Data Security

Marketing in the Time of GDPR

I recently attended Gartner’s Digital Marketing Conference in San Diego. It was a wonderful event full of practical insights and usable frameworks. One of the more interesting parts of the conference for me, however, was the casual conversations among attendees. What was everyone talking about? GDPR.

Despite GDPR being the hottest topic on the Internet (at least on browsers like mine), there’s still a ton of confusion over what it actually means. And how is that possible? Because, like any law or regulation, so much of its impact depends on how it’s enforced.

In light of this, I sat down with Travis Ruff, Amperity’s extremely knowledgeable Chief Information Security Officer, to get his take on the burning questions about GDPR. Only time will tell how this will all play out, but Travis’s recommendations and spot-on insights should help us all get through this with as little damage as possible.


Rebecca: So the most frequent question I heard at the Digital Marketing Conference was: if I don’t have any stores in Europe, I can ignore this whole bad dream, right? Thoughts?

Travis: A number of organizations I have spoken with are trying to take this approach. While I appreciate their desire to scope themselves out of GDPR compliance, this isn’t as straightforward as something like PCI and identifying if you have credit card numbers. With PCI there is a specific check that can be run against any 15- or 16-digit number to at least identify if something could be a credit card number. With GDPR, there is no definitive check that can be run against an individual’s name, address, email, or any other piece of identification to determine if they are an EU citizen. This is important because GDPR applies to all EU citizens, regardless of where they reside, where they visit, and where the organizations they share data with are located. I strongly advise any organization that believes it can distinguish an EU citizen from others to reconsider that position. All personal data should be treated as though it falls within scope of GDPR.


Rebecca: Ok, that all makes sense. But will they really pick on the smaller guys? At the end of the day, it’s about enforcement, right? Which brands do you think will be singled out and made an example of?

Travis: Traditionally the Data Protection Authority (DPA) has gone after the bigger players, specifically large multinational brands. With the influx of data, analytics, marketing, personalization, and targeting services, even small “mom and pop” shops are collecting, processing, and sharing a significant amount of personal data. I think that the DPA will target a broad range of types, sizes, scopes, and locations to ensure that the message of compliance being taken seriously is delivered loud and clear. While the examples covered in media will be the ones with fines in the millions or billions, fines of thousands can and will be catastrophic for small businesses.


Rebecca: Wow, got it. So assuming we do implement GDPR across all our data systems, can you give us any tips on how to make this easier (hint: now we need some good news)?

Travis: There are a couple of compliance issues required by GDPR that will consume large amounts of resources.

First and foremost is the ability of an individual to request a copy of all information held by a controller. Imagine you are a typical eCommerce and brick-and-mortar retailer. You have a web presence, a web store with online ordering, an app with ordering, in-store order management, an email marketing campaign manager, a postal campaign manager, social integrations, and literally dozens or hundreds of other systems. When an individual makes a request you must get the information from all of those systems, quickly and accurately. If you have minimal connectivity between these systems, this is a very manual process. If instead you have aggregated all data into a CDP, this is a straightforward problem to solve, as the answer is provided from a single source.

The other time-consuming activity will be honoring right-to-be-forgotten requests. This is a complex problem to solve. How will you know which systems have data? Should that data be deleted, or is there a valid business case for maintaining it despite being asked for a deletion? Again, centralizing customer data within a CDP allows you to quickly and easily determine all of the systems where the retained data must be deleted or modified, and also identify those systems (such as a billing or invoicing system) where data should be retained.


Rebecca: So to recap, the good news is that a solution exists that makes this whole set of challenges much easier. It’s called a CDP and anyone reading this article already knows where to find a great CDP (hint: Amperity).

Now let’s switch gears a little. My dad always says that a good defense is a good offense (and he plays a mean game of table tennis to prove it). If approaches like third-party data usage are getting riskier, how can brands invest in safer strategies that they can rely on in the longer term? Do you have any recommendations for how to take on an offensive strategy here?

Travis: First and foremost, the important thing is that brands need to get ahead of GDPR compliance. The time to start compliance initiatives is not the first few hours after the Data Protection Authorities have sent notice of an audit. Compliance will be expensive and time-consuming for every brand, but not nearly as time-consuming and expensive as being unprepared for an audit. Ensure you have addressed the contractual and data sharing requirements. Know what your third parties are doing and why. GDPR certainly restricts data use and puts its ownership in the hands of the individual. However, if brands are transparent and can make compelling arguments as to why data sharing and processing is beneficial to the individual, this will only help a company succeed, versus being hurt if they try to hide what is truly occurring.

Rebecca: Alrighty Travis, thanks so much for your time. Now get back to keeping the world’s data safe and secure!

Travis: My pleasure Rebecca, however security is everyone’s job so I’ll need your help along the way. Make sure to reboot your Mac once those latest patches are installed.

Rebecca: Will do, Travis!

Clearly this is a discussion Travis and I will continue to have as GDPR enforcement becomes a reality and our burning questions begin to get answered, for better or for worse. Check back soon for more great content on data security, privacy, consent-based marketing, and more. If you want to ask Travis any questions directly, he can be reached via Twitter @travisruff.
