BYOD, data security and the BlackBerry Experience

I am moderating what will almost certainly be a fascinating discussion about BYOD, enterprise data security and device management at the BlackBerry Experience event at Montecasino in Fourways, Johannesburg today. The event is hosted by BlackBerry in partnership with ITWeb Events and will also take place in Durban and Cape Town later this month.

The speakers at the event will include Nader Henein, BlackBerry’s Regional Director for Product Security; Izak Meyer, Director for Enterprise at BlackBerry South Africa; Wikus Viljoen, a systems analyst at Nedbank and Andy Swanepoel, a technical specialist and manager at Nedbank.

We are going to talk a bit about BYOD trends (and the growing tendency towards more managed deployments), a better strategy for securing data on mobile devices and more. I don’t want to say too much about the content attendees can expect but I find much of it fascinating. You can follow the discussion on Twitter using the hashtag #BBExperience if you aren’t attending the event.



Disclosure: I am being paid to participate in and moderate the panels at these events. That said, I make a point of only promoting products and services that I am interested in.

Your future digital government

I had to apply for unabridged birth certificates for our children the other day so I sat down in front of my laptop, browsed to the Department of Home Affairs’ website and logged into the secure Civic Services portal to start the process. I used my new ID card with its embedded personal digital certificate and a one-time code from my smartphone to authenticate myself.

As you can imagine, Home Affairs has all my details and knows who our kids are, so all I really had to do was select the option for the unabridged birth certificates and place the order. The system informed me that because this was the first time I had requested these particular birth certificates there wouldn’t be a charge. I received a confirmation of my request along with digitally signed and locked digital versions of our kids’ unabridged birth certificates about five minutes after I concluded my request.

The birth certificates were in PDF and I quickly verified that they were signed by Home Affairs using the Department’s current public key (they were) and then forwarded them on to the service provider that requested them from us.

At this point you are probably wondering how I managed to do all of this. You probably had to drive out to your local Home Affairs office, fill out the forms on paper and wait in line to hand the forms over to the person behind the counter, only to be told you’d have to wait six to eight weeks for the birth certificates to be printed out in Pretoria and delivered to that office. You would then have to return to the office with your receipt so you could collect the pages.

My story is completely hypothetical. That process is not possible at the moment. This isn’t because the technology doesn’t exist (it does) or because the law doesn’t cater for it (it does). Implementing processes like this requires a different approach to digital government services. In this particular case, the starting point is likely a combination of a number of factors:

  • A secure, complete and accurate citizens’ and residents’ database;
  • A secure portal through which citizens and residents can access government services using a unique digital identity which is linked to the data the government has about them;
  • Digital certificates issued to each citizen and resident along with each person’s national identity;
  • A convenient means of both securing and using a digital identity to authenticate each citizen and resident that has a cross-platform mobile as well as conventional desktop interface.

The Electronic Communications and Transactions Act provides a broad framework for much of what would be required, including digital signatures, digital documents and data retention and evidence. The benefits could be to radically streamline government services and empower citizens to transact more securely and effectively with each other. These benefits are not reserved for government services, they extend to private services too. In fact, a single secure and digital identity for South Africa’s inhabitants could serve as a platform for a variety of providers to develop engagement models that could transform how the country functions.

So why isn’t such a system being developed (or in place already – much of the technology required has probably existed for some time now)? The Verge has an interesting post on this topic titled “Our future government will work more like Amazon” which has a few relevant observations, including this one:

The problem is logistics. Sure, the Postal Service would probably love to have some fresh resources to boost up these facilities. But consolidating many offices into one is never easy. And reappropriating human resources would definitely be controversial. But with good digital systems to reduce paperwork, remember previous encounters with citizens, and greatly reduce the need for people to visit brick and mortar offices in the first place, it’s certainly feasible.

From a legal perspective there are very few barriers to this sort of future. Aside from logistics, the challenge is that our culture is still heavily invested in paper and paper paradigms and the change to digital workflows seems to be prohibitively complicated. That said, there are many benefits to going digital including cost savings, better security and improved redundancy (if you work with paper files, how much redundancy is built into your filing system?).

Simply adopting the necessary technologies isn’t going to solve the problem either. Effective implementation is essential and failing to do this has led to controversies such as the SANRAL consumer data exploits we read about recently. I came across another example of poor implementation when I began writing this post this morning, somewhat ironically from the South African Post Office’s Trust Centre which is charged with delivering trusted digital identity solutions:

[Screenshot: SAPO Trust Centre authentication problem]

Leaving aside what must be an oversight, the Trust Centre delivers a key component in this future digital economy. An advanced electronic signature, for example, opens the door to a range of digital transactions otherwise reserved for paper-based transactions. One of the things I would like to do, as an attorney, is commission affidavits digitally. That is only legally possible if both I, as the attorney, and the person who wants to have an affidavit commissioned have advanced electronic signatures. At the moment this has to be done in person but when both parties have advanced electronic signatures (and have been authenticated by the Trust Centre), this could probably take place remotely. That, alone, represents a cost and time saving. Other transactions which become possible include digital contracts to sell land and even truly digital wills.

Going digital can transform how we function and how businesses and government operate. It just takes vision, an understanding of the legalities and risks and sensible technology implementations.

4 tips for developers selling software

Say you’re a software developer and your customer wants to buy your app, do you know what you should be thinking about when selling software? Here are a few contract tips:

Can you legally sell your app?

Unless you have developed the code for the app from scratch and haven’t used any previous code of your own or any third party code, your app is likely to be a composite of code you’ve written in the past for other projects and which may even form part of your general toolkit.

You may also be using code from other developers which could be licensed under a variety of licenses, including open source licenses like GPL and BSD.

When you sell something, you generally transfer all the rights in the thing to the purchaser. You have to have the rights to transfer in the first place and if you don’t own all the rights in that thing you are selling, you can’t really sell it to someone else. If you attempt to do that, you’ll find yourself with a contract you are legally unable to comply with and that is a problem.

Tip 1: Check the rights you can transfer in a sale first.

Know what you are selling

This sounds pretty obvious but it’s a more complicated question than you may have thought. From your perspective you’re selling your app but what is that app, really? Are you selling the finished product alone or does your customer want the source code too?

Many software purchasers want the source code because they are concerned that if they don’t have the source code, they could find themselves in a pickle if the app breaks and they can’t reach you to fix it. It is basically a business continuity concern and the more your customer relies on the app to operate its business, the more important having access to the source code will be.

The challenges with selling the source code include disclosing your secret coding sauce that makes your code so valuable. Those trade secrets could give your customer or even a competing developer who encounters the code later an additional competitive edge over you. Another challenge is that selling your source code outright could have an impact on other projects which leverage elements of that source code because you will have far fewer rights to use that code once it is sold. This means you have to consider the impact on your obligations towards existing customers too.

Tip 2: Carefully consider precisely what you are selling and what the implications are of selling it to your customer.

Clearly define what you are selling

This also sounds obvious but it isn’t. In your mind you are selling an app but how would a person outside the deal be able to identify what you are selling, objectively? Is the app totally self-contained and in a box that can be easily identified? Chances are it may be a bit more complicated than that.

The reason why you need to be able to clearly define what you are selling is twofold: your contract needs to be clear on this and your customer’s expectations of what it will receive from you must correspond with your understanding of what you are selling.

How you define your app may depend on the nature of the app but here are a couple of ideas:

  • Include detailed and app-specific functional specifications;
  • Depending on the app, possibly use a hash derived from the app’s code as a sort of fingerprint to identify it;
  • When describing the software’s functionality, avoid generic descriptions that could apply just as easily to software you are not selling;
  • Consider versioning your software and referencing specific versions being sold, if appropriate.
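The second item in the list above suggests a hash of the app’s code as a fingerprint. That only identifies anything if the contract also fixes how the hash is computed: which files count, in what order, and how paths are encoded. The Python below is an added example, not code from the original post; it computes such a fingerprint over a constructed sample tree and checks the properties a contract schedule would rely on (build output excluded, edits and renames detected). The excluded directory names are an assumption.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumed list of directories treated as build output or tooling rather than
# part of the deliverable; a contract schedule would state its own list.
EXCLUDE_DIRS = frozenset({".git", "node_modules", "__pycache__", "build", "dist"})


def fingerprint_tree(root, exclude_dirs=EXCLUDE_DIRS):
    """Return a SHA-256 fingerprint of the source tree under root.

    Every regular file outside the excluded directories contributes its
    forward-slash relative path, its size and the SHA-256 of its bytes, in
    sorted path order. Renaming, moving, adding or editing a file therefore
    changes the result, while the order in which the filesystem lists entries
    and the absolute location of the checkout do not.
    """
    root = Path(root)
    entries = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root)
        if any(part in exclude_dirs for part in rel.parts[:-1]):
            continue
        content_hash = hashlib.sha256(path.read_bytes()).hexdigest()
        entries.append((rel.as_posix(), path.stat().st_size, content_hash))
    overall = hashlib.sha256()
    for rel, size, content_hash in sorted(entries):
        # NUL separators keep "a.py" + "1" distinct from "a.py1"; each
        # manifest line is also something a contract schedule could list verbatim.
        overall.update(f"{rel}\0{size}\0{content_hash}\n".encode())
    return overall.hexdigest()


def build_sample_app(root):
    """Write a small constructed app tree under root (sample input, not a real project)."""
    root = Path(root)
    (root / "src").mkdir(parents=True, exist_ok=True)
    (root / "src" / "main.py").write_text("from util import add\nprint(add(2, 3))\n")
    (root / "src" / "util.py").write_text("def add(a, b):\n    return a + b\n")
    (root / "README.md").write_text("Sample app, version 1.0\n")
    (root / "build").mkdir(exist_ok=True)
    (root / "build" / "app.bin").write_bytes(b"\x00\x01\x02")


def fingerprint_properties():
    """Fingerprint two copies of the sample tree and report which identity
    properties hold, returned as a dict so they can be checked programmatically."""
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        build_sample_app(a)
        build_sample_app(b)
        baseline = fingerprint_tree(a)
        same_content_elsewhere = fingerprint_tree(b) == baseline

        # Build output is excluded, so regenerating it must not move the fingerprint.
        (Path(b) / "build" / "app.bin").write_bytes(b"\xff" * 16)
        build_ignored = fingerprint_tree(b) == baseline

        # A one-character edit in a source file (same size) must change it.
        (Path(b) / "src" / "util.py").write_text("def add(a, b):\n    return a - b\n")
        edit_detected = fingerprint_tree(b) != baseline

        # Restoring the content restores the fingerprint; renaming the file
        # changes it again, because the path is part of the identity.
        (Path(b) / "src" / "util.py").write_text("def add(a, b):\n    return a + b\n")
        restored = fingerprint_tree(b) == baseline
        (Path(b) / "src" / "util.py").rename(Path(b) / "src" / "helpers.py")
        rename_detected = fingerprint_tree(b) != baseline

    return {
        "fingerprint": baseline,
        "same_content_elsewhere": same_content_elsewhere,
        "build_ignored": build_ignored,
        "edit_detected": edit_detected,
        "restored": restored,
        "rename_detected": rename_detected,
    }


if __name__ == "__main__":
    for key, value in fingerprint_properties().items():
        print(f"{key}: {value}")
```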

Tip 3: Define or describe the software being sold very clearly to avoid any confusion later.

Consider alternatives to an outright sale

A sale may not be appropriate because of its implications. Often a license agreement will meet your customer’s requirements and help you avoid the problematic consequences of a sale, so don’t be afraid to suggest that instead.

Licenses can be customised to suit most requirements and can, for example, be exclusive to the customer. The benefit of that sort of license is that the customer has the comfort of knowing you won’t make that software available to someone else and you retain enough rights to meet your other obligations.

If you go ahead with a sale and your customer insists on source code too, consider placing the source code in escrow with a trusted escrow agent with specified conditions which would trigger the source code’s release. Those conditions may include your business closing, you and your team failing to respond to requests for support for a period of time or some other set of conditions that would address your customer’s concerns.

If you sell your source code along with your app and you require elements of the source code to meet existing obligations to other customers or based on other licenses you agreed to, you may want to make sure you either withhold certain rights for yourself or license what you need back from your customer as part of the deal.

Tip 4: A sale may not be the best deal type and even if it is, this isn’t a one-size-fits-all approach. Customise the deal to suit everyone’s requirements.

Law is code too

Just because your sale agreement is a legal construct doesn’t mean similar rules you apply to your code don’t apply. Work with your lawyer or legal advisor to develop a contract that works properly and doesn’t leave you with bad dependencies and worse consequences.

Look at your contract as an app in its own right. Does the code make sense and does it function effectively given all the constraints and requirements?

Update (2014-06-10): Something else to bear in mind is the new VAT on digital goods sales. Developers who make more than R50 000 will have to register with SARS to pay VAT. It’s a pretty low revenue threshold.

Take a look at this article on MyBroadBand titled “Get ready for VAT on e-books, apps, digital music” for more information about how this affects you.

Reasonably practicable compliance with POPI is not enough

When considering how much you should do to comply with legislation like the Protection of Personal Information Act, you have three choices:

  1. Do as little as possible and see what you can get away with;
  2. Calculate the degree of “reasonably practicable” compliance required and stick with that;
  3. Adopt a more holistic approach to compliance.

Of the three options, the first is clearly a recipe for disaster. The only questions are when disaster will strike and how devastating will it be?

The second option is a popular one. To begin with, it is a practical solution because it takes into account what the law requires of you in order to meet the law’s standard, so you avoid a potentially significant investment in a compliance program that brings no corresponding quantitative benefit. Makes sense, right? In a way, yes, but what it doesn’t take into account is that your primary compliance risk is increasingly not regulators (at least not in South Africa where regulators often lack the capacity to respond very quickly), but rather the people who are directly affected by your decisions.

In other words, complying with laws like the Consumer Protection Act and Protection of Personal Information Act is not a quantitative exercise where you empirically (or as close to empirically as a legal compliance assessment can be) calculate your desired degree of compliance and work to that standard. Instead compliance is qualitative.

John Giles published a terrific post on the Michalsons blog titled “Only do what is reasonably practicable to comply with POPI” in which he explains POPI’s baseline compliance standard which is based on reasonableness and how this translates into what is likely an effective quantitative approach to compliance. It is worth saving the article because it is a handy reference for when you need to understand what the law means by “reasonably practicable”.

I don’t believe that this is enough, though. If anything, the question of what is reasonably practicable should only be part of your assessment of what you should do. The next, and arguably more important, question should be “What should we do to ensure not only compliance with the law but also to earn our customers’ trust?”. No, I’m not suggesting you drink the “rainbows and unicorns” energy drink and spend real money complying with some nebulous standard because your customers will like you more. Well, not entirely. What I am suggesting is that there is another dimension to compliance with legislation that affects people in very personal ways.

When you look at recent privacy controversies involving services like Facebook, Google and SnapChat, one theme that emerges from each of these controversies is not that these companies handled users’ personal information in ways they necessarily concealed from users. Their privacy policies describe what they do with users’ personal information in varying degrees. What really upsets users is that they weren’t expecting these companies to do the things they did, because users tend to develop a set of expectations of their providers which is typically not informed by privacy policies (because few people read them). These expectations are informed by what these companies tell them in marketing campaigns, what other users and the media tell them, what their friends share with them and their experiences with the services themselves.

When a provider steps outside its users’ collective expectations, mobs form and there is chaos in the metaphorical streets. The fact that these companies stuck to their published privacy policies and terms and conditions is largely irrelevant because users are not wholly rational and analytical. They don’t go back to the legal documents, read them quietly and go back to their daily lives when they realise that they mis-read or misunderstood the legal terms and conditions. No, they are outraged because the companies violated the trust users placed in these companies based on users’ expectations.

You may not have the same number of customers as Facebook, Google or SnapChat and your business may be different but if you are considering Protection of Personal Information Act or Consumer Protection Act compliance, you are dealing with the same people: consumers who have expectations and perceptions which you influence but certainly don’t control. If you violate the trust they place in you, the response will be swift and the consequences from a reputational perspective could be severe.

[Photo: Fountain Square in Downtown Cincinnati, Tyler Davidson Fountain, 05/1973]

When you develop your compliance program, assess what is reasonably practicable and set that as your commercial baseline. Then, consider how transparent you can be with your customers about what you intend doing with their personal information.

I remember reading a discussion about partners cheating on each other and at one point in the article the writer said that cheating isn’t just about the act but also the thoughts that precede it. If you have thoughts about another person which you don’t want to share with your partner, that is probably a good indication you are contemplating something you shouldn’t be doing. Apply that to your compliance program and ask yourself whether you are comfortable disclosing to your customers what you intend doing with their personal information. If you are, be transparent about it in your privacy statement/policy and in your communications with your customers.

If you don’t feel comfortable being transparent about how you intend using your customers’ personal information and, instead, intend hiding behind technical legal compliance with the law to justify your data use, you may be setting yourself up for a bitter divorce and a costly battle with your customers. By the time the regulators arrive to assess your compliance, the damage will already have been done and the reasonably practicable thing to do will be to pick up the pieces of your reputation (and possibly your business) and start earning your customers’ trust again.

POPI compliance and your plan to fail


The Protection of Personal Information Act has been in the pipeline for so long I keep expecting someone to develop a drinking game around “POPI” mentions in conferences (every time a speaker says “POPI”, everyone takes a drink). The Bill was passed by Parliament and the President has signed it into law as the Protection of Personal Information Act (No. 4 of 2013). The next step is POPI’s commencement date in a government gazette and the final countdown to its implementation and a compliance deadline. A copy of the Act is at the bottom of this post for your reading pleasure.

Unfortunately many companies may have left their preparation too late, especially the larger companies, and have not yet established a complete set of practices and processes to ensure their compliance with POPI’s many requirements. Although companies will likely have a year before many of POPI’s compliance requirements go into effect, a year is simply not enough time to prepare adequately. Compliance isn’t just a matter of writing a privacy policy and publishing that. In order to comply with POPI, organisations have to ensure that all their underlying processes are aligned with POPI’s requirements. In this sense a privacy policy is really more of a description of a series of data protection practices which have been implemented throughout the organisation. If there is a disconnect between your organisation’s practices and processes and what the privacy policy describes, the consents you are hoping to obtain through the privacy policy will amount to little more than lip service to the legislative framework it serves.

Something else to bear in mind is that a data gold rush before POPI comes into effect may amount to a waste of time, money and effort. Some of my colleagues have advised their clients that POPI will not have retrospective effect so anything done before POPI goes into effect will not be affected by POPI’s more stringent restrictions. They are likely correct about POPI not having retrospective application but POPI’s compliance requirements will almost certainly not be waived just because you collected personal information before POPI’s implementation date. If, for example, you don’t obtain adequate consent for your intended personal information uses before POPI is implemented, I doubt very much that this will be excused once POPI goes into effect and you could find your shiny data treasure trove is tainted, must be discarded and you will have to start again and do the work you should be doing now (if you haven’t done it already).

The bottom line, so to speak, is that if you haven’t prepared for POPI you may not have much time left. As the saying goes, your failure to plan for POPI is, effectively, your planned failure to comply.

That said, here are a couple of next steps on your road to compliance:

  1. Review your processes which touch on personal information collection and processing. The best data protection policies are useless if your underlying processes are not going to comply with POPI’s requirements. Your marketing teams, in particular, need to understand how POPI affects them and must assess their databases, marketing initiatives and other personal information-related activities. Don’t forget to include internal data processing in your review. You will have to apply similar principles to the personal information you process internally so your human resources people need to be involved too.
  2. Align your marketing initiatives with your organisation’s compliance requirements and your underlying processes. Marketing campaigns rely on personal information and they have to be supported by the day to day data processing workflows and, in turn, support essential policy frameworks. Don’t just leave this up to your marketing teams, you need people who understand POPI’s impact and can mediate between Marketing/Communications and Legal/Compliance imperatives.
  3. Take into account industry regulatory frameworks like the WASPA Code of Conduct. It is now backed by a law and could have a fundamental impact on any mobile initiatives you are running. Failure to comply with WASPA’s Code and its Advertising Rules can behead a mobile campaign that relies on mobile short codes, for example.
  4. Develop and implement clear and practical privacy or data protection policy frameworks. These policy frameworks must be supported by the practical realities of how your teams handle personal information every day. A policy framework in a process vacuum is pretty ineffective and a pretty short road to reputational harm and regulatory attention.

Preparing for POPI is not a quick and easy process, and I’m not saying this because it is one of my focus areas: the more you delve into the law, the more you realise what a mammoth undertaking it is. Call me if you could use some help. Alternatively, read the Direct Marketing Legalities Survival Guide I published earlier this week. I explain many of the compliance requirements in POPI and other legislation like the Electronic Communications and Transactions Act and Consumer Protection Act as well as WASPA and ISPA Hall of Shame considerations.

The @Woolworths_SA hummingbird: a parable

One day, not too long ago, a young artist named Euodia was invited to contribute some of her work to a product range a local merchant called Woolworth was putting together[1]. The two met frequently and Euodia was pretty excited about the prospect of her work being added to Woolworth’s inventory, he was well regarded in the area and all the local farmers saved for months to buy his goods.

Euodia shared many of her ideas and artworks with Woolworth including a painting of a hummingbird she was selling in her store. One of the ideas they discussed was a pillow with her hummingbird printed on it. That would surely be a treat!

Sadly, Woolworth decided against continuing with Euodia and he sent her a note a few months later letting her know. She was disappointed and went on her way. A short while later, she happened to come across a store selling Woolworth’s goods and noticed a pillow with a hummingbird on it that looked remarkably like hers. She was shocked! The pillow size looked about the same as the one she discussed with Woolworth and he even seemed to take words about hummingbirds from the legendary Book of Wiki and used it as a background on the pillow and there was no mention of his source at all[2]. Shameful!

She had heard stories about Woolworth doing something like this to other artisans in the land, including a young fellow called Frankie who came up with an idea for some old-style cool drinks which some locals seem to favour. She was horrified to discover that she seemed to be next in line. She felt compelled to share her story and published her sad tale in her newsletter. Soon, it seemed even the birds were twittering about it. Everyone was shocked.

When Woolworth heard the story from a number of little birdies, he was dismayed and published a notice of his own. He said he had been talking to another talented artist in a coastal town some time ago about a similar concept and didn’t steal Euodia’s idea. It was all a bit of a misunderstanding and he had sent many messages to Euodia in an effort to meet with her and sort this whole thing out.

The people weren’t convinced. They heard about poor Frankie and were outraged that Woolworth had stooped to this level. They quickly came together and decided to petition Woolworth to stop taking advantage of local artisans.

A young writer read a story in a local paper and gave this all some thought. He hadn’t worked with Woolworth before but something about the story and what everyone was saying about Woolworth seemed to miss a possible explanation. He decided to investigate whether Woolworth really did pull the wool over everyone’s eyes or whether something else was afoot.

In the meantime, some intrepid journalists discovered that Euodia’s hummingbird may not have been completely original work either. This just fuelled our young writer’s curiosity so he set off for his local thinking spot under a shady tree and conducted a thought experiment.

Certainly, he thought, Woolworth could be the devious and unprincipled trader many accused him of being and if he had stolen Euodia’s idea like he seemed to have taken Frankie’s, he deserved the scorn he was receiving. In addition, given how closely other traders listen to messages carried by birds, Woolworth would almost certainly discover that a black reputation could have dire consequences for his value on local markets.

Perhaps, he thought further, there was another explanation. He had dabbled in laws and had noticed that most talented and persuasive business people like Woolworth tended not to consult with their lawyers. Their business was dynamic, exciting and full of potential and lawyers just seem to suck the light and colour out of the room when they speak. Perhaps Woolworth didn’t consult with his lawyers in their dungeons when he came up with his plan to work with Euodia.

Or, our young thinker thought, Woolworth did speak to his lawyers and they gave him a deed of some sort for Euodia to sign which gave him permission to use her art in some form or another? She didn’t mention anything about that but it has been known to happen[3].

Exploring his first hypothesis a little further, our writer found himself wondering whether Woolworth, mindful of the Frankie story (and other similar stories), shouldn’t have adopted a different approach. Imagine Woolworth approached Euodia to contribute to his new artisan range not merely as a muse or supplier but as a creative partner of sorts. The world is a competitive place and you can’t help but hear stories about young creative people like Euodia outdoing established business people like Woolworth. Certainly, Woolworth’s products seem to bear that out. He certainly seemed to believe that Frankie was on to something great when he styled his drinks after Frankie’s. Similarly, Woolworth seemed to draw considerable inspiration from his discussions with Euodia in producing his hummingbird cushions.

Perhaps the problem here is that Woolworth didn’t challenge the usual relationship between traders like himself and young artisans like Euodia and come up with something that could clearly and transparently have benefitted both of them. What if he approached Euodia to publicly collaborate with him to produce the hummingbird product range using her designs[4] in his aptly named “Artisan” range. She would work with him to create wonderful designs for beautiful products and they would share the credit for the work. Woolworth could use his Artisan range to draw attention to the wonderful local talent Euodia and others represent and perhaps even have them sign their designs. The message he would send would be clear: Woolworth appreciates and supports wonderful, creative and, importantly, local talent and perhaps even goes so far as to create a platform for a select few to represent and uplift their communities.

The lawyers, if they are imaginative enough[5], could construct deeds to support this community upliftment initiative and enable Woolworth to go far further than his competitors in sustainably creating products that bring his customers even more joy. Most people know Woolworth is passionate about supporting schools and communities. Wouldn’t this be a remarkable way to do even more to support them and create opportunities for rich and diverse creativity to fuel it all?

Our writer stood up from his shady spot and ambled back to his small office. He smiled to himself at the thought of a progressive Woolworth. Imagine what he could accomplish. The people would be even more inspired to buy his goods because they would know they would be supporting local, amazing and creative talent.


  1. Disclaimer: This is partly fiction and mostly derived from reports about the so-called #HummingGate controversy which erupted online recently about Woolworths’ dealings with Euodia Roets. It is not based on any actual insights into anyone’s or any company’s methodologies and business practices (because I don’t have any actual insights). This is essentially a “what if?” story.  ↩

  2. As all in the land know, text in the Book of Wiki is available to all under a Creative Commons Attribution-ShareAlike 3.0 Unported license which allows many uses but also imposes attribution and license annotation requirements.  ↩

  3. Well, if this was the case, what Woolworth could do with Euodia’s work would depend very much on the wording of that document and he could have the right to do what he did after all, assuming he did what he stands accused of doing.  ↩

  4. Of course this assumes that the hummingbird in question was, in fact her design, and she didn’t draw direct inspiration from another artist. That would complicate matters considerably and our writer could just imagine groups of lawyers rubbing their grubby hands together in glee at the prospect of that.  ↩

  5. A big if but there are some pretty innovative lawyers out there these days.  ↩

Digital strategists’ glaring blindspot

Strategy in the digital marketing space fascinates me. Some of the smartest people I have had the privilege of meeting work in this dynamic space and have remarkable insights into human behaviour and how that behaviour influences and is influenced by the social Web and great content. What I’ve noticed is that even these strategists have a glaring blindspot – they don’t factor structured legal and compliance risks into their planning and modelling. I imagine there are many reasons for this which likely include strategists’ ignorance of what these risks are and that they may even find the frameworks designed to address them intimidating or downright inscrutable.

The result, unfortunately, is that digital strategists tend to ignore legal and compliance issues in their analysis, leaving their organisations and clients exposed to potential risks they don’t understand and perhaps don’t even realise exist. The law is complex and it becomes more and more complex each year due to new legislation (lately, increasingly poorly drafted legislation), new developments and trends and changing norms which require a lot of skill, experience and focus. We live in a society that is structured using a dizzying array of laws and regulations. Those laws may be unfair, unjust or even applied poorly but law informs the underlying structure of virtually everything you do. You are probably not aware of most of it but it is there nonetheless.

Developing a digital strategy with the goal of improving engagement with a target market, for example, is a tremendous thing and the more skilled the strategist, the more likely the end consumer will see value in a product or service and take advantage of it. Strategists are comfortable continuing like this for as long as disaster doesn’t strike (and, frequently, when it does strike, the response is damage control) but this isn’t a sustainable approach. I wrote about how diabetes is an interesting metaphor for this approach in my post “Is your marketing strategy diabetic” a few months ago and explained my thinking about this. Here is an extract:

So what does this have to do with social marketing? It occurred to me that what most marketers are doing is analogous to what I did for years. I see the big contributor to my diabetes onset as being unrestrained consumption. In a sense, this is what marketers active on the social Web are doing too. They work in a fascinating and engaging space and often do so with little regard to the legal consequences of their campaigns. Marketing online seems to be perceived as being immune to conventional risks and I often read advice from prominent agency “gurus” who speak about how various forms of engagement can address discontent and cure a brand’s problems. I’m too young to remember much of the 70s but when I think about what the hippies of the 60s and 70s must have been like, I look at some of these apparently authoritative marketers and social media strategists because they may as well have flowers in their hair when they talk to their clients.

That said, there are many instances where positive feedback on Facebook or a “Hi Bob, please DM us your email address and we’ll resolve your complaint” direct message on Twitter can defuse a sticky situation but the world is more complex than that and so are the people who have varying expectations of brands. Sentiment in a tweet can ravage a company’s share price and this can literally happen in seconds as many traders increasingly rely on artificial intelligence and automatic sentiment analysis for share trades, let alone human traders reacting to humans coming together under a share #Acmebrandsucks hashtag. Reputational risk is only one of the many risk factors marketers need to be mindful of and they just don’t have the knowledge to anticipate and cater for a growing number of legal and compliance requirements and considerations that apply to their work as much as a traditional offline marketer (if such a beast still exists in large numbers).

Put another way, not taking an active interest in the legal risks and possible consequences of their unrestrained consumption could leave companies and their agencies unnecessarily exposed to liability, monetary losses and reputational harm. This is a case where, like diabetes, prevention can be more effective than the cure but it requires diligence, entrenched processes and educating yourself (or even taking good advice from experts in the space). Taking steps to manage the fallout after an incident may be enough to keep a company standing (and often provides fodder for revealing case studies) but is it enough to say “We’ll just take our medicine if this goes badly, not that it will because we know what we are doing”?

A digital strategy that doesn’t factor legal and compliance risks into the mix is incomplete. In many respects it glosses over a series of risks and constraints which generally pose substantial threats to an organisation and its activities. It may sound like I am exaggerating the threats but consider a failure to implement an adequate privacy policy framework in the context of a campaign which hinges on a company’s ability to use consumers’ personal information in innovative ways. A privacy policy establishes a consent framework that enables this sort of campaign. If you don’t have an effective privacy policy in place, the underlying consents won’t be sufficient and you will have violated consumers’ right to privacy, potentially on a large scale. This exposes the company processing that personal information to penalties under the applicable legislation (POPI has been passed and could be signed at any time), by self-regulating bodies as well as a variety of civil claims. The biggest exposure would probably be reputational harm which could have a more substantial impact on a company’s bottom line than any fine and the effects will be felt in a matter of hours and days.

An effective digital strategy simply has to take these risks into account if it is going to be sustainable. Strategists have to either expand their scope or supplement their efforts with this increasingly specialised knowledge and insight.