We wrote recently on this blog about how preventing data and information from falling into the wrong hands requires vigilance on the part of the whole organization. 

For many information professionals, heading up this type of initiative can be quite challenging to get started and manage forward. However, it helps to first gain an understanding of where sensitive data lives across the organization, within shared repositories and across smaller silos, to enable a holistic understanding of where privacy risks may exist.  

While all members of an organization’s departments should be trained on privacy best practices, this post is for information professionals looking to dive into the specifics of how different parts of an organization should be reacting and proactively changing their practices to protect information while simultaneously being efficient on the job, remaining compliant, and keeping sensitive information from falling into the wrong hands. 

Data Privacy in Sales & Marketing 

Before we delve into data privacy risks for sales and marketing teams, we need to dig into some background on the history of web browsers and the internet. 

Soon after the internet was born came the invention of cookies. Not the tasty kind of cookies, but the web variety.  

Created in the early days of the internet by Lou Montulli, these bits of text data store information about how a user navigates a website and eventually, even allowed for the creation of the first reliable internet shopping cart.  

As the world transitioned more and more into the digital realm, more behavioral and demographic information was collected and stored in these cookies and became invaluable to organizations looking to understand, market, and sell to various subsets of people in a more targeted manner. 

Eventually, both European and United States lawmakers recognized the privacy concerns inherent in tracking cookies, and as of 2011, this once bottomless availability of data became only available on a consent basis. 

How to Ensure Your Sales and Marketing Team are Compliant 

There are a few sales and marketing-specific activities that are covered under privacy considerations: 

Email Marketing 

Email still remains a popular channel of communication for sales and marketing teams but there have been rules in place for decades. Email must be used compliant and in accordance with local legislation. For instance, complying with email marketing laws in Canada means complying with CASL. While similar legislation does not exist broadly across the United States yet, there are laws such as the California Consumer Privacy Act (CCPA) that offer some protection from email SPAM and must be followed. Likewise, if an organization has any chance of doing business with a citizen in the European Union, they should know they will be subject to GDPR requirements.  

Customer Databases 

Most organizations that store client and prospect information do so within their sales and marketing department’s customer relationship management (CRM) system.  

This makes it paramount for the operations teams supporting these functions to put privacy controls in place. The only employees that should have access to CRMs or Marketing Automation Platforms are those with permissions in the departments that use them. 

The imperative for these departments is to ensure preferences are updated, and to know exactly where the data is kept, how it’s being used, and who has access to it in case of an audit. 

IT Should be Leading the Charge 

Business is changing. Digital strategy is evolving and your technology stack is expanding.  

More data is flowing in and out of these tools and systems, and your teams expect this data to be integrated and accessible to meet their needs.  

But data security is mission-critical, especially as cyber threats become more sophisticated and can bring down the most established brands.  

Among these myriad responsibilities, a modern IT organization needs to be aware of any and all policies related to privacy.  

This often means that education often falls on the shoulders of IT departments to protect against external intruders while also educating their internal end-users how to be privacy compliant. Verizon’s 2021 Data Breach Investigations Report (DBIR) noted that nearly 40% of breaches fall under the category of social engineering. As a result, it’s important that an IT organization be the driving force behind privacy compliance education, especially when it comes to using technology. 

Human Resources: Ground Zero for Personally Identifiable Information (PII) at Every Organization 

As recently as a few years ago, most HR teams still kept their most critical HR documents (active employee files) in paper format, and in many cases, even those weren’t held in one centralized location. While the pandemic threw most digital transformation plans into overdrive, many of these systems may still be in hybrid forms and/or lack effective automation. 

When HR professionals spend more than half their time finding, organizing, and updating paper documentation, it isn’t just mind-numbing or inefficient, it’s a challenge to remain compliant and a threat to the success of the business.  

In the current job market, HR teams have vital work to do to support the growth of their organizations and to continue to engage employees. A better digital document solution can digitize, centralize, and secure document access. This allows HR teams to be more productive and efficient, with a goal to focus more on strategic initiatives that help organizations grow and improve. 

Legal and Compliance Department’s roles in privacy programs 

Your legal team should always be up to date on legislation.  

The rate of change is rapid and organizations are subject to many more laws than one might expect. During a recent webinar, Access’ T’Don Marquis noted, “along with many regulatory changes over decades, we’re seeing that many Access clients are affected by a large number of these laws and struggle to stay informed.” 

This can range from 8k- to-15K requirements for US organizations while global customers are subject to more than 30k or even as high as 100,000 requirements. 

As such, legal teams need to keep track of these requirements in order to understand how long they must retain information to remain compliant. This can be a full-time task in its own right. For instance, our own Virgo database includes retention policies for 140 countries and contains over 200k citations. This number continues to grow and change by the day.  

Likewise, legal teams need to be aware of contracts that are being signed with partners and third-party vendors. As a rule of thumb, when you choose your vendors, you should choose ones with similar ethical principles as your own organization. This includes any that touch your customer’s data, such as your cloud provider or any relevant entity in your supply chain. 


“Data protection goes beyond a corporation’s social responsibility in a digital age,” writes John Rhoades, Managing Director, Data Privacy & Technology Compliance at Insperity. “It has become an essential compliance function for any organization that collects, uses, or shares personal information or other potentially sensitive data.” 

What he doesn’t say is that in the digital age, that category includes literally every organization.  

It’d be a challenge to find an organization that kept no personal information on anyone, anywhere across the entire organization. In fact, it would be impossible to find such an organization, assuming they are compliant, because there are several laws that require a company to retain PII on their employees for a certain period of time even after termination. 

With that in mind, every organization today must be proactive in setting up a privacy program that protects access to sensitive information not just for the laws that exist now but for those that are sure to be passed. 

While much of what is written in this post is department-specific, there are clearly practices that tie them all together that every single department from the custodial staff up to the c-suite should be aware of and abide by.  

These include general privacy best practices such as: 

  • Educate the entire organization about best practices 
  • Be aware of phishing attempts 
  • Delete data when it has expired – follow retention schedules  
  • The only employees who should have access to sensitive data are those that use it to do their jobs. 

For more information on how to develop a privacy program that works in tandem with your information management program, check out Data Privacy for the Information Professional. 

Learn More