The Manufacturer’s Guide to Building Brand Loyalty and Trust: Part I

U.S. companies are legally bound to follow data privacy rules and protect customer data. However, upholding data privacy standards is more than just a legal requirement; it’s imperative to building brand loyalty and trust.

As data usage continues to increase for manufacturers, protecting customer data and privacy may prove more challenging. According to BDO’s 2024 Manufacturing CFO Outlook Survey, 35% of manufacturers now use advanced analytics, including forecasting and predictive models. They are also increasing their spending on innovative technologies, such as artificial intelligence and machine learning. Additionally, 30% of manufacturers consolidate their data in a central location and share it across the organization, which can introduce security vulnerabilities.

As manufacturers continue to enhance their digital maturity through Industry 4.0 initiatives, they will need to continually refine their protection and data privacy programs.

Key Concepts to Know

Building a strong program foundation depends on two concepts: Iteration and Data Protection ‘by Design’ and ‘by Default.’

• Iteration: Data privacy compliance is a journey, not a destination — it requires ongoing monitoring, testing, and improvement of the protection and data privacy programs that support it. Manufacturers should focus on developing an ongoing, overarching culture of compliance to enable the company to meet the demands of the evolving regulatory landscape. 
• Data Protection ‘by Design’ and ‘by Default:' Data Protection ‘by Design’ and ‘by Default’ approaches are critical to building a strong program foundation. These approaches integrate privacy and data protection practices into the organization’s activities from the beginning, which helps mitigate risk, close compliance gaps, foster trust with users and customers, and reduce the likelihood of privacy violations.

Ready to build the right foundation for your protection and data privacy program? Read on to get started.

Have You Seen Any of These Red Flags?

Before getting started with our checklist, take a moment to think about whether your company has experienced any of the following scenarios, which may be a driver for change.

• Consumers complain about a lack of transparency in the amount of personal data you collect about them, or the ways in which you handle their personal data.
• Your company receives a high volume of complaints or regulatory inquiries.
• Your services or products put you in the category of high-risk controllers or processors because of the amount of personal data you collect or process.
• Your company experienced a decline in user engagement, and it is driving a reduction in market share or brand recognition.
• Privacy activists are filing lawsuits against your company or your peers.
• Your industry is on the receiving end of frequent regulatory fines.
  • This is often a tell-tale sign that regulators are scrutinizing companies within your industry, so your business should work to shore up data privacy compliance processes sooner than later.
• Your company has incurred a regulatory fine.
• Your company has experienced a data privacy breach or cyberattack.

Common Gaps in Privacy & Data Protection Programs

While identifying privacy and/or data protection red flags may be straightforward, manufacturers need to uncover and address program gaps to strengthen their compliance. Here are four common compliance gaps to look for and address within your organization:

1. Tracking technologies: Companies continue to struggle with tracking technology (pixels, web beacons, and cookies) compliance. We regularly see companies fined for improperly using outdated tracking technologies, writing code that leaks data, and violating regulations. Data leakage can lead to a report of a data breach with regulators.
2. Data collection and consent: Companies must balance their need to collect personal data with clear and informed consent. For U.S. companies, this is a challenge since not all laws have caught up with consumer expectations. However, as data usage becomes more intricate and globalized, user consent is one of the most pivotal areas of privacy compliance programs.
3. Third-party data sharing: Most privacy regulations require companies to determine whether their vendors adhere to the same level of privacy and data protection standards as the hiring company. Vendor assessments and an understanding of inward and outward data flows allow manufacturers to identify potential risks and stop sharing data with a third-party if needed.
4. Emerging technologies: Integrating innovative technologies like artificial intelligence (AI), Internet of Things (IoT), blockchain, and biometrics while maintaining privacy standards poses challenges in understanding and mitigating risks. These technologies require manufacturers to continuously reassess and update their privacy policies and practices to promote compliance and protect users’ personal data.

Building the Baseline Program

This first checklist serves as part one of a three-part series to help your company develop a privacy & data protection roadmap and prepare for enhanced regulator and stakeholder scrutiny — especially for manufacturers in the business-to-consumer category.

The items below represent baseline best practices for privacy and data protection compliance programs. This comprehensive list, while not inclusive of every possible tactic provides a starting point to build the foundation prior to tackling more complex activities.

• Do you have buy-in to build or rebuild your privacy and data protection program? Privacy programs require a plan, budget, and buy-in at the highest levels of the organization. Build your business case, identify an executive sponsor, and get board approval to invest in consumer data protection.
• Do you know where your personal data resides and who has access to it? Organizing and knowing where personal data resides and who can access it or when it is shared is a hallmark of a foundational, compliant data privacy program. To start, develop a comprehensive data inventory and t identify personal or sensitive data. Key steps to take include:
  • Identify data sources
  • Categorize data into personal, sensitive, and other categories to evaluate its privacy significance
  • Map the data flow
  • Determine who owns each data category and is responsible for proper handling
  • Assess data flow, transfer, and other risks associated with each category
  • Record how data is collected, stored, processed, and shared
  • Identify current organizational data practices to align with privacy regulations
  • Define retention periods
  • Understand and update access controls
  • Establish a timeline to continually review and update the inventory
• Is data protection a priority at the top? To build a strong privacy program, data protection must be viewed as a priority. It is also important to educate the board and executive teams to ensure they understand the differences between privacy and security. Privacy and security standards and processes are both related to protection best practices but are inherently different. 
  • Security protects data from unauthorized access, breaches, and cyberattacks. It allows an organization to safeguard personal data and information from internal and external threats.
  • Privacy, on the other hand, focuses on the appropriate handling and use of personal data. Privacy measures focus on minimizing the collection of sensitive and personal data, obtaining consent to use that data, and ensuring that data is used for its intended purposes.
• Is the board engaged in privacy and data protection discussions? The commitment of the board is essential to drive reputation and trust. The board’s oversight of privacy practices helps maintain the company’s brand and credibility, reduce the risk of data breaches and their fiscal impact, and drive employee engagement in data privacy best practices.
• Is privacy and data protection part of your corporate strategy? Privacy considerations can influence strategic decisions about product development, partnerships, and data sharing practices. Building internal and external support channels to evaluate ways to promote privacy and data protection as a differentiator helps to build the program’s business case. Treating privacy and data protection as part of the organization’s strategy demonstrates to users and consumers that the company is serious about protecting their data.
• Are you transparent and do you share data practices with the public? Your policies around data collection and processing should be highly transparent. This means proactively sharing those polices and privacy notices with customers. Studies have shown that companies that are transparent with the public about how data is collected, processed, and shared are held in higher regard by customers and regulators.
• Do you destroy outdated and unnecessary data? Data retention is a critical component of every privacy program because it demonstrates that you are trying to reduce the risk of data leaks and unauthorized use. Establish retention schedules and policies to determine how long distinct categories should be retained and when they should be destroyed.
• Has your company established a breach response program and evaluated it? Data breach and incident response programs are required under every privacy law regardless of your location. Manufacturers must abide by regulations that dictate how to craft a data breach response program, from the detection of a potential breach to when  the organization must notify board members, employees, and customers after one has occurred. 
• Have you appointed a Data Protection Officer (DPO)? It is likely that a DPO is required in regions where you sell or operate. Review regulations to determine locations where you are required to have a DPO and identify regional or local in-country appointments. A common approach our clients find useful is to appoint a Global DPO with in-country or regional appointments to offset time zone, language, and cultural challenges.
• Are employees required to complete privacy, security, and data protection training at regular intervals? At this stage, it is critical that companies establish data privacy awareness and training for employees. Guarding customer data is the responsibility of everyone at the organization so it should be part of regular training, awareness campaigns, and individual goals.

Going Beyond the Groundwork

This checklist can help you build the foundation for a privacy and data protection program that helps restore trust with your stakeholders, employees, and customers.

In our next checklist, we’ll provide guidance on how to evolve the steps from the foundational stage, looking at tactics such as establishing a Data Protection Committee and finetuning employee training programs.

How BDO Can Help

Interested in strengthening your data privacy compliance program? BDO can help.

At BDO, we have deep industry experience and can help manufacturers get their data privacy programs on track no matter what stage they are in: foundational, mature, or optimized.

With a scalable and customized approach, we will work with your organization to assess your current program based on our 12-step modular framework. Our integrated suite of services can help you address every element of privacy, data governance, analytics, crisis management, insurance response, cybersecurity, and risk management, thereby strengthening your company’s compliance posture.

We use Privacy ‘by Design’ and ‘by Default’ and Data Protection ‘by Design’ and ‘by Default’ approaches so that you can feel confident in your organization’s ability to establish — and enhance — your program in a way that protects the integrity of the data you collect now and in the future.