things in a way that's strategic. So you're really in for a treat today. And just a couple of housekeeping items before I pass things over to Mark and Elise. Please do use the chat to communicate with one another, to, you know, add any comments as we're going through, but if you have questions, and we really hope you do, these are the weeds after all, please do use the Q&A feature, and that way we'll make sure we flag your question, and we've got time at the end to make sure we address that. All right. I'll pass it over to my lovely co-host. Hi, everyone. I'm Elise Walnut. So I'm running the slides. I said it last time. So if I'm going too fast, it's my fault. We can back up at any time. So I run Agility Lab Consulting, and I have gotten to work with Mark at Oregon State University Foundation for about the past year and some change. So we'll go through our work on that front, but I spent most of my career in-house at various non-profits and started consulting to help organizations navigate some of the changes with respect to legislation and data privacy strategy. I'll pass it to Mark. And I'm Mark Koenig. I'm the Vice President for Technology and Chief Innovation Officer for the Oregon State University Foundation, a separate 501(c)(3) for the university that provides all of their support for fundraising and managing the endowment. I've been here for over 16, heading on 17 years now, and covering a range of items, especially in and around data and data privacy was a relatively, it wasn't new to me. I was aware of it. I just didn't realize how many layers there were to the onion. And where we're going with it. So I'm really excited to be here today to talk it through kind of where we were, and hopefully you guys can see the same thing. And if anything, you walk away realizing that data privacy is a concern of ours and we need to be addressing it. 
And we're going to launch the first poll. So, again, it's always just nice to have an idea of what types of institutions and where your role fits. And if you are a president or CEO of a foundation, you would mark the leader who oversees functional areas. And we really just combined alumni relations and annual giving, thinking of those of you that are doing broad based outreach. So you don't have to do both to mark that, but one or the other. So give us a moment and select what makes the most sense for your institution. And I am remembering that I think in this series we meant to add professional schools. So if you are at a professional school, we don't think of you as other, but we don't have the box today. So you can feel free to mark that. And you can see Christy sharing that. So it looks like we do have kind of a nice mix today. A lot of folks doing broad based outreach. So that's fantastic. A fair amount that are overseeing multiple functional areas. And I am always curious if you find yourself in other and either of those, let us know because we do want to make sure we've got the right choices. And again, a variety of institution types coming in, most from four year colleges and universities. Thanks so much. We will be coming back to you in a little bit with a poll, but I'm going to hand it over to Elise to get started. Okay, so we're going to get into the case study about Oregon State University Foundation in a few slides. But to kick things off, we included a few background slides to give you a sense of the three big risk areas we recommend you keeping your eyes on so that everybody has some applicable foundation to start with here. So really, the challenge that we're all up against is that we're facing the legislative mandate, which we've gone into in previous sessions. So like Jenny said, if you haven't watched those, we definitely recommend starting with webinar one so you have that background. 
But more than that, we're looking at the rise of consent based marketing, which is in line with how people are thinking about how their data is used and what they personally want to do about that. So that looks like them making choices in terms of opting into cookie usage, thinking about their right to ask organizations to delete their data, and all of the things that really compound that profile that's being framed of them online. So with that, there's risk to your organizations, but there's also opportunity if we do this well. So the goals, as we laid them out here, is really to get a firm sense of how you're meeting the moment, how you're addressing your risk tolerance, your financial operations, and your technology strategy to make sure that you're lining up with what audiences expect of you at the moment. And then using those findings to create efficiencies in process, in things like staff trainings, and really trying to stay ahead of the revenue impact of all of the changes that are happening at this moment. Because there will be some impacts in terms of if you can't communicate with people in the same ways that you have been, you need to adjust for those strategies. Which we believe that if you do that correctly, you're actually reaching people who care more, and those are going to be more productive audiences for you overall. This was a huge sell for me early on. When we went through GDPR, we realized that we had about 1,000 people in Europe, and after GDPR, we had 50. And getting the compliance piece in there, that scared the heck out of us. So this is a really important piece, too. Yeah, absolutely. So in all of this, we start first with your data in terms of how you're going to go about this. So we've laid out three risks and how you can see to mitigate these. And then, again, that'll kind of lend itself to how we address this with OSUF, excuse me. But the first one here is not knowing the data that you hold. 
So I included this stat here, which is that 90% of organizations, nonprofits specifically, say that they're collecting data, but 49% of them reported that they don't know how the data is being collected. So this is a really big risk for a lot of reasons, not necessarily related just to data privacy, but is going to become even more so with legislation changing. So when we're thinking about this, the actionable steps that you can take first to get started here are a few. So we start with reviewing and documenting your data. And I have a template that I can share with Jenny after this that helps walk people through the different sources that you might be thinking about. But you want to understand how you're ingesting data, either from your own use cases, staff, volunteers, website forms, et cetera, but also by way of third party transfer, which I think it's missed a lot in thinking about these pieces. So when you're having, I see a lot of organizations doing things like wealth scoring or validating prospects. So when you're getting that data back, all the fields that you're getting count as data that you are holding and that you're therefore responsible for. This is an area that it's not just an advancement services, but it's also your security posture. Think of all of the, I mean, I think many of us went through the TIA data breach last year. It wasn't even TIA, it was a company that partnered with them, then their company that they bought the information from, and then another company. So that well goes back pretty far and you've got to have a good understanding of how they're using that data. That's a challenge, I think, for many of us right now. Absolutely. Yeah. And I think data security and data privacy overlap in a lot of ways that are important. And then the way that they don't necessarily overlap, but that you have to pay specific attention to is this next one, which is knowing what qualifies as sensitive data. So personally identifiable information. 
And there are specific obligations that you have around those fields. So we've talked about it in, I think, the webinar with Jen, but really having a sense of the business case behind why you're ingesting certain data is really important right now because some things you have different protocols attached to them. So you want to audit with those things in mind. And then last is who has access to the data that you hold and why. So you're thinking about staff at this point. You're thinking also about tools and third parties that have access to that data. So when we're looking at technology vendors like Facebook, like Google, if you're using Google Analytics on your site, they have access to your organization's data. And it's your responsibility to disclose that they have that access. So you're thinking through all of the points of which you're knowing the actual data that you're responsible for here. And it also causes us, I think we've not necessarily been great stewards of the data and working with our vendor partners. For example, understanding that they delete the data after a contract was done, or are they using your data to do aggregate information and providing that? These are areas that we're just going to have to get in front of and really understand better. So it's not just change for us, but it's also change for our vendor partners as well. Yeah, absolutely. And the only other thing I'd add here to your point, Mark, is with the rise of AI and so many technology companies being incentivized to train their own AI models, you need to be really thoughtful about how this information is leaving your hands and to whom it's going. OK, so the next one, risk two, is not reviewing and disclosing the data that you have. So as a level set, the two obligations that you have in providing consent-based marketing are to provide choice before you collect data. So that has to show up by way of disclosures in your privacy policy and through your cookie opt-in banner. 
So two obligations there. And the second one here is providing opportunities for opt-out after data collection. So you're essentially allowing people to opt in, consent, and you're also allowing them to opt out at any time. So that has to be present at any moment in their journey. So to get started here, the first place I always start is reviewing your privacy policy. So this, I think, goes a lot of different ways. Like we talked about with Jen last time, some of it's dependent on what your legal structure looks like and what support you have in-house versus via external counsel. But you want to look at your privacy policy from the eyes of an audience member being able to easily understand what you're doing with their data. So we don't expect that audiences are going to wholesale change all their behaviors and everyone's going to suddenly check the privacy policies of every website they visit. But if they wanted to, would they understand what it is that you are doing? And to Mark's point just a second ago, what your third parties are doing with your data. So that has to all be represented. So that changes the risk calculus a little bit. And in my experience, in terms of, like I mentioned, Google Analytics, we have this suite of free tools at our disposal in certain respects. But we also have risks attached to those tools now because the obligation to disclose is on your organization. And to make this more complicated, as we've talked about in previous sessions, you've got multiple laws that you may have to address and represent in your privacy statement. And I've seen several institutions already move to that. There's a category for California. There's a category for Colorado. Maybe one for Oregon. But this is the level of detail we're having to get into these. And so the old, hey, let's just copy theirs and we'll just put the same thing up, isn't working. That won't work for you anymore. Yeah, absolutely. 
And there's a lot that's dependent on your organization size and so on. So definitely worth noting there. The next, we already made the point about the business case for the data fields you're collecting. But just to reiterate that one, you want to make sure that you can protect the data that you're ingesting in the ways that are mandated. So with some sensitive demographic information that you're collecting, you have obligations to recollect consent to keep it on file. So if there are certain fields related to race or ethnicity or sexual orientation that you are ingesting for whatever reasons, you want to make sure that your business case for that is really sound because that's all risk that you're taking on. So if nobody's going to use that data, don't collect it, is my advice. And also in thinking about the audience member, if you can't protect it, you shouldn't have it. And then last here is what disclosures and opt-in opportunities are present when you collect a person's data. So this goes back to the privacy policy and your cookie opt-ins, but you need to make sure that each time you're asking somebody to fill out a form, they don't have to navigate back to the privacy policy manually. They have an easy link to get there, or they have the brief summary of what's going to happen with their data after they sign on to disclose that. I'm still amazed how many companies, and this isn't just non-profits, how many companies still don't have an unsubscribe button on their emails sometimes. It is amazing. A lot of times you need to check your, maybe your colleges and units are sending it out and don't have the same protocols that you want to make sure that they have. So it's not just sometimes it's not just your department's emails, but it could be others that are sending emails on your behalf. Yeah. Yeah. 
And we'll get into it in the section to come, but one of the things too that I think is really useful in the Oregon State University approach was the idea of providing choice and preference, which is something that Mark's team is working on now. But asking people to opt in doesn't necessarily mean they're going to opt out. It can mean they will tell you how they want to be communicated with. And if you can provide the technology and the platform to allow for that conversation, it can be really helpful to your engagement levels. Yeah. Just having the yes, no answer isn't always the best. You want to give them some options. We'll talk more about that. Okay. And then the last risk we have in this intro section is not understanding how you share the data you hold. And so I included this meme here, which is the user privacy being lit on fire by Spongebob. And his user privacy is being represented by Google and Facebook here. So that's being lighthearted about it, but it is a real thing that's happening right now. We're seeing it every day. Just to mention recent news, Google's decision to take back their mandate that they were going to deprecate third-party cookies really just means that they are going to continue making choices that allow them to ingest as much audience data as possible. So just to reiterate that, if you're using Google Analytics, that data is owned by Google. It's in their terms. It needs to be in your terms if you're using that. And all of that Google Analytics data feeds Google Ads, their paid search ads. So a lot of big tech companies are not necessarily going to be incentivized to create the type of transparency that is mandated. So we really can't rely on these groups to be the model for how we proceed. So we need to understand regularly what our partners are doing with data. And when it comes to technology companies, those terms are changing very frequently. 
So that requires some rigor on your end to have some internal stakeholder groups, like we talked about with Jen, ready to review those terms and make sure that they fit, not just the legal mandate, but your brand standards in terms of how you wanna communicate with people. There was a really neat Apple commercial I just saw this past weekend watching the Olympics, where they have this woman sitting on her couch and then all of a sudden this bird flies over and perches next to her, but it's not a bird, it's a camera. And it's watching everything she does on her phone as she's sitting there and then has all these blocks of camera birds flying. It is spot on. And I think Apple is taking a different approach to this and actually kind of locking some stuff down that we used to have opportunities to have access to. So it'll be interesting to see how these companies continue to play in the market. Yes, absolutely. Yeah, and that I know we're mostly chatting with advancement professionals today, but this does impact probably your friends in admissions as well who are dealing with advertising from or with these companies. The changes that Apple is making have a trickle down impact on all of these advertising platforms who are financially incentivized to create their own kind of walled gardens here. So keep some clear eyes ahead on the motivations of the companies that you're dealing with. And that extends to all of your third parties. So the second point here is really knowing what your brand standards are for what your partners can and can't do with your audience's data. So beyond chatting with your legal team, this really does have to do with marketing, brand integrity, fundraising, et cetera. 
That's why everyone needs to be involved at the table because if something goes awry and you're suddenly in the news or you lose a really big major donor gift, whatever it could look like, you wanna make sure that you're thinking proactively about what your standards are so you're not caught in the fire if something does happen. And then last, and this is what Mark's gonna talk about is the technology setup to carry forward a person's opt-out. So having your preference center in line, but also making sure that if a person opts out of having their cookies tracked, is your tech stack set up to log that preference and carry it through? What does it look like if they are on your site and they've cleared their cookies recently? All of those things are test cases that you wanna think about when you are assessing the data that you're holding. So I'm, oh, we have a poll first. Um, so the question here is, what's your biggest question or concern related to data privacy? So the answer can be as long or as short as you want within 500 characters. I'll give you a second to fill that out. See how fast you can type. And maybe while we're waiting on folks to enter an answer, maybe this is a good time just to address a question that came in, which is someone that said they're a researcher, fairly new to the field, but really curious how gift officers introduce or don't introduce the disclaimer that they will use the information obtained in a conversation with a prospect for fundraising purposes. And I just wanna capture the expression on your face right now, Mark. I can tell you've got feelings. Yeah, it's a tough one. I know that's immediately, can I call this person? And we've had similar consternations amongst our fundraising staff in our organization. Right now, we are still learning, as you'll hear in a second, about what the law entails, what it doesn't entail. You know, a lot of it's around mass communications, maybe not one-offs. 
You know, again, we're struggling with that. However, we have done some things, think of it in a different way. So for example, we have a product, in-house product called Scout, and it basically pushes notifications to anyone in a managed portfolio. So if they have a birth date, if they, you know, make a gift, they come into an event, all of that. It includes now, did they opt out of our communications? Because what we're finding is some of our largest donors are opting out of our communications and not realizing what they're opting out of. And it gets back to what Elise was saying, was how does all your communications connect? Do you have an opt-out feature? Is that the only feature you have is to opt in and opt out? And what does it mean? Do you mean you opt out of every single email? Because there are, and this has been a nice little trigger for our development officers to start to understand how this is working, why people are opting out, and then having an open communication with a managed major gift donor who might have just opted out of something unwittingly. Because we hear it too on the opposite end. Hey, I'm not getting event invites anymore. Why am I not getting these? Well, you opted out of them on this date with this email. And having that knowledge of who's doing what and when and where, and I'll talk about, that's the key to what we see as our success in managing this new law that's in front of us. Yeah, and so the only other thing I'd add to that is that the obligation to give people the ability to opt out has to happen online and offline. So if you're collecting email addresses at an event, or to I think this person's point, you're collecting information that could travel via conversation, you do have to give the person that notice and the option to opt out. 
So that doesn't mean that you can't talk to them about the benefits of opting in and making sure that they understand that they will have a positive impact or whatever it is that's going to transpire, but you do have to tell them. I think of it similar to in journalism when you're telling somebody, hey, this conversation is being recorded, you're on the record, it's akin to that. Well, and two, I mean, this is where the tie-in back to security, your contact reports, what we've been putting in contact reports. I know we talk about this a lot. There's very sensitive information you have in there. Are you actually managing and curating and making sure the development officers aren't putting things into these as much as, you know, again, it's the data we collect and sometimes we don't think of it as the right data because it's different data or it's coming through in a different way. Okay. And what I'll do so we can follow up with the group afterwards, we're having some technical difficulties on sharing the poll in a way that everybody can see it, but what I'll do is just note a few of the responses that we got. So concerns around how to retain limiting the opt-outs, which I think you're probably going to both speak to. Notes around DEI data that it's usually requested by stakeholders, but there hasn't been a clear business case from the top. So thinking about how we encourage that business case and we're looking at internal and external, thinking about processes in place to maintain and keep data up to date as preferences change. So a lot of things, I think, around some of those risk areas we've talked about, opt-in for texting for engagement call center, how to keep track of all the state standards. And we actually did talk about that a bit in the first session and Elise shared some resources on that as well. Type of organization really determines what's ethical, advisable, and required by law. So again, some of those pieces around there. 
A few folks saying email opt-outs, some concerns around retention, acquisition, et cetera. So makes sense. Again, I feel like a theme of this has been what are some of those elements that keep us up at night? And I think we're seeing some of those pieces there. So back to you two. All right. We're ready to talk about keeping us up at night. So the case study I'm gonna deliver today and Elise is gonna hop in as needed is really kind of how did we get started with this to kind of one, normalize it for you as well. I mean, this was not something that we just jumped in with a wealth of knowledge, although Elise did, I did not, about what to do, what we had. We didn't even know. We knew that there was a proposed legislation at one point. It was called Senate Bill 619. And it was running through the legislature. It didn't have a lot of visibility per se amongst the nonprofit community early on. When I finally got attention driven to it, it to me really worried me. As I mentioned before, we had been through GDPR. We followed the guidelines. We gave the, it was, yes, no, opt-in, not, and no one, we had very few opt-ins after that. It was 50 to from a thousand people. I took that same number of my managed pool and then said, okay, if I had that same percentage, oh my goodness, what are we gonna do here? And so early on, it was a search to learn as much as I could. There's resources in the previous sessions, the, I'm gonna butcher it, it's the IIAP, I believe, which is a website you can go to. You can see all the legislature underway. We recognize we got California, Colorado, ourselves, Massachusetts, all of them. There's about, I think we're somewhere close to about 30 different states now, either in some play of privacy legislation. And in addition, the Fed started one this past year, as in the previous session, Brian Flahaven mentioned that as well. So we may see a federal standard. So for me, I needed to address first and foremost, the Oregon law. 
However, I also recognize that with the changing landscape, I wanted to do something that maybe didn't just put us into compliance, but also positioned us as we were going to see more and more of this. Also, fundamentally for us, we are a trust organization. People donate their money into our endowment and they wanna make sure that we're using that endowment and we're doing the right things with their money. No different than they expect us to do the right things with their data. They don't want us to spam them. They don't want 400 emails from every single college and unit that has ever looked at us. That's something that we don't always think of. We've had the opportunity to frankly, shoot fish in a barrel for many years. Now that is changing on us. So how do we approach it in a new, meaningful way that also leaves us an exit strategy when more legislation comes in place? Okay, next slide. So ours, mentioned really briefly though, as a Senate bill, what became the OCPA, the Oregon Consumer Privacy Act is similar to GDPR. It does have some differences. The one that worried me the most initially was a $7,500 fine per infraction that anyone could go to the attorney general and just say, hey, they're a bad actor, charge them some money. Paraphrasing here, of course. Well, that's changed a little bit, but it's still there. And it's still, we're waiting to see how it is actually put into effect. With GDPR did it, it was like big fines, let's get Microsoft and Google on the hook. It wasn't looking at us as the direct agents of that. In fact, when they really wrote it early on, it included the board of trustees that was eligible for this fine, as well as anyone that hit the send button. That was obviously an interesting proposition. It has changed as we followed it, but the actual underlying $7,500 is still opportunity for us to have some money charged to us. Now think about, I often, I took the same idea with the percentage of people that might drop out. 
Well, think about the number of grumpy grams you may get at any time. You're probably going to get maybe a 0.5 of a percent. Just take that number, multiply that by 7,500 and you would change your tune real quick about how you want to address this or not. Because people will complain, they do it all the time. So, all right. So our approach is a little bit different. We wanted to really respect privacy legislation and understand that all of the industry changes that were coming. So we were starting to think about how do you maybe not create a, you know, giving everybody opt out, but actually having them opt in, sometimes called building a big tent or building a community around your mission and getting those people to want to join you. Not that they immediately just inherited these emails, perhaps from graduation, et cetera, but this really got them to let us know and raise their hand they wanted this information. That actually is more valuable to me than having a cold email in the list and I send them a hundred emails and they haven't done a single thing with a single one. So how do we change even the way we approach our marketing to get people to opt in? We really wanted to, we see privacy and preference as two sides of the same coin. I can provide privacy, but on the opposite flip side of that, you know, these are the things I want. So things I don't want, things I want. And giving the consumer the ability to control what they get from us is a hallmark of what we're trying to build right now. And some of that we'll talk a little bit about leaning on forward thinking tech to help us. For example, I've got at least 16 to 17 major colleges and units at Oregon State University. If you add up everything, there's probably 25 different groups sending emails every day about different things across the campus. If we think about what that algorithm would look like, I want this, but not that. I want this type of email, not that type of email. 
The equation quickly becomes much more than our analytics team would be able to pull up on the fly. Now, here's our list of people with all of these variables inter-cross-mixed and made sure that they're consistent across the board. We're leaning right now, we're working with an outside partner to help us build our own warehouse to store this information because again, it's not good enough to go to the attorney general and say, no, we opted them out. Chris Hunt did it back at this time. Chris is our favorite, our data person that she's been here for a long time. And she would normally just type in removed or opted out or something to that effect. It was very non-technical. There was no show or track to where it occurred from and who did it. So we have to provide that going forward. Otherwise, we're at risk because we don't know where it's coming from and we can't speak intelligently where it was from. Elise. Yeah, the thing that I was going to add about this set of standards, we were smithed to this place in working together, but when I met Mark, he already knew that he wanted to approach it in this way, which I think there was a question in the chat about how you think about your brand standards and who should be included. And I think that having that really firm cultural approach to respect was a huge through line of what made this work possible. So if you listen to the session with Jen, we talked a little bit about who should be included in those conversations in addition to legal, but really legal can give you the advice on where you're open to risk and what the possible business impact might be, but it is on the business owners to decide what the appetite for that is. So legislation only carries us so far. Preference is what will make somebody pick up the phone and ask questions or decide not to give or take action in some other way that you don't want. So I think to Mark's point, it's two very important factors here. 
And taking a step back, this is our threefold approach. This looks like we just came together and voila, we had this. Actually, it started again with me being very concerned about this, starting to pull in my colleagues from across the organization and actually looking for outside counsel as well, not just with our legal counsel, Stoel Rives, but also with someone that had expertise in privacy and the changes that were going there because yeah, you just need that double team there. Legal approaches things as legal should. And sometimes you need to have both voices in the room. Now, speaking to the voices in the room, you really want to have your marketing communications team represented. You really wanna have your tech team represented. You wanna make sure the data folks are there if they're a separate group. Is there a representative from the fundraisers there as questions come up from them? And so this really helped us to coalesce a group we call Team Privacy in-house. And Team Privacy took this on early on. So we had representatives from everywhere and Elise helped us facilitate these meetings with one of our own in-house individuals. And so this is how we started figuring out how we were even going to tackle this and what would be the stakes that we put into the ground and how are we gonna get this done? There was a lot of work involved. I will not say this is super easy, just add water and come back and it's there. Now you're gonna have to spend some time and effort and where we're gonna get into some of that in the weeds is really around your data. Where is it coming from? How are you using it? And I'll talk about that I'm sure in a second. So next slide. So what does it mean to respect legislation and industry changes? So back to my approach, I really wanted to do this in a way that didn't box me in. I don't wanna have to go back and revisit this. We will have to go back and revisit it at some point, obviously. 
But if I had a mechanism by which I had opportunities and options and I didn't play the game of snake and I boxed myself into a corner in this. So how do we do this in a way that allows us to have some flexibility as the laws change? So far for us, some of the big things we've managed to accomplish so far is we're working our privacy policy updates. And I will say at first, I thought this was gonna be easy. I thought we'd send it off to the legal and legal would sit here and spit out another privacy policy just like it's done in the past when we've done this. We got the list of, and we're still working through that list that's going to the legal this month to it's every point of data that we use, how we use it and why. And think about that in your systems. I mean, this is a call for data governance, let me say. However, I'm also not a fan of all the data governance because you can really spend a lot of time chasing your tail. However, this is all very important data and you need to get a hold of it. When I talk about strategic data management, the privacy pieces are super important to really get your hands on and understand how you have that data. It starts from a very simple first document that says this data is directory data, this is confidential, this is sensitive data, and ensuring you know where all of that data is, especially in the sensitive realm, that's social security numbers. Hopefully, you don't keep those anymore. Obviously, we got rid of ours long ago, but if you have to somehow get it for the tie back to the student or what, you know, your PCI compliance, all of these different things that you do, they kind of coalesce together into this body of work. And so it's really important that you have that figured out. And I'm not saying, real say, it's not easy, especially as you're trying to fly the plane as you're building it. The cookie consent banner planning. This one took us a while, but we finally got our cookie consent up. 
You can go to FortOregonState.org and take a look at it. It should pop up and ask for your consent. That's honestly what most sites have on these days anyway, so we were behind the times there. But you know, you may not have one either. So review of the data transfer protocols. Oh, this is the one that really worries me, and this is one that I think collectively as a group, especially the advancement services folks, we're going to have to really work with our vendors to make sure they understand the importance of data privacy and what we're asking of them. So if I'm saying this data point, you take this data point and what do you do to that data point and how do you give it back? Sometimes in their minds, that's their black box, super special sauce. They don't want to tell you. But we now have to know. It's not good enough to say it goes into a blender and it comes out over here and we don't really know where it comes from. So there's a lot of work left to be done working with our vendors. And through our partnership with Elise, we now have a survey that we not only send with our security, when anytime we have a new vendor come in, we have a security survey that they fill out. Now they have a privacy section within that survey. And there's questions in that privacy survey that really help us understand what their position is and how they're using that data. And we have a pilot out right now with three of our companies that use the most of our data. So I'm eager to see what the results are and how we continue to move that forward. It's not perfect, but it's a start and we've got to kind of get our feet moving forward on this. That's what I would recommend to you all today. It's not a matter of trying to come up with an ultimate plan and do all in plan. You've got to kind of just start getting started. So see where you're at today. And explicit consent form audit. So eventually for us, we really needed to get a handle on what our opt-outs were. 
We had hundreds of opt-outs and we still are managing and kind of consolidating and trying to put those into a format that ultimately will be our privacy and preference center. So that yes, no thing. However, boy, talk about opt-outs that were created for a variety of reasons. Some of them we don't even know anymore. There was no documentation. One of my favorites was in the very long past, 20 years ago, one of the things that development officers would do to not have anybody contact their prospect or potential prospect, they would just code them, do not contact. Well, that's not real. That really wasn't the intention of, I mean, I know in their case and what they're thinking, but we have a lot of records out there that are coded that they're old or, you know, how did we collect the information previously? I mean, we have certain levels of confidence and I love to, you know, take the, I think one of the things you can do is you pull this data together to look at, put a confidence rating, how confident you are of what those codes and categories mean. Think of the CASE AEM survey, the alumni engagement measurement survey. They had that confidence rating, use something like that as well, because that'll alert you that you may need to go back and figure out what that even was. Anything else? Go ahead. Oh, the only other thing I was going to add to this Mark was, I think this also speaks to the changing nature of state legislation. So in the original interpretation of SB 619 in Oregon, they were mandating that if you wanted to ask someone to join your list, you couldn't, you know, auto-check the checkbox when they fill out a form. You had to fully disclose what was going to happen. And you could only contact people who had authorized, yes, I say affirmatively, I want this. And that has changed since then. But I do think that that form audit is an important step of the process to Mark's point about having your hands around what you have and where. 
You'll want to know also what, as the law changes in its hypothetical state into the realm of implementation, a lot of these lawmakers don't actually, it's become clear, totally understand the business implications of what they're putting forward. So you'll want to, you want to gut check this as the law progresses into its. And thank you, because that, I had blocked that out of my memory because it was so frightening at one point. So just picture this in a world that you have to go back to every single record in your system and ask them to opt in. Take a deep breath. Think about that again. And ultimately that really was the thought that, okay, we have to get out in front of this. I'd rather us be an opt in type of organization than this other thing, because this is where we may be going anyway, even if we don't want to, if the legislation changes or however they approach. It's fairly, as you can imagine, apocalyptic a little bit when you think about your groups and you have to rebuild your groups after so long. But luckily that has passed and thank you for bringing that memory up. I'm going back to therapy now. All right, next slide. If you're sitting, if you're an attendee sitting in a blue state, you're, the law that eventually is put forward in your state will probably be more on the aggressive side. So that is something to watch there. So two components to respect preferences and privacy for us is adjusting our technical landscape. As I mentioned before, you immediately start thinking of the equation just if you have 16 or 20 colleges and units and how all of those email lists are going to be prepared and spit out. Now think about your systems. You may have at least five systems that send communications for you. What is their backbone like? Could they absorb if you come up with a privacy and preference model that is open and such and gives them choice, how does that new system absorb that data? And you may have to figure out what that rubric is. 
It's kind of like a decoder ring. We did a lot of work in the past when we were able to get political data around party affiliation, et cetera, in our districts that they may be in that we had to figure out what that is. It's the same idea here. You're going to have to figure out how do you provide that privacy and preference to them when the platform that you have may not have the capabilities of. So back to my commentary about working with our vendor partners. That's an area that I've started work with. I'm working with our marketing automation platform, even as of yesterday, talking to them about I'm going to build this. Can you support this? If not, I'm going to translate this information and provide it in a way that still works. And that's quite technical. Happy to talk offline, but we're looking at a new Azure warehouse and automated data, intelligent data layer that's going to help us sift through this and provide that. It's also going to store all of the opt-outs, the date and time and what communication that came from. And that's probably not something, hopefully you have it. Great. You don't have to worry about it, but if you don't, well, this is where you're going to have to start thinking. And then also at the same time, our communications and marketing team started to think about, well, how do we talk to our audiences different? What is the messaging to get someone to come into your fold is a little bit different than when you're just sending them emails, not paying attention to what they really are interested in or not. And so this is, and Elise, you can talk a little bit more about the approach here that explicit consent versus letting them just opt out of everything. So. 
Yeah, I think the approach that we moved forward with was that we'll know directly what people are telling us when they do things like opt out or opt into something specific, but we also need to be responsive to what people are indirectly telling us when they're doing things like not opening emails or not engaging. So when we adjust our segmentation strategies and prioritize some of the basics that some of you might know in terms of email deliverability, best practices, when we adjust for meeting audiences with what they're telling us indirectly through their behaviors, then we're likely to see more success anyway, rather than blasting out communications that go to everybody and then land in spam folders or just upset people. So there's the direct and indirect messaging that we're getting from consumers. And this is the big challenge in our organizations, especially with leadership at times who may say, well, what do you mean I can't send to everybody in this pool? I'm going to send to everybody in this pool. Well, 20% of this pool hasn't opened an email in a year. We need to stop sending them emails because it's hurting our deliverability score. Well, just send it to them anyway, because I need more attendees in an event, or I need more of this, or I need more of that. The object isn't to keep pounding on them as we used to do. All right. Oh, is that the last? Yes, that was the last one. So I know we have a couple outstanding questions. I'll run through this slide quickly. Just need to move my chat window here. So this is just a brief synopsis of how you can do this too. So this, again, it's boiled down into seven steps that were a lot more work than this one slide reflects, but I think the brief summary of how we built the foundation of the movement to consent-based marketing at OSUF is here. So really, Mark did the biggest lift of internal bridge building with identifying the stakeholder group that he mentioned. 
And then when I came on board, we convened sessions, standing sessions with that group to make sure we had a standing cadence that we were touching base with them on. But Mark really did the heavy cultural lift and getting them bought in on, yes, this is important. We have to pay attention to this. And that group spanned, just to say it outright, we also included athletics and the fundraising teams that spanned into alumni relations as well. So those kind of groups that maybe you don't engage with every day, but are impacted by this are important to think about there. And then from there, I led a gap analysis phase, which identified the ways that people were engaging with data in their practices and with the technology. And those insights formed the basis of a full day workshop that we convened. So that brought everybody together to review the findings of what the gap analysis revealed. And then we built the roadmap to how we were going to address these pieces. So that looked like all the infrastructure that you saw referenced in the slides previous, as well as the team trainings that we needed to broach with. We approached it as senior staff, the board, and then execution level staff, so that everybody got to understand how this would impact them on the day-to-day, as well as making sure that the board and leadership knew that our eyes were on the prize here. We were doing what needed to be done and asserting confidence there. There's so much more that we can continue and we will still do to help educate our staff. I mean, I have questions almost daily. Hey, can we, as the Alumni Association, still sell the data to get basically sponsorship? So how do we approach that? Is that legal in our state or is it not? These are all questions that we still continue to work through. And we're actually sitting back now as the legislation is in place to see how things start to pan out, because there's so many questions, you can so many rabbit holes you could go down. Yeah. 
Yeah. So I know Jenny's going to pose these questions for us. So the last thing, the last point that I think Mark and I are aligned on here is really just the need for subsequent progress check-ins. And then we do progress report outs internally as well. I'm trying to determine internally in my organization, do I need a compliance officer to sit and help us with this? Or can we continue with dispersed model? So I think, I know we had a few questions that came up and I believe we actually got them all answered either weaving into the conversation or through typing those responses. So I, since I have a couple of minutes left, I do have a couple of questions that I don't think we've addressed that I think would be really helpful. And one of those, as you talked about, you know, your team privacy, Mark, and pulling all those stakeholders. I'm going to flip that question around. Can you just speak a little bit to some of your internal roadblocks as you thought about this securing the buy-in on prioritizing data privacy? The biggest one immediately is the units that are driven by marketing, that are accustomed to doing what they've always done. It's a change management element. It's a huge change management element. You've got to explain why this is necessary, the importance of it, but isn't the university exempt? Aren't we exempt? I mean, honestly, many of you on this call today are probably technically exempt in your states. My comment to that is the consumer isn't going to know that you're exempt or not. We were having a short discussion about the political environment and the fundraising environment there. We can't get off that roller coaster sometimes when you get on it. How does that make you feel? That's not great. So as an organization that you're trusting, you're trusting us with your money and your donations and we don't treat your data the same way. I don't see that being, I don't see the two being different conversations. I see them being the same. 
But yes, Jenny, there's so many, you know, or the organization itself, the university stance. I have to figure out how the university is going to comply with what we have if they're not exempt and they don't see the need. And so that's another area that could be reality for many of the guests today. So starting to get, just getting your toes dipped into this, bringing it up at a leadership meeting, if you're in my position and having this conversation and making awareness. I mean, honestly, this series, I'm so happy that Jenny and Elise are here to do this because it's raising the flag on something that I feel like we haven't really been thinking about because it's just the way we've always done it. And it's a fundamental business change. If you don't see that now, it, you know, this is why you want to get out in front of it and really understand what you need to do today. And then also make sure that you're open and flexible to when it changes, it's going to change. Yeah, I think that, yeah. Oh, I was just going to say that was one of the questions asked in the chat was the university and foundation relationship, which you answered Mark. I think we spent a lot of time on that one though, just to reinforce that point that they definitely, they were exempt and OSUF was not. So we needed to understand how OSUF was ingesting data from the university and make sure that the obligation to disclose was as good as we could get it on the foundation side. And then you can only agitate so much on the university side. And ultimately, as we build this privacy and preference center and launch it later this year, I have the choice at this point, where do I include the colleges and units? Because I don't control the college and units sent. So if the university will not or cannot honor those, it will be a policy. 
And I think the university of Illinois states it clearly, these communications are the purview of the foundation and its affiliates and, you know, other communications you may get from the university are separate from these communications, something in that way, a caveat at the bottom, because I won't be able to solve for that equation. So nothing's worse than trying to solve for something you can't control. And so that may be a decision you're faced with. And I guess, I feel like you both touched on this, but Elise, anything else you would add about getting started and specifically, you know, for those in attendance who aren't really sure where their state is or will be landing? Yeah, I think that's where I know we keep mentioning it, but that stakeholder group, I think is really key. The cultural piece of it, I think is what will carry you is having those things decided, because you could adopt a GDPR level approach tomorrow, if you wanted to. And in a lot of cases, that's maybe beneficial so that you don't have to play the state by state game. But you want to be able to manage what the financial implications of that are. So having all the people represented that are going to be impacted, I think is the big first step to me. And Jenny, I'll throw a pitch in the alumni engagement measurements and how we measure who's marketable and not. I think we probably should consider that within however we're organizing that, because it's always been how big your alumni pool was at one point, which was the barrel, you know, and we would just do that. And I know we've modified it some, and I think it might, again, another opportunity to revisit. Well, and I think it's interesting to go back five years ago, we have the words legally contactable. And I remember saying, well, of course, this is global, don't worry in the States. And it's funny to go back five, you know, I had five years and see, actually, yes, this conversation has really evolved quickly in that time. 
And I know we're at time. And if you can actually just advance us a couple of slides. And as you're doing that, at least I'll add a special thank you to Mark and Elise for bringing this to CASE. I think this has been a fantastic topic. And thank you all for being with us. I thought I'd just take this moment because the people that chose to attend our data privacy webinar series, I think would also get a lot out of our CASE Drive conference. And so this is a friendly reminder to save the date. But also, please be on the lookout because we are very shortly going to be doing a call for proposals. And I know there's a lot of smart people out there doing great things. And we really span the topic on all things related to data, no matter where you sit in advancement. So hopefully, that's something you'll consider. And thank you all so much for your time. Special thanks to Mark and Elise. And Mark, go enjoy your vacation. Thanks for giving us a little hour before doing so. Thanks, all. Take care. Bye.
Video Summary
In this webinar, the speakers, Mark and Elise, discuss the importance of data privacy and the steps taken by the Oregon State University Foundation to comply with data privacy legislation. They emphasize the need for a team effort involving stakeholders from various departments to address gaps in data handling practices. The foundation focused on building a solid foundation for consent-based marketing, which includes adjusting the technical landscape to align with new privacy policies and preferences. Mark highlights the challenges faced in securing buy-in from units driven by traditional marketing strategies and the importance of cultural change within the organization. Additionally, they touch on the necessity of ongoing progress check-ins and training to ensure continued compliance and respect for data privacy. Their approach involves a strategic roadmap with a focus on transparency, customer choice, and adapting to changing laws and industry standards. Ultimately, the foundation aims to create a privacy and preference center that meets the needs of donors while respecting privacy regulations.
Keywords
data privacy
Oregon State University Foundation
compliance
stakeholders
consent-based marketing
technical landscape
cultural change
training
transparency
privacy regulations