Privacy Compliance: Reveal All Data Collection, Collectors, and Destinations - Craig Ferguson, Lloyds Banking Group

With companies around the world being fined hundreds of millions of dollars, isn’t it time you started taking data privacy more seriously? Whether it be GDPR, CCPA, LGPD, or any other data protection regulation, sleep easier knowing ObservePoint is watching over your website and protecting your customers’ data, your reputation, and bottom line. In this session, we'll show you how Privacy compliance enables you to:

  • Inventory your entire website to create a report of all tags and cookies—including what data they collect—and create approved/unapproved lists.
  • Identify the geolocation of all server calls to understand where your data is stored and processed.
  • Visualize initiator tags and see the relationships of each tag firing on your site to easily locate unauthorized tags.
  • Monitor consent categories against tags or cookies and be alerted if your technologies collect data before users have given consent.

 

Craig Ferguson

Engineering Manager - Analytics, Lloyds Banking Group

Craig Ferguson is a Digital Analytics specialist with many years of experience. During that time he has worked within the financial services industry. His main areas of focus are: Tag Deployment, Governance, Release Management, and Data Quality. Craig is passionate about his work and feels that if you can get the data right, that will help your organisation understand what is happening and allow focus on the why. He also believes that in order for organisations to focus on the “What” & “Why”, it's critical to have the right tools and processes in place.

 

Mike Fong

Sr. Manager of Product Go To Market, ObservePoint

Mike is the Sr. Manager of Product Go To Market at ObservePoint and assists in aligning the Product, Marketing, and Revenue teams on product strategy, value propositions, and promotion. Previously a Senior Consultant and Solutions Engineer on ObservePoint’s EMEA team in London, Mike has been integral in ensuring ObservePoint users are obtaining the highest quality of data from their marketing technologies. With over 10 years of experience in the analytics world, Mike is an expert when it comes to data analytics, SQL, problem solving, and spreading good vibes.

 


 

Mike Fong: (00:00)
Okay, so thank you very much for bearing with us for a couple of minutes, everybody. So my name's Mike Fong and my role here at ObservePoint is a product marketing manager at ObservePoint. And I'm delighted to be joined today by my friend and a long-term ObservePoint customer, Craig Ferguson.

Craig Ferguson: (00:32)
Hi Mike. How are you doing? Yeah, a longtime customer, a long-time friend, think we've known each other for maybe eight or going on nine years now.

Mike Fong: (00:45)
Whoa, whoa, hang on. Sorry. Sorry about this. I've just got to accept these cookies. Okay, great. Yeah. So, Craig thanks for joining us. As I say, as a long-time customer of ObservePoint, how have you seen things changing over the last few years that you've been with us?

Craig Ferguson: (01:05)
Good question. I've seen ObservePoint evolve and evolve quite quickly, to get in place with all the compliance that's coming in, around GDPR, which is obviously already there. And it's been great because things I think the tool needs eventually appear and it's been brilliant. I suppose the compliance space has forced you guys to evolve.

Mike Fong: (01:36)
Yeah. Craig, can you tell us a bit about the problems Lloyds and the brands are facing?

Craig Ferguson: (01:46)
Yeah, so before we go into really anything in depth in terms of the problems we face at Lloyds, what I'll do is give you a brief intro into who Lloyds are, for those who don't know who those are. And then start talking about how and why we use ObservePoint. So, brief intro: Lloyds Banking Group itself is made up of 13 brands. I'm not going to name them all because we could be here for a while, but I'll just touch on a few of the high-profile ones that stick out there. So you've got Lloyds Bank itself, and you've got a Halifax Bank, and then you've got a Bank of Scotland. So those are all your main high-street brand banks. And then we have a pensions and investments arm called Scottish Widows, and then there's a few lesser known brands in there.

Craig Ferguson: (02:39)
One is a share dealing service called IWeb and then a random savings one in there as well called St. James's Palace, which is for savings. So over all those brands, we serve around 30 million customers and predominantly based in the UK market. So you can understand that's a large proportion of the UK market that we serve, and we serve our customers in various different ways. Also we've got our websites, we don't just have 13 to cover all brands, probably 25 to 30 out there. Plus we have a mobile banking app, which covers our core brands. Then within the branch network as well, we have tablets that customers can use to do some servicing as well. From an analytic and self compliance perspective, the team that I work in, we predominantly look after that area that I've just covered. All the websites, the app, and tablets. It's a small team, but we get by. Every day is never the same as the last and, as most people say, every day is a school day, because we're always learning just due to the sheer size of Lloyds Banking Group.

Mike Fong: (03:57)
Given all the various brands, it's not just your website, so I guess you're basically one team is in charge of a heck of a lot of channels, right? These are apps, the websites, these are all channels that you've got to manage.

Craig Ferguson: (04:17)
Yeah. Spot on. That is a massive thing to do and we need to make sure we get it right. And anything that we do deploy over those platforms and channels, that we don't affect the customer experience. We don't give them a negative experience when accessing those channels. I was just about to touch on how Lloyds banking group actually uses ObservePoint. So we've been a customer for two and a half to three years with ObservePoint and when we first onboarded them, we primarily used ObservePoint just for tech governance and on-site interactions, checking our analytics, payables, et cetera. Right around the same time we were onboarding, we went through a massive analytics migration. So we were keen to get the tool in there to make sure that when we were migrating our analytics everything was working as expected.

Craig Ferguson: (05:24)
Once that had all settled, we then developed our use cases for ObservePoint. We have a suite of tests that we do on our QA environment that allows us to do our assessments on a regular basis, we use production testing as well. So that's how we were using ObservePoint, but obviously in the last year ObservePoint have brought out the Privacy Compliance product. Quick brief on that, that allows us to get an understanding of how well our GDPR slash cookie compliance is working. So Mike, is there anything you want to add before I go into the depths of how we are using Privacy Compliance?

Mike Fong: (06:34)
Yeah, no, it's interesting to see and to hear about your previous experience using Tech Governance and how prior to what I would say was 2018, when GDPR came in, when you were working for your previous organization, what you see as the opt in side of things, is that basically very, very similar to the Tech Governance aspects? Or would you say there's a bit more to it as well since you've had to check on the CMP itself as well?

Craig Ferguson: (07:09)
I'd say there's a bit more to it now. It's one thing running a few tests to make sure that if you've opted out that marketing tags aren't firing. So using ObservePoint, we can tell them what to do via our Audits and some JavaScript, and then that'll come back and give us the information we're looking for. But I now want to start talking about the main features within Privacy Compliance. First thing we're going to talk about is what we have done. We created Audits for our core brands and we've created two Audits per brand. These Audits were opt-in and there was an opt-out as well. So first of all, let's talk about opt-in and why we created an opt-in. So essentially if you're opting in to everything, when you're navigating a site, all manner of tags should fire. So you should see all your marketing and soft performance related tags, they should all fire once you've opted in.

Craig Ferguson: (08:19)
So what we want you to understand though is, okay, we know everything's going to fire on the back of some of those tags, are there any third-, fourth-, fifth-party tags that are firing as well? What we did is we let the Audit run a few times without any preferences against it. What this did is this built up a catalog of data for us. We did a comparison to what we have deployed in the past and it pretty much tallied up. That was the first piece of good news and the first bit of validation that it looked right. So what we then did is, within the preferences, you can either approve tags to fire or leave them as unapproved.

Craig Ferguson: (09:03)
And because we were going opt-in, all the tags that we were aware of and verified and checked, we changed them to approved. And again, had the Audits run on a daily basis. And then we can check to see if there's anything unapproved slipping through into our opt-in Audit. And as you'll see from the screenshot, it's very visual, so you can see if you have any issues at a glance with how well the data is represented there from ObservePoint. So any questions on our opt-in Audits, Mike?

Mike Fong: (09:46)
No, nothing from me. Just a comment that the opt-in Audits are very parallel to the Tech Governance use case. Did you have to do anything extra to check that the CMPs themselves were there?

Craig Ferguson: (10:07)
Not really. I suppose one of the things we have is, we have trust in the data that ObservePoint returns. And we obviously have our internal processes on what's deployed across our sites as well. So we're comfortable and there wasn't really too much additional work and actually you let the Audits do the leg work for you from the start. You let them run and run and just build up that data set before you then start applying your consent preferences to them. So just give me two seconds, please. Then the next one I want to talk about is that opt-in Audit. If you've ever gone to one of the sites within Lloyds Banking Group as a new visitor, you will be presented with a cookie consent pop-up, and you have a couple of options.

Craig Ferguson: (11:01)
And one of the options is to opt out of marketing and performance related tags. So we created an Audit to replicate this. Again, like the opt-in, we allowed the Audit to run and build up that catalog of data. And then we referenced what should be there and set all the tags to either approved or unapproved depending on whether they fell within marketing performance or functional. And again, once the Audit's run, processes all that information, and you get to see at a glance if you've got anything firing that shouldn't be. And you can see from the screenshot there, that we are pretty much there. Little bit of work to do. But sometimes Google doesn't play ball, so you can have one or two issues there, but that's Google and we'll not comment on that. The good thing about having these Audits and the Privacy Compliance is it's a set of certain rules and we have a set of standardized rules across all our brands.

Craig Ferguson: (12:20)
Across all the brands, it should be very similar on what is firing, what's late, and essentially what is not firing as well. And yeah, again, as I say, I like to go back to the visuals and the data, you can see at a quick glance if you have any issues. So that's the main feature of Privacy Compliance is setting up your consent preferences to test whether your rule, from my point of view, our GDPR controls, are working and the cookie consents are working based on tag firing. But within the compliance module itself, it's not all just about cookie consents and GDPR controls. There are a few other tools that we find very useful within Lloyds. One of them is third party management. And what I mean by this is domains that are firing across your web estate.

Craig Ferguson: (13:25)
As a business, we are thinking of deploying a content security policy across our public facing pages. A wee brief on our consent security policy. It's just a security standard, to prevent cross-site scripting, clickjacking, and things like that. And what Privacy allows us to see is all the domains that are firing across our network stack. And it's not just our MarTech, analytics, there's VOC, there's a whole list of things. And I could be here all day naming everything that is within that list. So what we are planning to do is, again, just let that information build up so we can understand what domains are firing. And then when the time is right, use information from that, which will then allow us to create a CSP, which we can then get the more technical IT guys to implement.

Craig Ferguson: (14:36)
And the good thing about us as a team supplying that information to the business is it means there shouldn't be any issues with our MarTech stack or analytics stack, or anything to do with the web chat, voice of consumer, and things like that as well. That should all be covered within the CSP because that's the information that we are getting from ObservePoint. And you'll notice from the screenshot as well, it doesn't just tell you the domains, it also gives you the geolocation of the domains. This could be useful if you have sites across the world and you want to understand where all those domains are coming from. We are lucky that the vast majority of our domains you can see are originating in the United Kingdom. We don't really need to do anything with that part, but if we see somewhere down the line that locations were moving out to different spaces. I'm not naming any countries, but you could probably take a guess at a few. We could then start looking at that and understanding why that's happening. So that is another very useful feature that we are in the midst of using.

Mike Fong: (15:54)
At a previous role, at a previous organization, we were in a position where we were implementing tags, and I was quite junior at the time, so I ended up implementing a tag and it wasn't coming through in our manual testing. And it took us the longest time to, well, as a learning experience for me, it took me the longest time to figure out what a content security policy was. And actually that the IT team were basically blocking our tags through a CSP. I think that's a symptom of, maybe IT teams and MarTech teams not always communicating well with each other. So it's great that you've got such a good process to communicate between those two teams at your organization.

Craig Ferguson: (16:37)
Yeah. And as I say, Lloyds Banking Group is massive. So if you don't have the right channels of communication in place, things will get lost and things could go wrong. So the fact that we're the ones that are, not necessarily leading it, but we're providing the information that we think is correct. Then down the line, we shouldn't see any issues due to changes those guys make.

Craig Ferguson: (17:09)
And then there's one other bit of functionality within the Privacy Compliance that I would like to talk about. This relates to third party JavaScript. As you know, on most websites, there's some form of JavaScript on there for deploying a web chat, pop-up banners, or pop-up questionnaires, and things like that. ObservePoint have recently brought in, and I say recently as in the last few months, but I have asked ObservePoint on many occasions over the years, if this is something they would look to introduce. So I'm taking full credit for ObservePoint bringing this feature in. And this feature is when you're auditing and you say, look for all the third party JavaScript that's on there, and it will monitor the files or look for last update, date, the file size, and where the files will load as well.

Craig Ferguson: (18:17)
This is really, really useful if you're not hosting the third party JavaScript yourself. If you're relying on that third party to deploy that JavaScript, you're susceptible to them making changes, and then they've got to communicate that to you. But if they don't communicate that to you, that they've made a change, you could end up with issues on your site. Be it browser compatibility. It could be doing something really, really erroneous like stealing data is potentially happening as well. Again, you'll see from the screenshot that we have there, you'll see the file name, where it's coming from, whether it's a first or third party, and then it tells you if there's any changes, and lists file sizes. We at Lloyds are pretty lucky that we deploy a lot of third party stuff rather than rely on third-party to deploy that themselves. So this is something that we're still building up our use cases for, but as I say, it's something that I've asked for many times in the past, and I'm sure everyone will find this extremely useful going forward.

Craig Ferguson: (19:35)
Pretty much covered all the aspects of Privacy Compliance. We've talked about the consent preferences, where you can go in to approve or unapprove tags and cookies that you can see fire across your sites, and depending on what Audits you've got them attached to. We have talked about your requests domains and how you can use that information to create CSPs. And then also finally, we just mentioned the third party JavaScript monitoring as well. At Lloyds we see many benefits of using ObservePoint at a high level. The benefits I see from the tool are confidence to investigate, inform, change, and update. I wanted to give you a bit more information on each of those ones. So for confidence, we as a team, we trust the solutions that ObservePoint are providing us. We trust the data that it brings back to us, and by that, I mean, we can see at a glance, whether the controls we have in place are working with that data that is returned. What this does is that it gives us confidence that our controls are working, but also gives confidence to the wider business that the work that we are doing is correct, and we're not hampering the customer in any way.

Craig Ferguson: (21:07)
Then the next benefit is investigate. To go back to the consent preferences at a glance. You'll be able to see whether something, depending on what you're running, whether it's approved or unapproved. And if you're seeing something that's unapproved on one of your Audits, you then have that ability to drill into the data, to see at page level where the tags are firing or the cookies are being dropped. So the ability to be able to investigate and understand what's going wrong is really, really good as well. And another thing that comes out of running Audits is you get to see console log errors as well. You can get a whole host of information when things go wrong within the tool.

Craig Ferguson: (21:53)
The next one is inform. With inform, we have the data, we then inform the rest of our business of things. If things go wrong, we can then act on it. We then monitor everything that ObservePoint runs with the Audits that they run on a very frequent basis. So we can see results pretty quickly if anything goes wrong. We can also compare things to see if there are any slow changes happening across our estates. And then also touching on the domains as well, we will be using the data that comes out of that to then hopefully build up our CSP.

Craig Ferguson: (22:43)
And then the last one is change and update. What I mean by that is every time you add a new piece of tech to your stack, you don't have to essentially reinvent the wheel. Just let the Audit itself pick it up, and then you can add it in whether to be approved or unapproved. As I say, when you're bringing on those new pieces of technology, it's easy to validate whether those are working as well and they fall within your compliance matrix. So with that in mind, the best way I can summarize Privacy Compliance with ObservePoint is, we have a tool that allows us to monitor our core sites, making sure we are compliant and any issues are picked up quickly and resolved.

Craig Ferguson: (23:35)
So this builds confidence in the business, and it makes all relevant stakeholders comfortable in what we are doing. I think this was probably the last thing for me is, that level of comfort is very hard to achieve in any business, never mind one the size of Lloyds. But where you can document, visualize, and demonstrate that the controls are in place or working, using ObservePoint, you can achieve those goals. And that's everything from me, Mike, unless you have any questions for me.

Mike Fong: (24:10)
You've mentioned confidence as your first point here. And also when you were talking through inform, like being able to inform the business of something—like we're not ready for this release yet because we found a bug—would you say that, this has allowed your organization to take the data-driven aspect of the business to the next level? Because many businesses struggle with trusting the data.

Craig Ferguson: (24:40)
Yeah, that's a good question. And I said, we definitely do, especially as you mentioned on a release basis, we do frequent releases every week, and we run our QA tests first. Those come back with any issues, we will not go ahead for release until those issues are resolved. So at that time point, you can see, we are using that data to inform a decision and we've got to let various teams across the bank know whether we're going ahead with a release or not. And we also share those results. So those teams can see what's happening with the release. And again we will be using the data to inform the business. Yeah, it will be using the data to inform the business on what domains should be held within our CSP as well. So yeah, we would use that data and I would say that helps us be a data driven organization.

Mike Fong: (25:42)
Great. Well, thank you very much, Craig, for your time. And what I didn't mention at the beginning of the session was that Craig is actually battling from illness right now. So thank you Craig very much for powering through with us. And I guess everyone in your audience can also thank Craig for the new JavaScript reporting feature. So have a great rest of Validate. The next session is coming up. So just click that button in the top right of your screens for the final session. Thank you, Craig.

Craig Ferguson: (26:15)
Thank you.
