I’m really excited to be here today. All the sessions that have been shared so far have been fantastic. I’m very appreciative to be a part of the event. Hopefully everyone’s having a great day and learning a lot.
I’m going to talk a little bit about balancing customer experience with data governance and give you five tangible things that you can start with. But before we talk about that, I want to talk a little bit about how we got here.
In particular, I want to talk a little bit about the changing landscape from an industry perspective, and then we’ll get into the legal implications.
To kick things off, I want to get some concepts around marketing out of the way. Traditionally, marketing has been very focused on putting content in front of people that are looking at similar content. Magazines have content that’s relative to the magazine itself. You’re going to put in a razor blade ad into “Sports Illustrated,” for example. You’re going to put in Palmolive dish soap in “Good Housekeeping.” But, the digital space has completely broken that model because now we can focus person or the people and we target those individuals with content that’s relevant to them. That’s really created an arms race that’s focused on building more and more niche solutions to take advantage of this new landscape and take advantage of the data that it’s generating.
According to Tealium, we did a study with Econsultancy and we found that within our user base, every company that is running Tealium has about 20 or more vendors installed. In fact, I’ve seen a couple that have about 50 to 60 different vendors. Out of the 3,800 that are actually available today in the market, you can imagine that all of these vendors have competing needs and requirements. But, they’re a good thing, right? They bring in what we call the vendor mix.
The vendor mix is essentially a concept within the organization to have vendors that focus on providing specific areas of expertise in your data stack or areas of content and expectations for you customers. Technology is a competitive advantage and these quick solutions are a reality. But unfortunately, the change of cost is lower than it’s ever been. And that means more and more are getting installed and there’s more and more change in terms of adding and removing these vendors which create a lot of concerns around privacy and experience.
Sometimes it feels like you’re just out there on a lost boat in the water. It’s not really easy to understand what vendors you have, and what they’re being used for, but solutions like Tealium and a few other products in the market today, they can help you to get a handle on this, but it doesn’t necessarily mean you have a handle on the data governance.
Data really is an organization’s greatest competitive advantage. It requires some thoughtful and meticulous planning and strategy around it. So far, all we’ve been talking about is experience, building experience for customers, building experiences so that we can sell our end products or provide the marketing message that we want.
But we really have to consider privacy. Privacy because it’s not only an ethical matter, but more importantly, it’s a customer trust problem.
When you’re customer come to your brand, they have expectations that you’re going to treat them within the correct means. While you got these 20 vendors and you’re installing tags or you’re sending data files, or what-have-you, to these different vendors. It might seem obvious to you what you’re using those solutions for. It’s likely not obvious to your customers, and moreover, it’s typically even difficult to predict internally, what’s happening with that customer’s data.
That’s a big problem because it has implications that are far reaching…
Such as: where is this data going? Who has access to this data? Where is it being stored? And sometimes, it becomes risky because where it’s collected and where it’s stored needs to match. When we talk about experience, we understand why there’s an arms race. We understand a need to add these layers. But we have to consider privacy and we have to consider this privacy, not in the terms of the legal and the regulations, but also in customer trust.
So let’s dive in a little bit and talk about where we are with some of these major legal components, and then we’ll talk about five steps we can take to start getting a handle on this today. The first one I want to talk about is Privacy Shield.
I’m not going to go through this in detail, but I do want to have everyone understand exactly what Privacy Shield represents. In particular, it is a self-certification or self-compliance process that enables companies to move data from the US to EU and vice versa. The big one is to move EU to the United States. You can certainly work with your legal team to understand it. It is a replacement for Safe Harbor, but it has some new provisions and it’s quite a bit more robust than Safe Harbor was. The few that you can see here today are the most important: notice, choice, accountability, security, integrity, and access. What this focuses on in ensuring that any data that is moved from the US to the EU and from the EU to the US, follows into these six buckets.
The GDPR does apply to you. We’re here sitting in San Diego today, having this presentation. But even now, the GDPR will apply to Tealium, it will apply to your business and May of 2018 is the running date. And it’s focused on personal data protection for any EU citizens. If the EU citizen or what they call the data subject is monitored, then it applies. It does not matter where the controller is, or the processor. The controller being specifically the brand, and the processor being the vendor. We’re going to talk about two or three very important components of GDPR in a minute, but I just want everyone to understand that infringements, both minor and major, have significant impact. Major infringement, something like not obtaining explicit opt-in of a user, a citizen in the EU, even if you’re sitting here in the United States, could mean 20 million Euros or 4 percent of annual take. The EU has made it very clear that they will be enforcing and pushing this regulation.
A couple key components of the GDPR—and by no means is this a comprehensive list—the first being explicit consent and transparency. As core, the EU wants its citizens to be informed, and have choice. They want to be informed on what’s being collected, what it’s being used for, and have transparency on where it’s going, and they want their citizens to be able to opt-out—what they call the data subject—the right to be forgotten from those sources. This means that we will be seeing a space in the next 18 months to 2 years where as a reason for over-regulation—probably the wrong word for it—we’re going to have more and more explicit options.
The right to be forgotten. There’s several rights of the data subject, but I wanted to talk a little bit about this one just because it’s probably one of the more challenging to execute technically. What it essentially enables is: at any point in time, an EU citizen can choose to have their personal data erased without undue delay. Typically 24 hours. They also have the right of opting-out of automated decision making. We all use lead tools or biz-management tools for display targeting, they can opt-out of those as well. Not only do you have to be clear and transparent and provide explicit consent to your subjects; give them the function ability to be forgotten. And the proof of burden of all of this will lay on you, as the data controller.
That’s a lot about the EU. Hopefully you recognize that this does apply to you even if you’re a US company. But here in the US, the time is changing as well. Most recently, there was an FTC panel that discussed probabilistic matching, deterministic matching, they also discussed personally identifiable information. Essentially, the director came out and said that any persistent identifier which includes: device IDs, cookie IDs, IP addresses, meet the test of a PII component. The reason that that’s really interesting is—it’s not necessarily a regulation, and here in the United States we don’t have an official PII legal precedence in terms of whether or not this data is sensitive and has to be treated as such, it’s kind of done on a company-to-company basis—but the legal landscape in the US is starting to take note. They’re taking note of what’s happening in the EU, and most recently with the lawsuit that was brought against Verizon, there’s starting to be some legal ramifications for not having proper data governance and data privacy in place around these customers.
Again, we all understand why we do this. We have a variety of tools to provide really good experiences so that we can target users and have a personal message with them. We have to really consider them in terms of their trust with us. And of course now the legal landscape is going to force these issues further where they’re going to have regulation processes and, what’s worse, repercussions to not providing this.
Not all is lost. There’s some pretty straight-forward things you can do today to get started and we’re going to talk about those.
The first thing we’re going to talk about is getting ready and talking about due diligence, to understand what exactly is happening with your data, and who has access to it. We’re going to do that by building up a data inventory, so we’re actually going to understand the data types we have and whether or not they’re required. We’re going to build controls around both the process, and the data sets, so that we can do internal auditing as well as notification out—that’s that transparency component. We’re going to have a team. A team that’s going to enable the business to move forward within those constraints. And of course, once those are complete, we’re going to build a repository of documentation to ensure we have clear and accurate notice.
So let’s talk about each of these and the first I like to talk about is to know your vendors. If you’ve done your due diligence, you should know you vendors. This has to be done by both our business, as well as our technology groups within an organization. This is not something that is strictly done by marketing or strictly done by IT, it has to be done together. Business teams have to identifying the vendors that they’re using, validate whom has access to those, and of course, help to review the current contract to make sure that the vendors themselves are in compliance. The technology team needs to do the audits and inform the business on what they need to look for. They have to review the vendor’s policies as they’re provided and, of course, if there’s vendors that are unused or non-compliant, they need to get them out of the data flow.
Let’s talk about that data flow. Great representation here where if you understand and you talk to your vendors, what they’re doing with your data each step of the way, you can clearly answer and understand the due diligence aspect of this first step. Understand what it is that they’re collecting. What it is they have access to at that point of collections. How is the data transmitted? Is it secure or is it unsecure [sic]? Is it done in files? Is it done in real-time? Where is it processed? How is it processed? Is there an automated process? Can the user be opted-out of that process? And of course, where is it stored? Do we store this in the region of the user? Do we store it in the US? Finally, from an execution and visualization perspective, who has access and what is it used for—because of course, part of that transparency—and notice, we have to tell a user what we need the data for. Let’s talk about the data and build an inventory of this. Again, business and tech have to work together.
The business team should work to agree on data sensitivity levels. They should understand, based on the experience they want to provide, what type of data they need to have access to. And they should also understand, once they’ve done this, how to break up the difference between a marketing dataset and an operational dataset. Just because the marketing team wants to target users, doesn’t mean that we need to have the marketing team having access to the user’s full profile history. The business also needs to document for the technology team the data that it needs to run its business. In today’s modern world, we’re doing more and more email based targeting. Targeting on email addresses within display, as an example, with customer match and Facebook custom audiences.
If the business is properly documenting that need and clearly communicating to the technology team what it is they needs email for—something that would typically be considered PII—then you have a communication path between the two around this data inventory. And the technology team, of course, need to document where all of this data is stored, what it is, who has access to it. And they need to ensure, through again, auditing, that both the business as well as the vendors are within compliance of those policies that they’ve created together, and/or any legal requirements. And of course, if they’re working this close, hand-in-hand with the business team, they can check the actual integration themselves to make sure only the right data is sent to the right vendor. One thing that I always like to talk about when I talk about data inventory is what types of data we have. There’s different levels of data in terms of: is it private? Is it sensitive? Is it not?
I like to think about it in terms of just simple: first, second, and third. Is it first-party data collected and owned directly by the company? Is it second-party data that is controlled, but it’s shared? And of course, is it third-party data which we don’t actually own, we may license the data, it’s aggregated by a third-party and it’s sold or packaged out for me. Understanding the data types that we’re looking at, will quickly help in the communication with the IT team as well as the policies in terms of where this data is coming from and where’s it’s going to.
So we’ve done our due diligence. We know who we have installed. We know where they’re installed. We know what data we have and what we’re sending. We need to build some processes and procedures around this. The business team should verify once these policies are in place with these current vendors, what it is that they’ve done. Make sure they’re in compliance. Of course, they need to create data governance within their own teams to make sure the policies are followed and update both the internal and external communications to their partners of their policies. This technology team needs to help configure the access. That should be a policy that is in place for most business. They should create guidelines and tests for new vendors. And of course once again, IT is stuck with the auditing—as being the technology group and the team that has the closest sense of how these technologies work—and it’s a great place for them to actually test this compliance. None of it matters unless you’ve done training. The company needs to be trained on policies, it needs to be tested on policies, and you need to ensure that the employees are following these policies.
When building a policy, and when considering what type of data a vendor should have access to, I like to think about the WIIFM. Typically what it means is: what’s in it for me? But you can think of it as: what’s in it for the business? What’s the service? What is the vendor’s participation in your marketing program? What are the features that your organization are actually using? Some of us buy software and tend to use 20 percent of the software out there. So what are the features you’re using? Consider what data is critical for that service. If we know where it fits in the stats, we know exactly what features we’re using, what data it needs to actually execute. Again, do they need to have third-party trackers or other third-party data points, either from collections or from installation, to provide that service. Ultimately, what’s in it for the customer? If your customer asked you why you were using that vendor, how would you respond? How would you do it in a way that you could explain value to the customer? If you can’t, that should be a red-flag.
Step number four. Now we have to provide clear notification. We have to make sure we work across the organization to make these decision. If the business team is communicating to technology on what they need to drive experiences, legal ramifications of noncompliance for the business, and of course any expectations that the business has of the tech team. The tech has to communicate back to the business on best practices because they’re close to these technical challenges, and they need to talk about being the protector of data from the bad players—that might be internal, might be external, might be the partners themselves. And ultimately, they need to enable the business. We need to work together on this. So how do we do that?
We suggest to build a collection directive. Essentially, a data panel that consists of IT helping to understand what level of control around the data is necessary. The legal team understanding what accessibility the organization has for specific data types within legal ramifications. And marketing or the business side explaining impact. This panel can come up with data grouping. Everything from something that needs high control with low impact and no one needs accessibility to it. We’ll treat that as an untrusted vendor, a non-critical vendor, the data should be scrubbed or batched so that we can make sure that we don’t send data that we shouldn’t in real-time. Lifting up to highest access, which would be trusted vendors, client-side access, with tags or SDKs, and of course, the data is real-time and there’s no limitation on the data that can be collected by the vendor.
Building this model—and this is just one of many that you can develop—will help the business, tech, and of course legal, which have a stake in this, discuss the reasonable risk area, or tier, for the business to implement a specific vendor and/or to enable a specific dataset to build strategy around.
So we know what we’ve got. We’ve built our inventory. We’ve developed our processes. We have an organization that is willing to work together to provide both compliance and experience. Now we need have to communicate. The business teams have to update their policies, their external policies like their privacy policies. They need to provide policies for opt-out, to be forgotten. And they have to communicate as they develop and evolve with the technology on that usage. The technology team, on the flip-side, has to provide and enable the business with those opt-ins and opt-outs, ensure and track and audit that the right to be forgotten and other general data deletions directives are withheld. And of course, communicate back to the business and the vendors of compliance, the lack thereof, or changes. The technology team shouldn’t just be telling everyone to turn off, they should be saying, “This could be better if done X, Y, and Z.” We talked about the GDPR ensure opt-in; it’s a great way to have clear and transparent consent and notice. If you get that done, you’ll be a lot further ahead of the curve.
If you can, something that Tealium provides, visibility into the usage, either at a category or vendor level and even if available, enable your customers to opt-in and out of these categories, instead of them just saying, “I’m just going to turn of everything. I don’t want to be tracked for advertising. But maybe I’m ok with web analytics.” This will enable you to keep more customers engaged, but still meet any regulatory environment out there.
It really is everybody’s responsibility within the organization. This is not something that can be in a silo, it can’t just be the IT team, it can’t just be the business team, it can’t just be the legal team. The business has to drive IT and IT has to enable the business. This has to be a partnership, and has to be an evolving one, and an open dialogue within the organization. In doing so, you’ll provide great experiences, but also make sure you have proper data governance.
Thanks so much for joining me today, I hope you stick around. There’s some great panels coming later on in the afternoon. And of course, reach out to Tealium if you have any questions or would like to learn more. Thank you.