4 Tips for GDPR Readiness
On May 25, the General Data Protection Regulation (GDPR) goes into effect, a law that will greatly affect how companies comply with the collection and processing of personal data. GDPR is actually a European Union law, but it could have far-reaching effects beyond European borders, as U.S.-based companies will have to comply with the new regulation when doing business within the EU.
In a world where companies are thinking about collecting more and more data about their consumers, GDPR is a great opportunity to stop and think about privacy and make sure that, when capturing data, you’re always focused on the consumer experience. Within the context of the Adobe Experience Cloud and GDPR, Adobe is a data processor, and we’re here to partner with our customers on their road to GDPR readiness.
One of the key principles promoted by GDPR is data minimization, which states that companies must limit data collection and usage to data that will be used for a specific purpose. This means that now is the time to review data capture processes at your company and ensure you’re only capturing data in Adobe Analytics or Adobe Audience Manager that’s needed for your marketing campaigns. You may find data fields you captured with good intent, but never ended up using.
This type of comprehensive review may sound daunting, it may even sound counterintuitive, but the benefits span even further than GDPR compliance.
Even before GDPR, Adobe recommended that customers limit data imports to only the essential data needed for their uses. We did this not only because it reduces overhead and maintenance, but because it also allows marketers to focus on the most critical data, which can ultimately be used to give customers better experiences. Regardless, some companies still wanted to import and capture as much data as they could, even if it didn’t have identified uses. This generally led to longer implementations — due to additional testing required to ensure all the data was flowing properly — and additional work and maintenance for the IT teams preparing the data. The benefits were never readily apparent.
GDPR now doubles down on the sage practice of not collecting more data than necessary, and those companies that haven’t followed these good practices have a bigger challenge ahead of them as they review their data usage and processing in preparation for GDPR.
Here are a few things to keep in mind as you review your data in the wake of GDPR.
Your customers’ rights as data subjects
GDPR provides individuals (data subjects) with enhanced rights to information that companies maintain about them. As a data controller, you should be prepared to handle these types of requests (e.g., data access and data deletion). Review existing consumer rights workflows, internal processes, and points of contacts to determine how collecting analytics data will align with current processes.
- Identify a process to receive and respond to data subject requests. Consider building an automated tool to manage those requests.
- Consider how you’ll collect identifiers from data subjects (e.g., privacy mailbox, web-based form, etc.).
- Consider authentication and validation requirements, particularly since data in Adobe Analytics can often be described as indirectly identifiable data (e.g., IP addresses or cookie IDs rather than authenticated data, such as where a user provides an email address).
- Conduct a data review prior to providing the data subject access to their data. Document the steps you put in place to help you establish an audit trail.
Evaluate your data governance
If you have a data management platform (DMP), start thinking about how your consumer data is managed.
- Review the various IDs (including mobile IDs) your marketing teams use to identify users in Adobe Audience Manager along with the data sources in which they’re stored. This will streamline the process for requests (like delete or access requests), since certain data types will be hashed by your teams prior to ingestion in Audience Manager.
- Determine a validation and authentication policy and process for data subject identity confirmation. This will be an important part of making sure you properly return data in response to the data subject.
- Consider using data export controls to block audience activation to technologies that house personal data. For example, segments with third-party data should not be syndicated to email service providers. Set a data export control to help ensure that no one in your organization can accidentally activate this data.
- Begin utilizing role-based access controls to help ensure the right teams have access to intended data.
- Review identity linkage, privacy policies, and legal requirements to see when and where it is appropriate to tie identity sets together. Use these appropriately via Audience Manager’s Profile Merge Rules.
Focus your data stream, and increase conversions
The good news is that reducing data capture may provide a better experience for customers, both at the time of data collection and throughout the customer journey. Limiting the number of fields on web forms has long been used as a technique to increase conversions. With more focused data about customers, marketers will have an easier time establishing personalization as part of their marketing programs.
Refine your data-capturing techniques
Don’t be afraid of capturing data. Just because it’s more highly regulated doesn’t mean you shouldn’t do it and do it well. Be transparent about why you’re collecting data, and help your customers understand the value of collecting it.
Start slowly. Collect the customer data that you actually need. Then, with the data you have, use it wisely to build better personalized experiences. This will grow more trust in the relationship, which is a key ingredient to long-lasting relationships.
With these tips for GDPR readiness, you’ll establish trust and build a stronger relationship with your consumers. This is an important step toward providing your consumers with truly delightful experiences.
To learn more about how Adobe can help you become GDPR compliant, visit the Adobe Privacy Center.