What Are the GDPR Most Wanted?
GDPR’s May 25 deadline has come and gone. And guess what? The world is still turning, businesses still operating, and digital operations haven’t collapsed into utter oblivion.
You’re sick of talking about GDPR. We get it. But the conversation isn’t over yet. Forthcoming legal action will reveal the implications of this regulation, and it’s better to apply an ounce of prevention and avoid paying the price.
So what are the most pressing needs?
This post addresses the GDPR Most Wanted, which are the most pressing organizational and technical issues that data-dependent professionals (marketers, analysts and the data roles that support them) have to address to meet the standard of compliance.
While security and privacy professionals should head the internal GDPR endeavor, marketers and analysts play an important role in this initiative, as they are:
- The most active users of data
- The most closely connected to the customer whose data is at stake
- The most likely to cause an infraction of GDPR and incur a massive fine
Amidst the sea of legalese and scare tactics, here is a collection of what we feel could be the most impactful principles, practices and mindsets to make sure you stay on good terms with GDPR regulators and, more importantly, with the customers who expect you to protect their data.
And now, the GDPR Most Wanted:
- Collection and Use of Personal Data
- Fulfilling the Rights to Access, Erasure and Data Portability
- Transmission of Data to Other Countries or International Organizations
Collection and Use of Personal Data
The cornerstone principle of GDPR is the protection of your personal data. According to GDPR, personal data is:
- Any information relating to an identified or identifiable natural person (“data subject”)
- An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; (Chapter 1 Article 4.1)
The regulation hopes to protect consumers on all levels of identity. Protect from what? Unauthorized or insecure use of personal consumer data.
This principle applies to both first- and third-party data—you are responsible for compliance both in-house and amongst your vendors.
“The controller [your company] shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject” (Chapter 4 Article 28.1).
There is a healthy list of requirements of these “technical and organizational” measures, which you can view in the regulation (Chapter 4).
There are a few different provisions within GDPR that allow you to use personal data, but the safest one is explicit consent. Explicit consent is safest not just because you can avoid getting the book thrown at you, but also because you will be applying good principles of transparency, earning brownie points with your customers.
What does use of personal data include? Of greatest concern to marketers and analysts are the following:
- Combining data to build data profiles
- Marketing to natural persons using data without consent
Combining Data to Build Data Profiles
Data points combined in such a way as to identify a natural person (such as an email address combined with an IMEI code) are considered personal data. Generating and using this personal data without consent is illegal.
Marketing to Natural Persons Using Data without Consent
Access to data does not signify consent or the right to use that data. No matter how ingenious you think you are, you can’t market with data just because you have access to it, unless you meet the requirements under GDPR. As stated before, there are several provisions for consumer data use, but explicit consent can remove ambiguity altogether.
The above requirements present a few different challenges, including a breakdown of core analytical and marketing processes, as well as a requirement to ensure vendor compliance for a hefty technology stack. We’ll talk about each.
Breakdown of Core Analytical Processes and Marketing Techniques
Under GDPR, companies will not be able to use data, aggregations, segments, insights or processes that generate the possibility of identifying or targeting an individual without consent (or some other provision under GDPR). Many companies will have to re-architect how they gather, store, transmit, process and analyze consumer data.
Internally, within your organization, you likely employ many third-party technologies in your marketing stack, including analytics, advertising, A/B testing, social tracking and other technologies. Verifying that each and every one of your vendors complies with GDPR is going to be one of the greatest obstacles towards achieving full-blown compliance.
The following steps will help you with the challenges of collecting and using personal data, as well as with addressing the remaining GDPR Most Wanted.
1. Define what your data organization uses to conduct business
Look at each process at each phase of the company and ask, “What data do we need to make this process work?”
This will be one of the most time-consuming tasks of GDPR preparation, and one of the most necessary. Below is an example of how you could document your data requirements:
As you look over each data requirement, ask yourself:
Do we need this?
Has the consumer given us consent to do with this data what we’re doing with it?
2. Identify what data is currently being collected and used on your site or app
Your team will likely perform this step in tandem with step one. You will need to perform a comprehensive audit of your website or app to identify each piece of data your company is collecting (both first- and third-party data).
The documentation of this audit will look similar to the documentation in step one. Once you have completed each step, compare the two documents to identify what you actually need versus what you are collecting.
ObservePoint can help in this step by scanning your site and returning a list of all technology deployed on your site.
3. Identify whether or not the appropriate data safeguards are in place
Pretty much all data collection is affected by GDPR, including:
b. Any raw data, including navigation history, likes, etc.
c. Any aggregated data that include an ID (IP address, IMEI code, email, face recognition, etc.)
d. Any insight generated by algorithms applied to raw data
What you’re interested in knowing is whether or not the appropriate safeguards have been put into place to ensure each piece of data meets the regulation’s standards. Below are some substeps to consider.
3a. Verify there are no custom variables in your analytics tool collecting personally identifiable information (PII)
No data in your analytics tool should be personally identifiable. Beyond going against the terms of service of most analytics tools, GDPR strictly prohibits gathering PII without consent.
3b. Verify all unauthenticated data is 100% anonymous
Unauthenticated data refers to any data the user did not actively provide via a form or other means. Make sure you don’t have any rogue technology circumventing consent mechanisms by skimming data from other vendors’ cookies or by other means.
3c. Verify transparency and consent for enriching data from a third-party
Some companies enrich their authenticated data with data from a third-party. If you’re one of these companies, you need to make sure consumers are aware of this process and have given consent.
3d. Determine which data could be used to identify a natural person when combined
The general principle here is that you cannot use data you have collected to turn around and generate data you do not have consent to use.
This means you have to be very careful about how you’re combining data sets, for any reason. Here are some examples:
i. You cannot aggregate email addresses with IP address, IMEI code or social security number, for that matter
ii. You cannot aggregate any address or ID code with another one (e.g., IP, SSN, IMEI)
iii. You cannot segment or transform data into further insight with algorithm processing
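A sketch of the checks in 3a and 3d, added here as an example and not ObservePoint's or any analytics vendor's code: it parses captured tag requests, flags query parameters whose values look like an email address, IP address, IMEI or SSN, and marks hits that carry two or more identifier kinds together. The host `analytics.example`, the parameter names and the sample hits are constructed, and the patterns are heuristics, so every match needs manual review.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Heuristic detectors for the identifier kinds the article names.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")
IMEI_RE = re.compile(r"(?<!\d)\d{15}(?!\d)")

# Constructed sample hits (hypothetical host and parameter names).
SAMPLE_HITS = [
    "https://analytics.example/collect?v=1&page=%2Fpricing&vid=123456789012345",
    "https://analytics.example/collect?v=1&cv1=jane.doe%40example.com&page=%2Fthanks",
    "https://analytics.example/collect?v=1&cv1=jane.doe%40example.com"
    "&cv2=490154203237518&uip=203.0.113.7",
]


def luhn_ok(digits: str) -> bool:
    """IMEIs end in a Luhn check digit; this rejects most random 15-digit IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def identifier_kinds(value: str) -> set:
    """Return the identifier kinds a single parameter value appears to contain."""
    kinds = set()
    if EMAIL_RE.search(value):
        kinds.add("email")
    for m in IPV4_RE.finditer(value):
        if all(int(octet) <= 255 for octet in m.group().split(".")):
            kinds.add("ip")
    if SSN_RE.search(value):
        kinds.add("ssn")
    if any(luhn_ok(m.group()) for m in IMEI_RE.finditer(value)):
        kinds.add("imei")
    return kinds


def audit_hit(url: str) -> dict:
    """Audit one tag request: per-parameter findings (3a) and combinations (3d)."""
    findings = {}
    # parse_qsl URL-decodes values, so %40 in an encoded email becomes "@".
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        kinds = identifier_kinds(value)
        if kinds:
            findings[name] = sorted(kinds)
    all_kinds = sorted({k for ks in findings.values() for k in ks})
    # Two or more identifier kinds in one hit can be joined into a profile.
    return {"params": findings, "kinds": all_kinds, "combined": len(all_kinds) >= 2}


if __name__ == "__main__":
    for hit in SAMPLE_HITS:
        print(audit_hit(hit))
```

Feed it the request URLs exported from a browser HAR file or a proxy log; POST bodies and hashed identifiers are outside what this sketch inspects.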
3e. Look for vendors who are GDPR compliant
Be picky about your third-party tech. Your third-party technologies will be the #1 thing you’ll be zinged on.
Some vendors are already putting out statements of GDPR compliance, including what they have already done and what they’re planning to do to meet the requirements. Here are a couple statements from Adobe and Google:
3f. Maintain compliance on your implementation
GDPR compliance is a sprint, followed by a marathon. You will need to continually verify that your vendors are only collecting the data (and combinations of data) consumers have consented to give.
Automated solutions like ObservePoint can help continuously audit your site to verify which technologies are present on your pages and what data you’re collecting.
Fulfilling the Rights to Access, Erasure and Data Portability
The rights to access, erasure and data portability are each defined as follows:
Access
“The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data,” along with a list of specific details you will be required to offer (Chapter 3 Article 15.1).
Erasure (Right to Be Forgotten)
“The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay,” followed by a list of conditions under which this right must be fulfilled (Chapter 3 Article 17.1).
Data Portability
“The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided,” followed by a list of conditions under which this right must be fulfilled (Chapter 3 Article 20.1).
These rights are all linked together by a common requirement: the data controller needs to know every instance where the company stores and processes consumer data.
The greatest challenge? Knowing where all the data is.
Data democratization has been the mantra of data-driven companies over the last few years, and now GDPR comes along and requires you to know where every single piece of data goes, how you process the data and how you use it.
If you don’t know everywhere your company uses data, you have no way of sharing, erasing or relocating all data points relating to the customer. Companies will be hard-pressed to fulfill each of these rights.
What are some ways to keep data and technology available to your employees, while still meeting the requirements for compliance? Here are some thoughts:
1. Get rid of unnecessary data
You’re likely collecting a lot of data you don’t actually need, known as data debris. According to Heidi Maher, Data Privacy Officer at IBM, “estimates put the amount of digital debris at 65% of enterprise data.” For every data point you can eliminate while still making business run smoothly, there is less data you have to worry about taking care of for each customer.
Institute a periodic data debris cleanup. Remember, GDPR compliance is a sprint, followed by a marathon. If you can continuously scan all your data points and verify which data is required and which is not, you can get rid of the clutter and keep only what you really need.
2. Get rid of unnecessary vendors
The more vendors you use, the more places you send data—which means more places to access, delete or move data, if at any point the consumer exercises her rights of access, erasure or portability. Below are some substeps to help you deal with too many vendors:
2a. Consolidate vendors where possible
Go through a complete list of vendors and identify what data points you collect and where. If you’re collecting duplicate data across vendors for redundant functions, then you might consider choosing one vendor and nixing the other.
2b. Institute a rigorous vendor onboarding process
Identify and use only GDPR-compliant vendors, and institute a rigorous onboarding process for each new vendor. Your onboarding process might include asking the following questions:
1. What data of EU data subjects do we intend to collect/process with this vendor?
2. Could one of our current vendors fulfill this requirement?
3. Is this vendor compliant with GDPR?
Side note: Having too many vendors can also put you at risk of data breaches (another branch of GDPR compliance not directly addressed in this piece). Anna Mazzone, Managing Director at Aravo Solutions, recently said: “Third parties are often the weakest link in a company’s data security, and are implicated in about 63% of all data breaches.”
3. Implement all vendors using tag management
Migrating all your vendors to a tag management system (TMS) is a hefty endeavor, but well worth the effort. By requiring data stakeholders to deploy all tags using a TMS, companies can have a stronger grip on what vendors employees use and how they collect and store data.
Marketers and analysts would have to work with developers to implement a TMS, so there would need to be some cross-team collaboration. You would also need to appropriately govern your tags to ensure no one has installed any unauthorized technology.
4. Be wary of offline data
Data is not restricted to online formats. Oftentimes marketers and analysts will download data as a spreadsheet for further analysis. The question is, will such instances of data fall under the rights of access, erasure and portability?
That’s a hard question to answer, and we can’t really say one way or another with any level of certainty. However, this issue is one you will want to be aware of, and may want to include in your periodic data debris cleanup.
For example, marketers and analysts may need to periodically purge their offline data sets and replace them with updated versions. The same would be necessary for instances where offline data goes back online, such as with data visualization tools like Tableau or Domo.
Transmission of Data to Other Countries or International Organizations
As many GDPR pundits have already clarified, GDPR applies not only to EU companies, but to anyone collecting data from individuals within EU member states.
On top of that, the regulation states that all countries, territories or organizations receiving data coming from within EU borders must have adequate data protection regulation in place, either based on an adequacy decision or by complying with GDPR’s other requirements (Chapter 5). Otherwise, the data transfer cannot occur.
Now why should international data transfer be a concern for marketers and analysts? Because marketers and analysts are the business roles that interact most with consumer data. Having them actively participate in the compliance conversation is essential.
Companies in the US and Switzerland who have completed a Privacy Shield certification program can receive data across EU borders.
*Note: These adequacy decisions do not cover data exchanges in the law enforcement sector. For special arrangements concerning exchanges of data in this field, see the PNR (Passenger Name Record) and TFTP (Terrorist Financing Tracking Programme) agreements.
The requirement to only send data to properly regulated entities adds an additional element of complexity to GDPR compliance. Companies will have to worry about where data lives geographically.
Not to aggravate your distress, but as an example, one enterprise analytics firm collects and processes data in 11 data centers worldwide (as of the date of this publication). Thankfully this vendor is nice enough to make that location information publicly available, but not every vendor will be as helpful.
You could turn to your IT team to determine data center locations from IP addresses of server calls. But still. That would require the IT team to assemble a complete list of server calls, and associate the IP with a specific technology and location to determine which vendors you will need to remove from your stack.
No easy feat.
At some point you will need to create a comprehensive list of all your technologies, both first- and third-party. You can use the same list of technologies from the above two principles of the GDPR Most Wanted.
You would then need to append data center location information for each technology. A few ways you could go about discovering locations include:
- Perusing your vendor’s website to discover where they store/process data
- Reaching out to the vendor directly
- Tracking IP calls and corresponding locations for each vendor
Performing this process manually would take a hefty chunk of time (depending on how many vendors you have), and the information in your report would eventually expire.
An automated solution would scan your site, identify all vendors, collect their IP calls and automatically determine all the locations where data is being sent and stored. At that point, you would just need to:
- Look at the output spreadsheet of location information
- Identify locations outside of the EU member states/adequate states
- Verify that these vendors meet the requirements of transmission of data to international organizations
An automated solution would help you build this record the first time, and continually check that vendors don’t start sending data to new locations without you knowing.
The main reason we included the principle of transparency as one of the GDPR Most Wanted is that it is most wanted by consumers. Your digital visitors would like the benefit of knowing what you’re doing with their data. And since GDPR will require you to ask consent first, clearly disclosing how you use consumer data will be in your best interest.
Transparency According to GDPR:
“The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means” (Chapter 3 Article 12.1).
Historically, companies have had the benefit of using data however they wanted without revealing how creepy their background processes were. As a result, companies aren’t used to disclosure.
You’re accustomed to a data free-for-all—if you can collect it, then you can use it. Preferably without the consumer ever becoming aware of what you’re doing in the background.
But a “what the customer doesn’t know won’t hurt him” strategy isn’t just impractical, it’s soon to be illegal. So beyond just adjusting the data you’re collecting, companies will need to explain how they are using that data. Marketers and legal teams need to cooperate in this endeavor.
Now is the right time for companies to step back and think about the people that their technologies are interacting with. They should ask, “What are we doing with customers’ private information?” Here are some recommendations for marketers as they work with their legal team:
1. Make a clear request for consent
When requesting consent, simply tell customers why you want their data and what you plan to do with it. You don’t necessarily have to request consent and explain everything about data use all at once—you may only need consent for certain pieces of data at each stage of the customer lifecycle.
For example, on a customer’s first visit you may have a consent request to place a cookie. If later the same user provides personal information when downloading a piece of content, you can use just-in-time notices to explain how your company will use each piece of data.
2a. Write to your youngest audience
2b. Give definitions
Most consumers have probably heard of web cookies before, but couldn’t clearly explain what one does. Don’t take ignorance for granted: give as many definitions as necessary to cover your bases. Here are some words you might consider defining for your customers, depending on the type of data you’re collecting/processing:
- Personal information
- User data
- Web tag
- Aggregate data
2d. Explain what you do with customer data
If you follow the suggestions of the preceding GDPR Most Wanted, you will have gone to a lot of effort to understand what you’re doing with data. Now make that information available to your visitors—tell them the what, where, when, why and how of their personal data. Give visitors the details they need for them to know you have implemented adequate protection.
Register with the EU-US Privacy Shield
As stated on their website, the EU-US Privacy Shield “provide[s] companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States.”
In order to transfer data from the EU, US companies need to be registered with Privacy Shield, thus opting to comply with GDPR.
Continuous Compliance Testing
The above-mentioned principles aren’t the only ones you’ll need to ensure compliance. But for marketers, analysts and the data pros who make their jobs possible, these are the issues we feel are most likely to cause fines, terminations and a lot of sleepless nights.
Getting your data house in order won’t be a walk in the park, but it’s possible. If you want to fast-track your preparedness (the correct answer is “yes”), then automating the process can drastically shorten your time to compliance.
Request a sample compliance audit to see how ObservePoint can help you get on the path of continuous compliance testing. Or reach out to an ObservePoint representative to learn more about how ObservePoint’s technology can help you get and remain compliant.
About the Author: Clint Eagar