Privacy by Design: GDPR and Your Experience Business

Adobe Analytics and GDPR readiness.

On May 25, 2018, the European Union’s General Data Protection Regulation (GDPR) went into effect. Adobe believes this presents a new opportunity for marketers to strengthen their brand loyalty by focusing on user privacy while delivering engaging and contextual experiences. As your trusted data processor, Adobe is committed to compliance and to helping you on your GDPR compliance and readiness journey. However, GDPR readiness is a shared responsibility.

GDPR harmonizes and modernizes data protection requirements. Businesses have an important responsibility to effectively communicate and demonstrate their commitment to data privacy. We understand that trust is an essential part of every business relationship. A brand can offer the best product or service in the market — however, if users don’t trust your brand, they won’t engage.

If your organization uses Adobe Analytics to track individuals in the European Union, GDPR may require changes in how you obtain consent and how you process users’ personal data. Therefore, your organization might need to rethink how you engage with your users.

“GDPR presents the perfect opportunity for brands to lean into user centricity, build trust through transparency, and improve the user experience with privacy in mind,” says Alisa Bergman, chief privacy officer at Adobe.

Adobe Analytics embraces GDPR as an opportunity to help ensure optimal engagement between brands and users — on the user’s data privacy expectations. Brands can differentiate themselves and thrive in the GDPR era by honoring their commitment to users’ data privacy.

As we embark on this shared GDPR compliance journey with you, our customer, it’s time to start asking yourself key questions about your customer intelligence practices:

• How can we, as data controller and brand, make user-controlled data privacy central to our customer intelligence strategy?
• How are we planning to make the process of obtaining consent simple and trustworthy?
• What will be the impact on our business if we deliver transparent experiences by focusing on user privacy while delivering personalized, relevant experiences?

Privacy by design

Adobe Analytics is committed to empowering data controllers, aka our customers, with the tools necessary to support their GDPR readiness and compliance efforts. Furthermore, Adobe Analytics’ engineering teams have a long-standing practice of incorporating privacy into the design and development of products, referred to as “privacy by design.” Privacy tools are incorporated into the Adobe Analytics framework (in addition to, of course, Adobe’s business practices) making privacy one of its core design principles.

Consent management: Changing how to obtain consent

Many websites today focus more on providing a path to opt-out. This practice likely won’t be an option under GDPR, which requires affirmative, unambiguous consent for many activities. In those instances where consent will be needed for certain marketing activities, user consent will need to be active (e.g., no silence as assent or pre-checked boxes), unbundled, and offers of services may not be made conditional upon the data subject’s giving consent.

We suggest designing the consent process in a thoughtful and transparent way. This aligns with GDPR and helps users know exactly what they’re agreeing to when providing information about themselves. Adobe strongly encourages you to seek legal counsel from a specialized data governance provider as you evaluate your options.

Consider implementing Adobe Analytics’ opt-out logic in order to prevent data collection and processing, or simply choose to not send Adobe Analytics the server call if consent is not explicitly collected from the data subject.

Access and delete GDPR requests: Define your channels and workflows

Individuals have the right to request access to their personal data, withdraw consent at any time, and request deletion. Your organization should define and implement channels and workflows for your customers to easily fulfill your users’ requests. Web-based channels for collecting requests by your users to exercise their rights may be an effective method for collecting and managing these requests.

Adobe Analytics customers are able to submit individual GDPR requests for access and deletion through Adobe Experience Cloud GDPR APIs or UI. Adobe’s GDPR API helps you facilitate and scale the processing of individual rights (e.g., access and delete requests) for your data stored across certain Adobe Experience Cloud solutions.

Data governance: Rethinking your processes to manage your data

Data governance helps set the framework for defining the strategies, processes, policies, and technologies used to manage data. We recommend being proactive when it comes to data governance. Among the many benefits, this approach helps facilitate data subjects’ access or delete requests, and your users will have a positive, differentiated experience with your brand.

Consider having privacy administrators, such as your chief privacy officer, connect with marketing and analytics stakeholders to ensure that your data governance honors your users’ rights and differentiates your brand with trust.

A critical aspect of data governance is data classification. Adobe Analytics provides identity, sensitivity, and GDPR labels in our new feature called Data Governance. Labels are important and useful to helping with functions like: (1) determining which data to return as part of an access request, and (2) identifying data fields that must be deleted as part of a request for deletion. We encourage our customers to apply data controls and classifications across all your Analytics data.

The Data Governance tool in Adobe Analytics contains the following data labels:

• Identity data: used to classify data that can identify an individual either directly or in combination with other data (none, I1, I2).
• Sensitive data: used to classify data as data that may be defined as sensitive under applicable law (none, S1, S2). Note that currently the use of sensitive data in Adobe Analytics is generally prohibited except for precise geolocation data properly obtained under applicable law, which may be considered sensitive data in some jurisdictions.
• GDPR data: used to define the fields that may contain personal identifiers for use in GDPR requests or that should be removed as part of a GDPR deletion request. These labels may overlap the identity and sensitive data labels in some cases.

Your privacy administrator(s) — along with your analytics stakeholders — should proactively label data in Adobe Analytics. Setting your labels and integrating Adobe GDPR APIs will help your company operationalize in fulfilling GDPR requests. Adequate data governance practices will help offer transparent experiences to your customers.

The power of delivering the right experience

By applying appropriate data governance practices and implementing workflows to manage your users’ data with adequate levels of privacy, you will be better positioned to offer transparent user experiences that help your brand gain your users’ trust. Through trust, your brand will be able to establish a new level of communication and collaboration with your users. Adobe believes trust should be an essential building block for doing business, and GDPR presents an opportunity to deliver safe and delightful experiences with privacy in mind. Adobe Analytics provides you with tools to support good data governance practices, and that helps your organization in your GDPR readiness journey. Understanding how and when your user wants to engage on their terms will win their hearts.

Thanks to John Bates for his contributions to this article.