Learning about privacy from your CRM vendor

As privacy regulation continues to weigh on organizations, their CRM software vendors need to develop more privacy controls, says one analyst. Some vendors are appointing chief privacy officers of their own.

In a time when consumers are increasingly sensitive about their personal data and federal regulations regarding that data are growing stricter, privacy has become a major concern for many organizations.

Can software vendors provide any guidance for their customers?

To date, vendors haven't offered customers much privacy support, said Larry Ponemon, chairman and founder of the Ponemon Institute in Tucson, Ariz., though he expects that to change.

"I think that CRM vendors, particularly the smaller ones that are up and coming, have a monstrous advantage if they build privacy technology into their software," Ponemon said. "When they start to build it into their programs and processes, they can ultimately use it as a competitive advantage."

While the big CRM vendors -- like Siebel Systems Inc., SAP AG and Oracle Corp. -- have a good architectural base for adding privacy controls, the smaller, more nimble companies have an opportunity to more quickly separate themselves in this area, he said.

For example, E.piphany Inc., of San Mateo, Calif., has functionality that lends itself to good privacy controls because of the way it tags data, while Intuit Inc., of Mountain View, Calif., does a good job of embedding privacy controls into its product, Ponemon said.

Federal regulations like the Health Insurance Portability and Accountability Act and the Federal Trade Commission's National Do Not Call Registry are driving most of the privacy concerns.

"Someone's going to get caught [in violation of regulations]," Ponemon said. "The clients are going to blame the software vendor, and that's going to give the small guys a chance."

However, privacy controls within an application can increase liability if they are turned off, Ponemon noted.

"The evidence would suggest that it's almost worse to buy privacy-enabling software and not to use it, than not to buy it at all," Ponemon said.

In a legal sense, deactivating privacy features demonstrates that a company is doing something it ought not to be doing, Ponemon said.

Grappling with privacy concerns of their own and responding to customer concerns, some vendors are creating a privacy position within the company. Late last month, Epsilon, a relationship marketing company owned by The Relizon Company, named Steven Roth its chief privacy officer (CPO). As vice president for CRM strategy and planning, Roth also oversees privacy and security issues for the Wakefield, Mass.-based company's customers. Epsilon hosts more than 40 databases of marketing data.

Due to recent legislation, Epsilon's customers have been concerned enough about privacy to request independent audits of the company, Roth said. Others have asked for assistance dealing with opt-in/opt-out policies.

"It's fine to have a privacy policy, the next [step] is really implementing it," Roth said. "To make sure that everyone -- from the executive team to people who are managing the data -- understands what the issues are, asks the right questions and recognizes the responsibility we have to our clients and our client's customers."

Roth acts as the point person for privacy issues both within Epsilon and for its customers. He also oversees a privacy committee that draws from the IT, legal, human resources and marketing departments.

It's not absolutely necessary to have a CPO, but most software companies should have a privacy architect, similar to Microsoft, Ponemon said.

"At a large company, like say Ford or GE, with complex organizations, the reason you need a CPO is you need someone at a high end of the management scale to say no [to business decisions that could affect customer privacy]," Ponemon said. "A software company doesn't do that exactly. They're the architects building privacy into what they provide."

Software companies need a person or a team of people to ensure that privacy controls are addressed throughout the development process. And there's still work to be done in that area, Ponemon said.

Managed services in privacy may be the wave of the future. Both Hewlett-Packard Co. and IBM offer good privacy education services, but they are not ongoing, Ponemon said. He expects to see more solutions like privacy consulting for a new marketing campaign.
