The European Union has an entirely different view of digital privacy than here in the United States. Europeans...
are more skeptical of data-driven businesses that rely on content targeting and one-to-one personalization. Beginning on May 28, this skepticism will have new teeth when the EU's General Data Protection Regulation goes into effect.
Specifically, EU residents are going to have the right to know and restrict how their personally identifiable information is being collected and used. And this right isn't limited to activities in Europe. The General Data Protection Regulation (GDPR) applies to any organization around the world delivering digital experiences to European audiences.
Fixed borders are difficult to draw and maintain in the digital age. If your company is building digital experiences (DX) over the web, GDPR may sound scary. After all, even as an American firm, you must protect the privacy of EU residents or face large fines. GDPR for marketing -- the cornerstone of DX -- is equally important.
While GDPR for marketing might seem intimidating, there is an upside. In light of the recent Facebook- Cambridge Analytica controversy, it's time to get serious about personal privacy protection because, even in the U.S., individuals are pushing back on the invasive use of personal data by commercial entities.
GDPR defines a regulatory framework and specifies technical features for privacy. It should become the baseline for protecting personal information around the world.
Don't panic -- get started. Begin your GDPR compliance program by describing the steps of your overall customer experiences. Leverage these privacy regulations to systematize how, when and why you are collecting personal information in the first place. Then check, test and verify compliance.
Conduct a privacy audit
GDPR for marketing begins with knowing what is going on under your own roof or in your own cloud. As a first step, make sure you catalog how you are using any kind of personally identifiable information to deliver content and produce digital experiences.
Conduct a privacy audit to determine all the different ways you are assembling and utilizing data about individual people. Be sure to include both:
- direct personal information, including names, email addresses, social media posts, cookies and a host of other elements; and
- indirect personal data produced by algorithms, such as preferences inferred by ad networks to target personalized ads.
Next, clarify your business purpose for collecting this information. As part of the audit, be sure you have a rationale for each element -- it being nice to have or potentially using the data in the future is no longer sufficient. Be as precise as possible -- collect only what you need to accomplish your business tasks. Europeans are data minimalists when it comes to personally identifiable information; less is better.
Third, assess how you maintain personally identifiable information at rest. Ensure the accuracy of each data element. Develop both business policies and technical procedures to support this assurance. Store the information for only as long as necessary to support your business purposes.
Information security is necessary to protect against data breaches and accidental losses. Be sure to audit for security. You should also audit for ownership and management.
The GDPR mandates that each person owns his/her own data, and that person should be able to:
- access all personal data;
- rectify inaccuracies;
- purge personal information and be forgotten;
- restrict processing and limit the ways data is used;
- obtain a copy of the data upon request; and
- object to decisions made solely via automatic processing and profiling.
Make sure you have the necessary features and functions within your customer-facing applications to deliver these capabilities. If you are already designing digital experiences around your customer journeys, you are going to be well-positioned to address these ownership concerns.
Build a privacy protection roadmap
With the audit in hand, build your privacy protection roadmap. Define the ways you can use your existing IT resources to protect personally identifiable information. Identify the gaps and risks. Develop plans to fill the technical gaps and mitigate the operational risks.
Not surprisingly, management matters. Wherever possible, centralize how you maintain personally identifiable information. This may require enhancements to your underlying enterprise architecture.
In all likelihood, you are relying on your CRM system to track and interact with your customers. It helps to identify a single source of truth by maintaining a customer data platform and implementing the needed privacy protection features. Make sure that CRM data is part of the mix.
Be sure to account for personal information when delivering content. For instance, if you are using cookies to track results, end users need to agree to accept them. It helps to manage content and cookies through a web content management platform.
Finally, there is the human element of privacy protection. Technology should augment your efforts, not replace them.
GDPR mandates that every organization designate a chief data officer who has executive-level responsibility to manage the protection of personally identifiable information. While this may seem like common sense, it is also a good management practice. It's best to drive privacy concerns from the top and to have an advocate who is able to negotiate for the budget and resources needed.
Personal privacy protection should be part of your overall effort to reinforce trust and support your brand presence in the digital age. GDPR for marketing is merely a motivator to ensure you are investing in both the technical capabilities and business leadership you need to address the privacy concerns of your customers and stakeholders.