Janet de Guzman

Janet is Director, Compliance Group in Product Marketing and is responsible for the go-to-market strategies for OpenText governance, risk and compliance solutions.

The GDPR and Why Digital Marketing Will Never be the Same

We know that the General Data Protection Regulation is giving Compliance and IT some heartburn as these teams work to understand the GDPR’s new requirements and how it will affect their organizations. But perhaps the biggest impact will be to Marketing, specifically digital marketing, which will require a cultural shift that presents challenges but, for smart organizations, opportunities to succeed as well.

Consent is king

The days of implied, sneaky and bundled consent are gone. Starting in May 2018, brands have to collect active consent that is “freely given, specific, informed and unambiguous” to be compliant with the GDPR. Someone provided their email address to download a whitepaper? If they didn’t actively agree that it is okay to use their data to send marketing messages, it won’t be legal to add that email address to your mailing list. Also, because there is no “grandfather clause” for data captured before the GDPR, we expect to see lots of re-permissioning campaigns to establish clear consent to use the personal data organizations already hold.

The GDPR will change how gated assets are used, how leads are collected and how referral programs work. In other words, the method of “collect it now and figure out what to do with it later” will become a high-risk strategy. The challenge for marketers will be providing “granular choice” for consent in a way that is minimally intrusive and not detrimental to the customer experience.

Legitimate interest is not a get-out-of-jail-free card

The GDPR states that the “legitimate interest” of a controller can provide a legal basis for using personal information without obtaining consent (GDPR Article 6.1(f)). However, marketers should use this clause with caution. Legitimate interest can only be invoked provided that there is “no undue impact” on data subjects. In other words, a business that intends to use personal information must balance its legitimate interest against the rights and interests of the individual, and it bears the onus of demonstrating that it has done so.

Personalization…and privacy – consumers want it all

A recent study found that 90 percent of consumers have privacy concerns, but also seek highly personalized and tailored customer service. Personalization is key to modern customer experiences, and customers make purchase and loyalty decisions based on the level of individualized service they receive. This introduces a challenge for many businesses and marketers: in order to provide highly personalized offerings, they need a better understanding of their customers’ needs, purchasing histories and attitudes. That means collecting, analyzing and managing customer data related to these preferences and behaviours. However, it has also been found that consumers have growing concern over their privacy and the use of their data. Marketers will have to find ways to comply with the GDPR while continuing to deliver the personalized products, services and customer experiences that their consumers demand.

Pseudonymization – Marketing’s new hope?

The EU has been explicit that the GDPR should facilitate, not inhibit, innovation within business. In fact, the regulation calls out “freedom to conduct a business” as one of the fundamental rights it respects. The tracking and analysis of consumer behaviours and preferences are valuable tools that marketing and sales functions rely on to be successful. The process of pseudonymization may provide a way for regulators and businesses to meet in the middle.

The GDPR defines pseudonymization as “the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information.” It is a privacy-enhancing technique in which directly identifying data is held separately and securely from the processed data, so that the processed data cannot on its own be attributed to an individual. As it turns out, controllers don’t need to provide data subjects with access, rectification, erasure or data portability if they can no longer identify a data subject. Organizations should look to technology tools as a means of pseudonymizing or masking consumer data and encrypting personally identifiable data, in combination with organizational process changes, to ensure compliance.

It’s May 2018. Do you know where your personal data is?

A majority of businesses have stated that they are not ready for the GDPR. A big reason for this is the potentially onerous requirement for organizations to be able to quickly assemble a data subject’s personal data upon request for purposes of erasure, rectification or export. According to a recent GDPR Readiness survey, only 26% of respondents currently keep an up-to-date register of the personal data they hold and the purposes for which it is used. If there was ever a time to get your arms around all the personal data you hold, what type of permission was obtained for it, and the governance structure to manage it, that time is now. Information classification schemes, data storage methods and records retention programs need to be reviewed to ensure that data portability, removal or correction is not only feasible but efficient, if and when needed.

How OpenText can help

The GDPR is a game-changer for digital marketers and there will be challenges to overcome; however, the game can change in their favor too. Yes, the days of “data maximization” and blanket consent appear to be over. But it’s for those very reasons that the GDPR will lead to new marketing opportunities.

The GDPR forces businesses to develop more thoughtful approaches to targeting and lead acquisition. Prospects who opt in are better qualified, more engaged and want to be marketed to. Because consumers have more control over how their data is used, we’ll see better quality relationships between businesses and prospects. OpenText™ Enterprise Information Management (EIM) solutions help organizations meet regulatory requirements and should be central to your overall GDPR compliance and data protection strategy. According to Forrester, “77% of consumers have chosen, recommended, or paid more for a brand that provides a personalized service or experience.” Utilizing Workforce Optimization solutions within our Customer Experience Management portfolio, we can provide sentiment analysis to help measure the effectiveness of your marketing campaigns, and guidance on which promotions are appropriate to communicate based on whether or not the consumer has given consent. Learn more about our solution here.

Stay tuned for our next blog post in April on “Disrupt Yourself – Personalized Marketing in the Age of GDPR”. You can also read some of our previous blogs on this topic:
• Five 2017 Compliance Challenges
• GDPR and EIM
• GDPR – Opportunity or Threat for B2B
• Discovery Analytics and GDPR
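The pseudonymization approach described in the section above (directly identifying data held in a separate store, analytics run only on the processed data, erasure handled in the identity store) as an added Python example; it is not code from the original post or from any OpenText product, and the customer records, field names and the IdentityVault class are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, List, Optional

# Constructed sample data: the kind of rows a marketing database might hold (assumption).
CUSTOMERS = [
    {"email": "ana@example.com", "name": "Ana", "country": "DE", "consent_marketing": True, "purchases": 3},
    {"email": "ben@example.com", "name": "Ben", "country": "FR", "consent_marketing": False, "purchases": 1},
    {"email": "cai@example.com", "name": "Cai", "country": "DE", "consent_marketing": True, "purchases": 0},
]

# The "additional information" in the GDPR definition: kept out of the processed dataset.
IDENTIFYING_FIELDS = ("email", "name")


class IdentityVault:
    """Holds the secret key and the token->identity map, separately from the
    processed (analytics) dataset. Access to this store should be tightly restricted."""

    def __init__(self, key: Optional[bytes] = None):
        self.key = key or secrets.token_bytes(32)
        self._identities: Dict[str, dict] = {}

    def token_for(self, email: str) -> str:
        # Keyed hash: without self.key nobody can recompute a token from an email address.
        normalized = email.strip().lower().encode()
        return hmac.new(self.key, normalized, hashlib.sha256).hexdigest()

    def register(self, record: dict) -> str:
        token = self.token_for(record["email"])
        self._identities[token] = {f: record[f] for f in IDENTIFYING_FIELDS}
        return token

    def reidentify(self, token: str) -> Optional[dict]:
        return self._identities.get(token)

    def erase(self, email: str) -> bool:
        """Right to erasure: dropping the vault entry leaves the analytics rows in
        place, but they can no longer be attributed to the person."""
        return self._identities.pop(self.token_for(email), None) is not None


def pseudonymize(records: List[dict], vault: IdentityVault) -> List[dict]:
    """Replace identifying fields with a token; everything else stays for analysis."""
    out = []
    for r in records:
        token = vault.register(r)
        out.append({"subject": token, **{k: v for k, v in r.items() if k not in IDENTIFYING_FIELDS}})
    return out


def campaign_stats(pseudo: List[dict]) -> dict:
    """Marketing analytics that only needs behaviour and consent, never identities."""
    consented = [r for r in pseudo if r["consent_marketing"]]
    by_country: Dict[str, int] = {}
    for r in pseudo:
        by_country[r["country"]] = by_country.get(r["country"], 0) + r["purchases"]
    return {"mailable_subjects": len(consented), "purchases_by_country": by_country}


def unkeyed_token(email: str) -> str:
    """What NOT to do: a plain hash of the email. Anyone holding a list of e-mail
    addresses can recompute it, so no separately held information is needed to
    re-attribute the data; that is not pseudonymization in the GDPR sense."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def linkable_without_vault(tokens: set, known_emails: List[str], tokenizer: Callable[[str], str]) -> int:
    """Count how many tokens a party holding only the e-mail list (not the vault) can match."""
    return sum(1 for e in known_emails if tokenizer(e) in tokens)


def demo() -> dict:
    vault = IdentityVault()
    pseudo = pseudonymize(CUSTOMERS, vault)
    stats = campaign_stats(pseudo)
    ben_token = pseudo[1]["subject"]
    before = vault.reidentify(ben_token)["name"]
    vault.erase("ben@example.com")          # erasure request handled in the vault only
    after = vault.reidentify(ben_token)     # None: row survives, attribution does not
    emails = [c["email"] for c in CUSTOMERS]
    # A party without the vault key (modelled as a fresh vault with its own key) matches nothing.
    keyed_hits = linkable_without_vault({r["subject"] for r in pseudo}, emails, IdentityVault().token_for)
    weak_hits = linkable_without_vault({unkeyed_token(e) for e in emails}, emails, unkeyed_token)
    return {
        "stats": stats,
        "stats_after_erasure": campaign_stats(pseudo),
        "before_erasure": before,
        "after_erasure": after,
        "keyed_hits_without_vault": keyed_hits,
        "unkeyed_hits": weak_hits,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```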


Five Compliance Challenges Facing Your Organization in 2017


2017 is turning out to be a tumultuous year for compliance. A combination of Brexit, a Trump presidency and the reform of EU privacy rules has put regulatory change and uncertainty back into the spotlight. Mega-size fines have returned too, and compliance officers worry about personal liability more than ever.

1. The GDPR – the countdown is on

If your company hasn’t familiarized itself with the General Data Protection Regulation (GDPR) yet, you may already be behind. The GDPR was ratified in May 2016 and designed to bring personal data protection into the digital age. It imposes stringent requirements on how companies store and handle the personal data of EU citizens. The regulation will have far-reaching impacts, from how organizations obtain consent and use cookies on their website to giving teeth to the right to be forgotten. Don’t assume that, because this is EU legislation, the GDPR won’t affect you: it affects any organization that collects and stores the personal data of EU citizens. With the GDPR becoming enforceable in May 2018, the countdown is on for organizations to prepare. The GDPR will impact more than just the Compliance team; many other parts of the business will be affected as well.

Key steps

An important first step is to have clarity on the personal data processing practices and content within your organization, including:
• What personal data do you process?
• Where is it stored across the organization?
• Who has access to it?
• What consent has been provided and where is it documented?
• Where is it transferred from and to (including to third parties and cross-border)?
• How is it secured throughout its lifecycle?
• Are there policies and processes in place to dispose of personal data?

Visit OpenText GDPR to learn more about the regulation and how OpenText can help.

2. Pressure on the Compliance function not letting up

Compliance officers have never had a higher profile than they do now, but with great power comes great responsibility. Pressure on the compliance function has been steadily increasing and 2017 is no exception. For example, sixty-nine percent of firms surveyed in 2016 expected regulators to publish even more regulations in the coming year, with 26 percent expecting significantly more. In addition, personal liability appears to be a persistent worry: sixty percent of survey respondents expect the personal liability of compliance officers to increase in the next 12 months, with 16 percent expecting a significant increase. With the GDPR also comes the rare explicit requirement to appoint a qualified compliance role, the Data Protection Officer (DPO). Though the GDPR does not establish the precise credentials DPOs must have, it does require that they have “expert knowledge of data protection law and practices.”

Key steps

Compliance officers don’t need to be technology experts, but they do need to know how to leverage governance, risk and compliance solutions to make their jobs easier. Other key steps include ensuring your policy framework is up to date and that staff understand, and are trained in, their compliance responsibilities. Read the AIIM white paper and infographic: Managing Governance, Risk and Compliance with ECM and BPM.

3. A new administration means changes in regulatory priorities

President Trump has been clear and consistent on his desire to reduce the amount of regulation in place. From financial services to the environment, compliance officers are bracing for the changes and what they will mean for them. Most industry experts agree that even where regulations are streamlined or reformed, there will be plenty of work for your team to do to address the vacuum left by previous regulations or to interpret the way the new regulations need to be applied. The picture may be uncertain at the moment, but you can be certain that, regardless, any changes mean there’ll be work to do for your Compliance team.

Key steps

How do you prepare for the unknown? Many pundits wisely advise that it’s business as usual and not to re-draft policies and procedures just yet. Now is a good time to evaluate your overall compliance program, however. For example, if your organization does not have its regulatory information management house in order, now is the time to clean up. Whether your firm is based in or works with the United States, the potential changes to the regulatory landscape mean that businesses will need to be adaptable in order to quickly take advantage of opportunities, mitigate risks, and stay in compliance. Learn about OpenText compliance solutions. Continue to read compliance challenges 4 and 5 on page 2.


The RFP Process and You – A Relationship Guide (Webinar)


Do you have a love-hate relationship with the RFP (Request for Proposal) process? Does it elicit warm feelings that the acronym could also stand for “Reliable, Fair, Pleasant” process? Or is it more like “Really Freaking Painful?”

The RFP process began in the Government sector as a way of ensuring fairness to suppliers: all competing vendors get the same information and deadline requirements, proposals are evaluated against stated criteria, and the “winner” is selected in a transparent, defensible way. Today the RFP process is used in most industry sectors, where organizations see it as a useful method to collect competing bids. However, for many procurement professionals, bid management can be time-consuming and labor-intensive. Processes are often manual, paper-based and inconsistent. Large volumes of information with multiple versions must be collected, coordinated and distributed. Vendors, both known and new, need to be evaluated, and multiple stakeholders must work together.

Smart organizations know that the relationship with the RFP process can be fulfilling, productive and, yes, even satisfying. Below is our Relationship Guide, which contains best practice advice on how to improve your bond with this sometimes misunderstood process.

Enough with the spreadsheets

If you are wondering why your procurement processes are slow, error-prone and costly, it is probably because of the M-word: most RFP processes are manual. This results in inconsistent execution and vendor engagement, and potentially compliance risk. Moving your bid process online facilitates the efficient flow of work while enabling the capture of KPIs and process metrics. Automating workflows provides decision makers and management with real-time visibility into procurement operations and enables sound strategic decisions. Difficult-to-manage emails become a thing of the past by moving all vendor and buyer interactions and communications to a single, central portal. According to global management consulting firm A.T. Kearney, the most successful procurement leaders “are fully automated – with real-time access to data.” It’s the 21st century. It is time to automate and join the digital world.

Know your suppliers

Large organizations often interact with hundreds or thousands of vendors and partners. Sifting through corporate memory to identify the best vendor(s) to fulfill a particular requirement can be time- and effort-consuming, if not impossible. Intelligent tools are needed to keep track of suppliers’ capabilities, as well as how well they have performed in the past. Choosing the wrong vendor can have a host of impacts ranging from delayed projects and bleeding budgets to business disruptions and public relations nightmares. A bid management solution with strong vendor management capabilities can ensure that all relevant vendors are included in the evaluation and that past vendor performance is taken into account when executing new procurements.

Follow the rules

Like in any relationship, there are rules. And if rules are broken, sometimes someone gets hurt, usually in the form of a fine or reputational loss. In one extreme case a few years back, the Government of Canada was ordered to pay almost $30 million in lost profits to a losing bidder for intentionally favoring the incumbent. There are numerous policies that govern sourcing activities. Organizations must ensure they spend money judiciously and eliminate waste, and, in the case of government, protect against abuse of public dollars. According to the US Office of Management and Budget, more than one out of every six dollars of federal government spending goes to contractors, making it essential that all sourcing results in the best value for the taxpayer. Legislation such as the US Federal Acquisition Regulation, the Federal Accountability Act in Canada, and the Public Contracts Directive in Europe mandates that business is conducted with integrity, fairness and openness.

Protect the information

The RFP lifecycle generates many business records that must be managed. When processes are manual, there is no central repository for communication and collaboration between the numerous stakeholders, jeopardizing information integrity and efficiency. Choose a solution with a secure back-end system of record that enables indexing of documents for easy search, a full audit trail of the actions that have been taken, sophisticated access controls, and automated records retention and disposition. These features play a key role in demonstrating the trustworthiness of the bid process and protecting important records per regulatory requirements.

Rekindle the passion

In large organizations, an RFP can be worth millions of dollars to a supplier and represent a strategic effort for business, procurement and IT organizations. Business leaders want to know they are getting the best solution for their dollar, and suppliers want to compete fairly for the business. You don’t need to have a strained relationship with the RFP process. A strong bid management solution will make you look at sourcing in a whole new way.

Introducing OpenText™ RFx Center

OpenText RFx Center is an application targeted at automating and improving the efficiency of bid management. Built on OpenText™ Process Suite with integrations into OpenText™ Content Server and OpenText™ Contract Center, RFx Center combines industry-leading process automation, content management and contract functionality in a single solution.
• Automate RFP, RFQ, RFI, Framework and sole source processes
• Enforce regulatory compliance and increase transparency through audit history and tracking of all procurement actions, documents and artifacts
• Manage procurement documents in a secure, centralized content repository
• Empower business users to rapidly configure workflows and business rules with an intuitive, easy-to-use interface – no coding required
• Improve efficiencies and integrity for all vendor and buyer interactions using a single, central portal – no more emailing documents
• Take advantage of powerful Analytics capabilities that provide deep insight into procurement performance
• Ensure fairness to vendors with increased internal auditability, visibility and accountability

OpenText Live Webinar featuring OpenText RFx Center – Streamlining Bid Management

Find out more: join us for the OpenText Live Webinar featuring OpenText RFx Center on Tuesday, May 31, 2016 at 11:00 a.m. EDT. Streamlining Bid Management with OpenText RFx Center


Why EIM Should be Central to Your Information Security Strategy

Every function in the organization, from human resources to operations to marketing, is creating, acquiring, processing, storing and sharing more information than ever before. Innovations in technology coupled with unprecedented data volumes are pushing the limits of privacy and security well beyond current regulatory standards and legal requirements, making it easier for data to get into the wrong hands. Security incidents are on the rise. The year 2014 will bring to mind several high-profile breaches, such as Sony Pictures Entertainment, Home Depot and Target. While these attacks stole the headlines, thousands more took place around the world, resulting in the theft or loss of more than 1 billion data records, up 76% from 2013.

The threat is coming from inside the house

We know that organizations need to protect their most sensitive information from cyber criminals on the outside who are trying to get in, but there has been significant research indicating that it is the individuals operating inside the “trusted” network who are the biggest threat. Whether with malicious intent or unintentionally, employees are the primary cause of data breaches.

Source: PwC, Turnaround and transformation in cybersecurity: Key findings from The Global State of Information Security Survey 2016 (n=10,000 CEOs, CFOs, CIOs, CISOs, CSOs, VPs and directors of IT and security).

Why are employees cited as the biggest risk to information security?
• Inadequate access and permissions controls for shared repositories
• Lack of secure file sharing and transfer practices

So what can organizations do to prevent data loss and protect intellectual property while optimizing productivity and speed to market? Enterprise Information Management (EIM) is the set of strategies and tools that help organizations maximize the value of their information while minimizing its risks, and it should be a foundational component of your Information Security strategy. Here’s why:

Access and permissions – control who’s allowed to do what

Your first line of defense is to limit information access to only those employees whose job function requires it. The “wild west” of unfettered access to shared repositories for the vast majority of your employees puts organizations at risk. You must also monitor those with permissions for proper information access behavior. Effective EIM systems have fine-grained access and permission structures to ensure users only have access to what they need and what they are permitted to see and do. From intellectual property to client information and personnel matters, EIM systems help ensure that content is retrievable and usable for those who need it and protected against unauthorized access and alteration by those who don’t.

Audit trails – know who did what and when

When an incident does occur, or a suspected incident is being investigated, it’s critical to be able to understand the full history of activity that has taken place and reconstruct the content’s forensic trail. EIM solutions offer customers the ability to view the full information lifecycle and all of the actions that have been performed on it, by whom and when, including:
• When and by whom an asset is accessed or viewed
• When it is downloaded or copied
• When it is deleted or moved
• When a version is added, viewed or edited
• When administrative settings or access have changed

Information audit capabilities are an additional layer designed to help you manage and assess threats around your information.

Secure information exchange – preventing data loss

Data leakage and loss from negligent file sharing and information collaboration practices is becoming just as significant a risk as data theft.
• 84% of employees are using personal email accounts to send sensitive files, 51.5% at least daily
• 52% expose company files or data by uploading to a non-secure, public cloud-based service
• 30% of employees have lost a USB drive containing confidential information

Comprehensive EIM solutions offer secure file sharing tools to safely exchange files and keep proprietary, confidential and sensitive content safe. Capabilities you should be looking for include:
• Data encryption during file transfer and information exchanges, both inside and outside the enterprise, ensuring superior protection of sensitive data
• Date- and time-stamped notifications when messages are received and files are downloaded, allowing for easier tracking, auditing and more efficient workflows
• Full control over file and data download availability
• Secure messaging that integrates directly with your existing email system to provide enhanced encryption, tracking, protection and control of email
• Secure and efficient exchange of very large files inside and outside the organization
• Compliance with privacy regulations and standards, such as HIPAA, the HITECH Act and PCI-DSS

Records disposition – keeping volumes manageable

The more content you have, the more difficult it is to get your arms around it. Information security becomes more manageable and realistic when you reduce data volumes. If your organization stopped hoarding every piece of information it acquires or creates and adhered to compliant records disposition rules to archive or destroy records when retention schedules expire, discovering, analyzing and defending your sensitive information would become much easier. Perhaps the most important component of EIM is effective records management. These capabilities help organizations secure information through legal and records holds and sound information lifecycle management, ensuring that information can’t be accessed or destroyed when doing so would be contrary to company needs or regulatory obligations.

System of record – know where your information is and classify it

The biggest mistake companies make when it comes to information security is not understanding where their sensitive data resides, because they have not set policies to systematically and routinely classify their data. Consequently, they don’t have controls in place to ensure that all information types are handled appropriately. At the heart of EIM is a central secure repository for unstructured information. Here, content can have security classifications applied, such as Top Secret, Secret, Confidential, Restricted and Public. Without a formal data classification scheme, information that is considered highly valuable by third parties may not be viewed as such internally, and thus may not be managed and secured accordingly. Without a tool to help identify where sensitive data is, an organization likely does not have a handle on it. If you don’t know what you have, where it is, and why you have it, you can’t expect to apply the appropriate policies and controls to protect it.

EIM and information security – the balance between productivity and protection

High-profile data breaches should be a wake-up call to enterprises everywhere. According to IDC, by 2016 security will be a top three business priority for 70 per cent of CEOs of global enterprises. Make EIM a core component of your Information Security Strategy. These solutions provide your employees with collaborative access to sensitive data and intellectual property within an approved access control model, while preventing data loss and ensuring data privacy and client confidentiality to maintain regulatory compliance.


Compliance – Not Just a Necessary Evil, It’s Good for Business

Compliance gets a bad rap because it is immediately associated with laws, constraints, inspections, audits and penalties for those who don’t follow the rules. Most organizations understand the importance of regulatory compliance in preventing unethical conduct and violations of the law. It’s the necessary evil that is mandatory, but it also sucks up valuable time, effort and resources from folks who would much rather be working on projects that innovate, inspire and motivate. The word compliance in itself often conjures up thoughts of what organizations must do rather than what they want to do. And let’s be honest: doing the right thing isn’t always fun.

Compliance, in truth, is about as much fun as going on a diet. Although eating healthy is an important part of a long and vigorous life, sometimes you just want to have that one cupcake and stray from the intended plan…even though the long-term consequences of repeated bad behaviour can result in an abandoned diet altogether. Well, it’s not all bad news and there are ways to resist temptation. Regulatory compliance means much more than just eating your greens. It can allow your organization to become a lean, mean, high-performance machine. In other words, having an effective Compliance Program is not only the right thing to do, it also makes good business sense.

Establish Customer Trust and Brand Loyalty

Reputation matters. Gaining a reputation as an organization that fails to meet its compliance obligations can jeopardize customer trust and loyalty. In fact, reputational risk was cited as the #1 driver for regulatory compliance in a recent AIIM survey, and twice as big a driver as avoiding fines and penalties. Reputational risk is so important that being transparent, even about your faults, will improve customer perception and can lead to increased stakeholder engagement. Having a clear, effective compliance program makes it apparent to stakeholders that compliance is a top priority for your company. It shows your commitment to doing business the right way and to the highest ethical standards.

According to Deloitte, top performing CSR (corporate social responsibility) organizations do not view ethical, social and environmental initiatives as something that can be layered on to the organization. Instead, they make sustainability an integral part of their organization by integrating it into their brand. Many consumers seek out and want to do business with vendors and suppliers who share their values and compliance principles. For example, when a company can demonstrate a conflict-free supply chain, stakeholders are reassured that the company is compliant, which imparts confidence among suppliers, customers and partners and can help establish lasting and trusted business relationships. Further, in addition to building a reputation as a good corporate citizen, having a well-documented and effective compliance program demonstrates your company’s expertise related to all relevant laws and regulations.

Improve Operational Processes

Regulatory compliance should not be viewed as simply a checkbox exercise but, rather, as something that can have significant, positive, secondary benefits on business operations:

Foster Best Practice – Compliance can be used as a means of encouraging businesses to adopt rigour and best practice in areas where the inclination may be to cut costs and corners, such as privacy protection, good recordkeeping and IT processes. There’s nothing like an upcoming audit or the possibility of a hefty fine to motivate an organization to review and improve its practices.

Increase Supply Chain Awareness – Third-party compliance risk management is the most challenging aspect of an organization’s program for managing compliance risk, according to the 2015 Compliance Week Trends Survey. Regulations that mandate compliant supply chains force firms to take a hard look at their third-party community, which is a good thing. For example, KPMG points out that the Dodd-Frank Conflict Minerals rule could yield significant business benefits for companies that use it as an opportunity to better manage their supply chain ecosystem.

Establish Better Information Governance – Good record-keeping is central to a strong compliance program. Business records provide the evidence to demonstrate compliance to regulators, auditors and the public. Having an effective Information Governance program means a company’s information assets are consolidated, categorized and analyzed, leading to better strategic decision-making.

Attract and Keep the Right Talent – An effective compliance program can improve a business’ ability to attract and retain highly principled and higher quality employees, improving employee morale, job satisfaction and retention rates. Job seekers are not keen on working for companies that do not take ethics and compliance seriously.

Boosts the Bottom Line

A number of studies have found that companies with strong governance and compliance cultures perform better than their counterparts. That’s a bold statement, and if you are skeptical, check out these compelling studies:
• Businesses with above average IT governance, that is, the processes, procedures and controls associated with how their IT systems and personnel comply with privacy and security regulations, realized 25 percent more profits than those with poor governance.
• On the day Apple announced it was 100% tantalum-conflict-free, the media was quick to jump on the story, featuring Apple on popular tech blogs, the New York Times and many other media outlets. What did this mean for its bottom line? At the opening bell, Apple’s stock price was $535 and come market close it was $544. At the time, Apple had 892 million shares outstanding. Thus, the resultant increase in market cap was 892 million × $9, approximately $8 billion!
• Companies that are able to link business risks with their strategic imperatives are more likely to achieve an annual profit margin of greater than 10 percent over three years, and better profit margin growth.
• Ten companies with the highest five-year returns were juxtaposed with the S&P 500 (chosen as the benchmark). In an analysis of the five-year period, the top ten companies using compliance software had an average total return of 247%, equating to a 28% compound annual growth rate (CAGR). Over the same five-year period, the S&P 500 had a total return of 85%, which equated to a CAGR of only 13%.

Presumably, an organization that spends less time dealing with regulatory infractions has more time to focus on initiatives that improve competitive positioning and help gain market share. Another and perhaps more obvious conclusion to be drawn is that avoiding compliance penalties simply leads to a healthier bottom line. In the area of data privacy and protection, for example, it’s estimated that non-compliance costs 2.65 times what compliance costs. One study found that the average cost of data privacy compliance is $3.5 million per organization, whereas the average cost of non-compliance-related issues was $9.4 million, which included penalties, business disruption, lost productivity, and legal and non-legal fees.

Conclusion

It is all too evident to most organizations that, like it or not, ensuring regulatory compliance is not only a mandated requirement but is getting more and more challenging. The regulatory landscape is constantly changing and compliance requirements are becoming more stringent. Like a strict diet, maintaining and following a compliance program can sometimes leave one yearning for the more carefree (and tasty) days of the past. However, there are many reasons why compliance is not only necessary but can also help ensure the longevity of the business. Because, much like the adoption of a new diet regime, it seems that investing in a compliance program can be the start of an entirely new outlook on success.
