Solving GDPR's Data Subject Requests Big Data Problem - Ed Devine, Fandango & Glen Horsley, RIVN

GDPR changed the way companies operate in Europe. The massive growth in data collection and proliferation has not been accompanied by an equally matched effort in data management and governance.

In this session, we'll discuss the creation and rollout of a privacy program that resulted in Four Recommendations for DSR compliance, plus the one thing you should never do.


Ed Devine

Sr. Program Manager, Data Privacy & IT Compliance


Ed is a Sr. Program Manager of Data Privacy & IT compliance for Fandango. Ed has developed a passion for privacy in the last several years. Before joining Fandango, Ed worked for the Walt Disney Company where he managed Disney’s privacy center and terms of use pages. In addition to privacy, Ed has a background in project management, consulting and quality assurance.


Glen Horsley

Co-Founder, CEO


Glen leads operations at RIVN including growth strategy, customer support and retention. His focus over the past decade has been around helping companies optimize their customer data to improve customer experience and grow revenue. Glen has been focused on helping to create lasting clients and partner relationships, and has the unique ability to quickly understand complicated problems and offer easy to implement solutions.

Glen Horsley

Hello everybody. Thanks for joining the session today. We're excited to be a part of the ObservePoint validate conference. Today our session is going to be around solving GDPR data subject requests, and how it's a big data problem. The presenters today are myself, Glen Horsley. I'm a cofounder and CEO of RIVN, the data privacy technology company that helps companies with managing their data subject requests through an automated API platform. We also have Ed Devine, who is the Global Privacy Manager for Fandango and is responsible for implementing the technology to solve the compliance efforts for Fandango globally. So he's been a big asset to the company and helping them get going.

Before we dive into the presentation, just a couple of little housekeeping things. We will leave time at the end for some Q and A. So please, if you do have questions throughout the presentation, don't hesitate to put those questions into the group chat. They will then be picked up --- we'll ask those or read those questions at the end, and then we'll ensure that those questions are answered for you at the end. Okay. So let's go ahead and get started.

So as we get into this, I'm not sure how many on this meeting are familiar with this little gif here. This is probably one of my favorite Saturday Night Live skits that has been out there. If you haven't seen it, I highly suggest YouTubing "More Cowbell - Saturday Night Live," but the premise of this was they were producing a music video and the producer kept asking for more cowbell because he was just really quiet and soft on the cowbell. And so it was forcing the actor here, Will Ferrell, to really get involved and engaged in adding more cowbell to the music video, a great video. But the reason why I wanted to talk about that and share that briefly is because we have within the data world this concept that we hear quite often, which is big data and more data. Back in 2005 Roger Magoulas, he was part of the O'Reilly Media group, and he coined the phrase "Big Data," that was really kind of this evolution that has taken place over the last 10 plus years, which is gathering as much data as we can within organizations so that we can better understand who our customers are and how do we optimize and convert customers at a higher rate.

The importance of big data does not revolve around really how much data a company's collecting in reality, but it's how the company is utilizing that data. And every company is going to use their data in a little bit different way in order to, to drive conversion and revenue to their customers. Just a couple of quick examples of this, and I think we all can relate to this when we think about our own consumptions throughout the web and the media and how we want to be engaged with. Think about maybe you, you subscribe to streaming video services like Netflix or Hulu or all these others, or even if you are an avid YouTube watcher like myself, one of the things that these bigger companies like to do is they like to capture all of that browsing behavior, all of that viewing consumption, and then they will serve up video content that's relevant to you. And that's all being done because of the data they're collecting and how they're using that data, and I'm sure many of you that are on this meeting today are doing those same things for your companies.

So how do we do that, and how are you guys engaging and seeing that throughout your own companies and throughout your business as well? The chief MarTech publishes a report every year around the marketing landscape. And we've seen a huge evolution over the last 10 plus years on the number of companies that are part of this, but even more importantly, we're seeing a huge influx in the type of companies that are starting to enter into this space. So within this slide, you'll see here lots of different types of vendors. You have your advertising promotional, you have your social media and relationship management side, but the one that's grown the fastest since 2009 is data management software.

It's no surprise because data is so important for companies and how they use that data that we can totally understand why we're seeing more and more of these data providers entering the space to help companies perform at a higher level. Along with that, we have an influx in consumer control. So there's privacy laws taking place all over the world, GDPR really being the most infamous and the one that's most well-known that have really changed the way companies have to manage and view this data. And so, as you can see here on the right-hand side of the slide there is a sub category growth, and you'll see the second fastest sub category is around governance compliance and privacy technology. And so that is taking place because obviously companies have to, as you're collecting more consumer data, you have to be able to be more compliant and have better governance and oversight of that data.

And so it's really important to see that and to understand that. Here's just a different view of what that landscape has looked like over the last little while. Many of you are probably familiar with this scale and growth back in 2011. I was at Omniture, I guess it was Adobe at the time we had just gotten purchased and really doing some great things from the data analytics marketing side. And I remember that there really wasn't a ton of marketing vendors in the space. Fast forward to 2020. And now there's over 8,000 different marketing vendors that are out there. That creates a couple of different challenges: Number one, which vendors are the right vendor for your business? And then number two, as you onboard more and more of these marketing and technology vendors, how do we ensure compliance across the organization?

Some of you are probably a little more analytical, probably like graphs. This is an interesting version of what we just looked at just from numbers. You can see this major spike, you can see how technology, how it's evolved with smartphones and with all these other social media channels how we've had to see this huge increase in the technology vendors, which ultimately creates a 5300% increase in technology vendors over the years. It's just astounding and crazy to see how that's happening. Dive into this real fast. When we think about the number of vendors that companies are using, we're seeing on average companies using over a hundred different systems that are collecting and storing consumer data. So there's this huge data concern within companies now, and it's becoming a bigger problem. And how do we manage that, and how do we fulfill on that and ensure that our company is as we onboard and bring on new technology vendors, how do we ensure that we're being compliant?

Some of the consequences of not being compliant are pretty severe. You know, I talk with companies every day that have not done a great job with this, that have possibly had data breaches, they've misused private data, this consumer data, or they've violated some of these privacy laws. And there's not only are you at this point, now I'm going to be liable and potentially fined, for those by violating the new privacy laws. But the biggest, in my opinion, issue that you're going to run into is a loss of consumer trust. And as a company, as a brand, it's important that we look at our customers, what are they asking for? What do they want and building that trust so that we can then keep them loyal and happy. And that's really important.

A lot of companies really take a focus around data security, which is really important. But it's also just as important to be thinking about consumer privacy and how you're using consumer data within the accordance of the laws. So within a lot of these regulations, like GDPR and even CCPA here in the United States, they're forcing companies to respect these data subject rights. But achieving basic compliance does require companies to understand what personal information they have. Where is that information located throughout the organization? And what's the purpose of that data? Up until now most companies, they don't really know where that data sits throughout the organization. And what these new laws are forcing companies to do is to take stock and inventory of that data. And the most common way for companies today to do that is they're doing surveys throughout the company so that they can go out and they can track and understand where that data sits within the organization.

As we go through and as we do these data inventories one of the things that we really need to try to understand is what PII or personal identifiable information we have within the company. And so the last thing that I want to talk about is what is that? And then how do we identify where that data resides? So personal data means any information relating to an identified or identifiable natural person, which is considered a data subject. Identifiable natural person is one who can be identified directly or indirectly. And that's really important in particular, by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more factors specific to physical, psychological, genetic, mental, economic, cultural, or social identity. So that's really important as I because this is the space that I live in every day.

And I talk with companies, one of the things that companies are not working to solve within their organizations is really this marketing landscape. And recognizing that as we are tracking, we have our cookie identifiers that we're capturing and storing and do using that data for personalization, we are capturing IP address and we're using all these pixels to do that, which is exactly where OneTrust is a huge asset and partner of RIVN. We need to have a plan in a way to be able to go out and support and manage the data subject requests for all of these marketing vendors as well, not just for your internal systems like your databases. So as we think about this, I'm going to stop sharing real fast and let Ed take over. But as we start to think about what that means and what does that mean for our business, Ed's going to now take over and he's going to start talking about, what did that look like for Fandango? How did Fandango go about this process and what were the key things that were really important for them? It's specifically around all this consumer data and the data that these companies like Fandango are using to improve customer experience for their customers.

Ed Devine 

Hey everyone. Yeah, so hopefully you guys are able to see my set of slides that we have up here now. So from, from my perspective, so what we've done at Fandango, and I'll just give you guys a brief history on me really quick. I've been in the digital space for a long time. Privacy ended up being something that was more recent for me, but you know, that's something that just developed over time as both a personal interest and just, it seems the way that the industry was going towards that this was becoming such a big space. What I found interesting is how the public is starting to get up to speed with how things are. I think that at this point, like customers are really being able to see what's behind the curtain. So like my first example here is the Cambridge Analytica scandal.

Cambridge Analytica was really the first time that consumers had an idea of how their online behavior was being tracked. And I think a lot of people were really shocked by it. You know, they had, there's so much that consumers don't realize is going on behind the scenes because it's not visible to them. So knowing that all of their Facebook activity was being tracked in such a way, and then being utilized in ways that they never thought was possible was very alarming. And unfortunately, the trends with some of the giants and the tech industry has just been to not bring back that level of trust. I think that a lot of the Facebooks and the Googles, they started out really as these bastions of like what's possible in the digital space and creativity and all of these really light principles.

And unfortunately as time has gone on consumers are starting to feel less trustful about the entire space and that's a real shame. So that then has brought people into kind of what I call these conspiracy theories, where you know, the behavior surveillance that we have going on coupled with the hyper targeting has given a lot of people all sorts of conspiracy theories. I'm sure that you, at one point have encountered someone who said, I know for a fact that my phone is listening to me because I was talking about this thing, and then all of a sudden I got served with all of these ads. There is no other possible explanation. So, I mean, we all obviously know that there are other means by which all of that can get into their ecosphere, but for the average consumer they're just basically now starting to see corporations as big brother. Whereas they used to associate that with governments being able to surveil and you know, going a little bit off into the tinfoil hat realm. But that is now getting translated over to corporations where it used to be associated with the government.

And The Social Dilemma, the documentary on Netflix, has really kind of, I mean, I've joked with people that there are elements of that documentary that are a little bit hokey, but I think it was important that they demonstrate exactly how the surveillance and the engagement algorithms interact with one another, how that couples with marketing technology. Because they made it so digestible for consumers, there is now this growing concern. So as I mentioned, this idea of surveillance oversight has become more and more popular. So a lot of you are probably familiar with most of these regulations, but I just picked a couple that have had some effect on the privacy space and on data protection.

CalOPPA really kind of brought personally identifiable information into the lexicon. That really made it a requirement for a lot of companies to start posting their privacy policy right there on the website. The PETA really kind of honed in on the idea that you needed to collect consent before collecting certain types of information and really driving home that if you intend to use it for another purpose, you have to collect that consent again. Obviously the big one that everyone here is focused on and concerned with is GDPR. It's probably been the most important privacy regulation to date, not just because of the entities that were involved, but the way that it was worded and the model that it created. Having the opt-in model is something that's very foreign to a lot of American companies. But for consumers it is really something that they much prefer, at least in my own personal research I've noticed that people would much prefer to have the model where you ask permission before you start collecting anyone's data.

I think that most people assume that they have a certain level of privacy to an extent. And unfortunately they're learning that because of the way the space is right now, it doesn't feel that way anymore. So that really brought a lot of drive to the California Consumer Privacy Act, which is something that we've had to tackle very extensively at Fandango because we are a mostly North American based company. More recently the CPRA has just passed a ballot initiative that, basically it tried to build upon CCPA because CCPA was very focused on data sales. It was trying to prevent a lot of information being sold off to other companies. Well, unfortunately, a lot of the large companies such as Facebook and stuff like that, a lot of folks that said, "what we're doing is not a data sale." So CPRA is now including language for things like a sale or share of data. And what I thought was really important is that it's reclassified a lot of personal information as sensitive. So there's this new class of sensitive information that I'll get to in later slides. So now that we are in this space where customers are saying, "You know what, I want to have much more control over my data," and we've got all these regulations in play, how do we go about making sure that we're able to fulfill all those requirements and also be able to not make this the sole function or concern of our companies going forward?

So I like to, because sometimes privacy can be a little bit dry I'm going to get a little bit weird on you guys. I like to hold on to certain little things that make things interesting. If anyone has read any of the Marie Kondo books where she talks about the life-changing magic of tidying up there's actually one thing that I think that is very helpful and very translatable to this space. Which is, she talks about gathering all of the belongings that you have for a certain category, putting them all in one space and then one by one, going through it and saying, what do you need? What do you not need? What is essential to you and what is not. I'm paraphrasing a little bit here and kind of adapting the model, but that's essentially the point here. And I think that that's very important when you're going through a privacy program. The most important part is this first step, because you're never going to know exactly what you have, where it is, what sort of things may have been lost a little bit here and there.

We at Fandango, like we were a company that acquired multiple businesses over the years. So we also acquired a lot of legacy systems. So what ended up happening and what was probably the most valuable thing that we did was I reached out to some partners and immediately started doing some audits and inventories. So we did a privacy impact analysis looking at the way that we store data, where it's stored, what kind of privacy controls we have in place, and trying to get a really good overview of the entire landscape of our databases, our systems, and even like our corporate systems, how we send and share communication with each other, you know, there's plenty of developers that will send line items of code. Well, unfortunately, sometimes that code is going to include pieces of information that we just can't share anymore, because that's going to leave gaps. Because no matter what solution you build, you want to make sure that you're not letting data leak out in some other way.

I also really recommend doing the full inventory. Because in addition to knowing where everything is, you will identify things that you don't need anymore. There, there are definitely tables, columns within database tables of information that we had stored from ten plus years ago that we're no longer collecting. It was just old information that actually was taking up a substantial amount of space. And by eliminating a lot of that, what we ended up doing was saving a lot on our overhead for our operating costs. Not just for our database administrators, but also like the storage space that we were spending. So we were able to condense a lot of that stuff down. So this step is always very important. When you get into the design phase, I think that one of the most important things to do is to future-proof, and to make it malleable because regulations are going to come out. They're always going to change the landscape, they're going to change even themselves.

GDPR has kind of broadened the idea of personally identifiable information to personal information. CCPA also broadened that even further because of its sort of opaque or ambiguous language. And then in addition to that, CPRA now expands sensitive information. There's a subclass that's sensitive personal information that includes things like your protected class, gender, even precise geolocation. That's now considered sensitive information and that's just within the last couple of weeks. So whatever you actually build, you want to make sure that it's something that will allow you to be able to make these shifts and to be able to build something to respond to different types of regulations. So for example, the solution that we ended up doing at Fandango, we built a backend system that would really handle a lot of the requests coupled with an integration to a front end. In this case, we decided to go with OneTrust. That would allow us to pull through information from all of our backend systems and respond to different types of requests. So we handle GDPR, we handle CCPA. Our business down in Brazil is handling requests for LGPD. Being able to have something that's malleable like that will give you a lot more flexibility.

Now, this is just my own thing that I want to go die on the hill for. I think that it's always, I think that it's super important to build your automation upfront. I know a lot of businesses that have said, we're just going to get a manual solution in place, and then we'll worry about automation later. I found that a lot of times when you say that it never ends up happening, or you end up having all of this extra work that you need to do. So my recommendation is always to kind of go through the efforts of doing the automation upfront. Put the effort in in the beginning so that you can have something that's very sustainable in the end. Because as we're finding now, the post pandemic mock economy, a lot of people have lost their jobs and we have a lot less resources to rely on. So having a manual solution is really going to put you at a disadvantage.

The automated solutions invariably there will be like one or two manual processes, like having someone approve the release of certain types of information. Sure. You're always going to have that, but by doing an automated solution, you're able to absorb that already. And then just finally the last recommendation I always recommend is just completely making it your number one priority for a short period of time. Yes, you may have slow growth, but what you will end up having is an opportunity to really focus back on your initiatives later. And in addition, like if you need to make it a company wide effort, because the more eyes that you have on this the more chance that you'll be able to pick up any problems that you have in the development phase, so that you're not having to worry about making adjustments later.

And like I said, like you'll see here, the times of stress are best weathered with camaraderie. Things at Fandango, you know, there were definitely hard moments where everyone was very frustrated, but having that kind of focus and having that cooperation, the positive or the negative, it brought people together in a really great way. So I'm just gonna give one quick thing cause I know we're starting to run out of time here, but the one thing that I recommend that you avoid is being penny-wise and pound-foolish, and I apologize for that. There's just something about the idea of a robot, just not being able to do what you hope it will. And that, that really translates because your solution will have to be adjusted over time. Databases change because of the information coming in and going out, so you want to make sure that you have at least some semblance of staff to ensure that you are able to keep that solution going.

Glen Horsley

At least they're testing it with a doll first, right Ed? See, it's a good example of testing in the right environment. I do enjoy that.

Ed Devine

At least it delivers the bottle in the end.

Glen Horsley

Yeah, that's great. Thanks for sharing that, Ed. So we're at time, but two things, number one: lots of people agree with you that they think their devices are listening to them. So that is a common theme that we're seeing on the chat. So I 100% agree, you know, Allison was saying that she was talking about getting a new car, you know, and all of a sudden she starts getting ads for cars. You know, that type of stuff is so real. One question that maybe we'll try to address, and I know we're out of time, so we'll be quick on this, is GDPR, CCPA, you know, are kind of the core ones that we know of. What additional regulations do you think will be seen in the near future around the world that we have to be aware of?

Ed Devine

From what I can tell right now GDPR is still going to be the standard because it's really been the most influential, a lot of countries have just followed that model. I think so far the other upcoming regulations I've seen a lot are in the United States and there none have been as like I think that GDPR goes to the furthest. So at this point, yeah, building for a GDPR solution is still going to be your best bet. But you know, it's hard to say now that people are able to see what happens through The Social Dilemma, perhaps there's going to be a desire to have even more restrictions.

Glen Horsley

I agree with you. I think the United States, having a federal mandate is probably going to be the biggest and most impactful that we see in the near future rather than governed state by state.

Ed Devine 

You never know with the United States, though. We're a little bit rogue at times.

Glen Horsley

That's a good point. All right. Well thanks, Ed, I really appreciate you taking the time to share with everybody. It was really insightful and please don't hesitate to reach out to Ed on LinkedIn and connect with him and ask some personal questions if you have any questions for him. Thanks everybody.
