How GDPR is a Prime Opportunity for Data Professionals
Thanks to everyone who’s participating today in the summit. I’m really excited to be a part of it.
I want to start off by hitting on something that was mentioned in my bio, which is where I started my career a few years back.
I think it’s interesting to think about how things have changed in the last decade and a half.
As mentioned, I started my career at ABCNEWS.com. It was in some ways a simpler time. Y2K was the big scary monster out there. This is the time where when I was a part of the team, we moved from log-based analytics to what today is the de facto standard in digital analytics, a stat-based or cloud-based analytics solution. This is where it’s a giant leap for us as an organization because we were able to understand our users in a whole new way.
And we are able to understand them in the moment, as opposed to a week later, looking back and thinking what worked well, what article worked well, how we programmed what homepage based on certain stories or language. Instead of looking back a week or a few days to analyze what went well or what went wrong, we are able to do this instantaneously. In a matter of a few seconds, we could understand what was working well in the moment and we could adjust and we could experiment.
It’s interesting now that we are 17 years later or so, to think about how much this has become a standard in what we do every day, but also how much, in a lot of ways, we’ve taken this ability to gather information about consumers, some of us have taken this for granted.
I think when we start to look at how the world around us has changed, it’s not around accessing information via web browsers, but really about how I experience the world around me.
From requesting cars…
To anything that I do in my day-to-day life now. The business models that are around us require that they have ongoing access to data. Today I want to talk a bit about how that requirement, that business model today needs new regulations around the world or consumer behavior and requirements that come from our users that makes it important for us as data professionals to take a really hard and fresh look at how we’re handling data and how our organizations are making sure that we maintain access to this vital aspect of the customer experience.
We’re talking a bit about GDPR. I’m going to give you a little bit of background on what GDPR is all about. But I think the high-level approach that we want to be thinking about here is whether or not we think about particular regulations. We want to make sure we’re looking at how our organizations handle data. Are we making sure that throughout the organization we understand what’s going on? We also respect and are acting with purpose when we collect data, handle it, and act upon that data.
Before we dig into one aspect of GDPR, I think it’s important to take a step back and look at the different areas of concern, thoughts, and even regulation that’s impacting how we look at data and how we have access to this lifeblood for a lot of our business models, which is data. Consumers on one side are really demanding protection. Not a day goes by that there’s not some sort of a breach or concern out there that exists from some company who may not even be in your space, but is certainly upping the concern from consumers out there.
At the same time, we have providers in our ecosystem that are wanting to make sure they’re protecting their own users and walled gardens. And then we have governments, which are, quite honestly, taking different approaches here on where you live or where your users are. Most notably, which we’ll talk about today, being GDPR in Europe. But we’re also seeing a lot of state legislations here in the United States as well.
At the same time, businesses are taking it upon themselves to make sure that they are up to speed and putting in their own data governance programs as well to make sure they’re protecting their own mechanisms for collecting data. And making sure that they’re doing so from a secure standpoint that’s honoring privacy, as well as making sure they’re protecting data once it’s collected.
There’s an interesting set of data from Forrester that digs into the consumer side of this. I think, as we talk about regulation and different trends around the world, I think it’s important to always go back to what consumers are expressing. Because at the end of the day, that is what we are trying to make sure that we’re listening to and making sure that we are honoring what consumers really care about. But if we think about what’s going on with consumer concerns right now, this great study that looked at over 33 thousand online adults, comparing their behaviors as well as their feeling on certain topics between 2016 and 2017, shows that there’s an increasing focus here from the average consumer out there.
More consumers know that their online and mobile behavior can be tracked, that’s no surprise to us who are inside of the industry. But knowing that the majority of online consumers know that they’re being tracked, they know that their data could be permanently recorded and accessible to anyone, this is something that jumps out really quite dramatically between 2016 and 2017, from 58 percent to 65 percent.
Then I think the most notable one down below is to say that consumers are saying, “I do not understand who could have access to my data.” That one really sticks out to me, this jump between 45 percent and 52 percent. This lack of understanding about who’s accessing my data I think really underscores a lot of things that are going on in the ecosystems. Not just when we talk about how data is collected for analytics purposes between a consumer and a brand, and that direct relationship right there using a digital analytics solution, but the wider fuzziness that exists when it comes to how data is handled between companies, third-party data brokers, advertising world, etcetera.
I think there’s a real question that exists for a lot of consumers that certainly taints the way that they think about how they want to engage online and how important, and increasingly important, their online privacy is.
I thought I’d back up a little bit, since we’re doing a little bit of a throwback today to Y2K. Let’s even go back a little bit before that. As we talk about GDPR, I think it’s important to think about some of the history that led up to where we are today. In Europe, this started in the 90s. An EU directive on making sure that businesses were protecting personal data privacy and making sure that there were safeguards around how data was allowed to be handled and sent outside of borders.
So, in 2000, we had what was called Safe Harbor established, which was a way for U.S. and European organizations to have a framework for how they could operate with data across the Atlantic. It allowed U.S. businesses to comply with new laws that were popping up in the European Union and in Switzerland, but allowed us to have a framework and a way to self-certify so that organizations here in the U.S. could really operate globally, operate with Europe.
One wrinkle came into that with this gentleman here, an Austrian man by the name of Max Schrems, who really wanted to put that to the test in a lot of ways.
And in 2011 he requested his information from Facebook under an established European law that gave European users the right to access information about themselves. What he received back were compact disks that had over 1,200 pages of information about him that had been collected by Facebook. This was every friend that he had, friend requests, pokes, his sign-ons to Facebook from different computers, even deleted messages.
I think what sparked his further activism in this is his thought around the fact that this is just one guy and his information has been collected for three years on Facebook. Imagine when we take a step back and think about what could be collected over time from political rounds, more intimate conversations, maybe health information, and saw that this was an area that was really growing and growing.
And over the next couple of years, this became more and more of a topic as it related to how data is handled with a lot of the revelations around how data was being shared with government organizations here in the United States.
But that really led to this Safe Harbor, or this self-certification framework that existed between the U.S. and the European Union. It invalidated that. And this led to an upheaval of how organizations across the Atlantic were going to make sure that data was handled. Interestingly, an EU lawyer involved in this was asked around how he might protect his own data from U.S. authorities and he said, “You might just want to consider closing your Facebook account.”
Here we are a couple of years ago with 3.2 billion internet users. The iPhone and Facebook are alive and well. You’ve got over a billion users on Facebook and almost a billion iPhones are sold there. And we really have one gentleman through his activism call into question how we’ve all been trading and sharing and transmitting data across borders. It really shows the power of an individual to step up and say, “Look, how we’re doing things are not in the spirit of the law, are not in the spirit of what users are looking for.”
I think that becomes increasingly important when we think about the pervasiveness of internet connected devices that are existing in our world today and will continue to explode over the years to come.
This long road of several years led to a new regulation, which we’re not going to dig into the individual details today, but there’s a lot of great information about both from what Tealium has shared in webinars and white papers, as well as from ObservePoint. But this led to a new set of regulations being adopted called GDPR. The emphasis of this, when it was adopted last year, and it will go into effect next year, was really safeguarding and protecting personal data and putting first and foremost that companies have to focus on privacy from the get-go. They have to be clear and transparent with how they’re handling data. They have to give rights to the consumer on how they can access information, how they import information, and also how they can amend and erase information.
This really moves the ability for individuals to have more power and more of a say over how their data is actually handled. Some categories of business must adopt a data protection officer, someone who is solely tasked with overseeing how the organization is complying with GDPR and the principles within it. And it encourages organizations to really think about—once they’re collecting information—how they’re anonymizing, how they’re pseudonymizing, and also building in encryption along the way.
What’s interesting here as well is this is privacy regulation that has some teeth, that has significant penalties that exist here, that focus on making sure that organizations are compliant with the spirit of these laws. And making sure that it has a penalty which can reach as great as 20 million euros or four percent of a company’s annual revenue. This equates to significant focus that organizations will be approaching how they think about privacy.
What’s interesting here as well is that the burden of proof lies with the controller or the processor of data to make sure that they are doing what’s right by the law as well as doing what’s right by their consumers as well. This makes it really important for organizations to understand how data is handled inside of their organization and making sure that they know what’s happening every step along the way. That includes how data is handled with third-party vendors.
I’ve just spent a few minutes talking about Europe here. Is this all about Europe? Well, first and foremost, this regulation, GDPR, applies to any business that has European users involved in their business. This could be information that’s being gathered from users, European customers, etcetera. As we are a global economy, pretty much every one of our businesses have European users involved in some way, shape, or form. So, this is not just something that applies to European businesses, but applies to almost all global businesses.
For those of you who may be thinking on the phone right now, “Well, I’m a U.S. organization. I don’t really focus on any users outside of the U.S.” At the same time there are about 11 states right now that are proposing their own privacy bills that are in a lot of ways complicating the regulatory landscape because we don’t have federal legislation in the U.S. that matched GDPR. So, states are taking it upon themselves to introduce their own privacy bills that are, in a lot of ways, taking a page from what GDPR has led the way with.
That leads us to a statement that you might not have expected to be the next slide in this presentation, but this is really an awesome thing for a couple of reasons. One, we’re all also consumers and internet users and these types of frameworks are fantastic at making sure that there is an acknowledgement of the pervasiveness of data collection that exists out there. And the need for there to be more regulation and more focus on how data is handled, so that businesses take this seriously.
At the same time, a lot of us, or most of us today on the phone, are data professionals. And as I mentioned when we started off our conversation today, data is becoming the single most important aspect of customer experience because it really describes our customer relationship. Our business models are dependent on us understanding our consumers because our interactions happen increasingly, or entirely, digitally between our brands and our consumers. So, we need to make sure that we’re understanding what’s happening. Make sure that we’re able to optimize the experience, learn from it, build new experience, and uncover opportunities. All of these things require data.
So as data professionals, this increased focus on regulation, as well as consumers trends, that are making sure that privacy is at the top headline for all of us to be thinking about, this is a great opportunity for us to think about how we make sure that we put data responsibility and privacy as more of a core to what we do, which can help with things like data quality and data governance within an organization.
If we look at what some of us have access to from a technology standpoint—I don’t know if you have an Amazon Echo in your house, I do, and it’s something that I really enjoy. But at the same time, these types of things are certainly making me think about how data is handled, how data is collected, and how data is used within an organization.
If we’re going to have access to amazing Dick Tracy watches and keep elevating customer experiences, further and further…
We need to make sure we are aligning with our customers. Not only is this something that’s great for consumers, great for data professionals, but it’s going to make sure that organizations are thinking about their consumers in a much more thoughtful way when it comes to how data is collected. We’ve all been talking for years and years about being customer-centric, well there’s no better way to be customer-centric than to make sure that if you’re collecting information from an end consumer, that you are making sure that you’re putting in the safeguards and building the framework from the ground, up. To make sure that you’re collecting data responsibly, you’re honoring user preferences along the way, and your organization is thinking thoughtfully about how data is transmitted across the organization and to third-party vendors when necessary.
Let’s talk a little bit about why GDPR, as a framework, is really a blessing. You’ll notice I didn’t say blessing in disguise, I’m going right out here and saying this is a blessing. Because one of the things that GDPR does is it gives a framework to businesses that they can strive for and they can focus on. So, whether or not you think GDPR applies to you, this is a fantastic framework that starts with concepts like privacy by design. Meaning that I need to, as I build my product, my digital experiences, etcetera, I need to do so starting from a place of privacy because that is the foundation that I build my experiences on.
If I think about that, that is absolutely customer-centric and is aligning to what my customers want. And it’s going to make sure that no matter what regulations or shifts that may happen in consumer behavior over time, this is going to follow that best intent for what customers want. If I think about privacy from the get-go as I start to design experiences, I’m going to be in a great place, whether or not I think GDPR applies to my business.
But also for data professionals, GDPR allows me to have cross-team alignment around data. If we think a lot of the time, organizations are siloing data in one part of the house or another, this becomes a major headache for data professionals that really want to make sure that they’re getting a single view of the customer, there’s data that’s being collected for a reason, and it’s being enriched and transformed across the organization to better describe a user. Without working across teams or cross-departmentally, you’re not really able to understand how data flows, so one of the requirements of GDPR and a lot of this legislation is requiring that organizations understand what data is collected, how that data is transmitted across the organization.
This gives the data professional a key opportunity to work hand-in-hand with the legal and compliance team to build in that foundation for understanding an inventory of data, understanding a map of how that data is handled, where that data is transmitted to. This solves a lot of compliance and legal needs, as well as making sure that the data professionals are also aware and in the driver seat when it comes to how data is handled and therefore giving them access to that entirety of the organization’s data as opposed to siloed information that doesn’t really help anyone.
The fascinating things that this will do as well is, as you saw, there are financial penalties, which should frighten an executive in an organization. This gives data professionals the ability to find and encourage executive involvement and sponsorship. If I want to make sure that data quality and responsible data handling and this ability is the core to how my company is going to approach GDPR, I’m going to need an executive generally to help bridge some of the siloes. I have one part of the organization that may be keen to work together, but maybe I don’t have another.
Going up in the organization, and having a reason to go up in the organization, around pending regulation and penalties and scary things like that can really light a fire to encourage executives, that might not otherwise see this as a priority, really get involved. Therefore, I can take the first point and marry it with this one to say there’s a common goal in great data quality and cohesive understanding of data as it relates to an individual. There’s an alignment between that from an insights standpoint, as well as from a privacy and data protection standpoint.
This also—I mentioned before we got into this slide—the concept of privacy by design, but also having purpose behind data collection. GDPR and regulations that are similar to it, require that you are collecting data for a purpose. There’s a reason that you have done all this work to collect information. You’re not just collecting just to collect. Because of the liability that exists there. This allows the organization to take a moment to think back about what data has been collected to date and what data is really important to collect on an ongoing basis.
Often times we can see that data might be collected throughout our organization for different purposes, maybe campaign purposes or marketing purposes, that may no longer be necessary. So, this allows a data professional to be in the driver’s seat to make sure that data is collected with purposes, but also making sure that data is collected and visibly understood for that purpose. So, if it is a short-term campaign need or a particular marketing program that may just last 90 days, being able to tie a particular data strategy to what the purpose of this particular campaign or marketing program is, allows the organization to understand when they can turn data collection off or stop running reports.
For many of us who have been in the analytics field for a while know that sometimes we have reports that just run and data that’s collected and no one knows why. This is a great time to take inventory of that and stop collecting and stop reporting on things that don’t have executive sponsorship and don’t have a purpose behind them.
Finally, in a lot of ways, if you think about these other areas coming together, this actually underscores the need for data quality to become key throughout the organization. Otherwise, I can find many people inside of an organization that may care about the quality of data as it relates to them, but if I think about a more holistic way to make sure that the data we collect has purpose, has ownership, isn’t duplicated across the organization. This really makes data quality—which is beneficial to us from the analytics and insights world—it becomes something that other parts of the organization have a vested interest in ensuring. Because now I’ve increased the visibility of data collection and data handling, I can make sure that my organization is hopefully collecting and approaching data collection with purpose.
Then my favorite one is it allows us as data professionals to ask the very important question of why, more often. Often times, I think we are told to do things or an executive needs access to something, or we need to collect this, or we have this vendor’s tool up and running—GDPR is a great arrow in our quiver to make sure that we’re reminding our stakeholders and other parts of the organization to think about why we’re doing something and how it relates to the greater good and how it correlates to the individual customer.
To start today, what do we want to do and takeaway as some next steps? Hopefully many of you have started your GDPR compliance and have a roadmap in place for the next six months. For those of you that haven’t or those of you who are looking for other ways to instill a cross-team collaboration and support around making sure that there’s a single approach to collecting data, handling data, and acting on data.
Some of the first things that we can do is focus on building alliances between our business team and our technology team. We have some common goals here when it comes to understanding what vendors are in use from the business side. Aligning how data is being collected with the contracts that I have in place, allowing me to take a really close partnership with the legal team, and making sure that we’re aligning how data collection and how our contracts and how our legal requirements all relate to one another.
And allowing our technology teams to be a part of this process when it comes to auditing vendor technology, how data is collected, making sure that we understand our vendor policies that exist, and making sure that we have a mechanism in place to remove vendors and data collection mechanisms that are either not compliant with our organization’s needs or requirements or are maybe not useful anymore. As I mentioned, a lot of the data collection that we do sometimes in the organization are time-based and they might have expired or they might no longer be as useful. This leads us to making sure that we understand at an organizational level how data flows.
This is something that I think requires the most amount of time when it comes to documenting inside of an organization for those that may not have done this before. There is that partnership that exists between the business legal and the technology teams to document and build an understanding of the data flow as it relates to the entire customer journey. And making sure that it’s clear where documentation is stored and how the compliance checkpoint with both our internal and external policies and requirements, how those are checked along the way, and how we make sure that our vendor partners are a part of this as well.
Finally, this allows us to more formally establish a working relationship across the organization. As I mentioned, GDPR and related regulations give an ability for executives to play a much more proactive role in making sure that their teams are working together. But it also allows a common ground to be established, maybe between the needs of the marketing and customer experience teams with some of the other parts of the organization, such as the data professionals and the technology and legal teams. Make sure that there is clarification on the expectation and inputs and outputs that are required of all those teams. And it establishes a communication framework that allows teams to share best practices, share information on how data is being collected and handled, and make sure that you can learn internally from what does work well and what’s already at your disposal from an organizational standpoint.
With that, I encourage you to both explore more about GDPR as it relates to the overarching framework as well as how it relates to your business. And I encourage you to learn and think about these same topics as you enjoy the rest of today’s summit.