It’s been a year-plus since the General Data Protection Regulation (GDPR) went into effect, and there is no shortage of commentary about the impact of GDPR compliance on basically everything.
It’s been fascinating to see brands’ different approaches — particularly in the affected-but-not-clearly-obligated companies that turned off data collection entirely for people coming from the EU so they don’t have to manage consent at all and those charging a so-called “EU premium” to a certain UK-based weekly that seems not only to fail GDPR compliance but even the now-obsolete cookie law:
What is GDPR compliance? And what tech can help?
As a data processor and global company, we at BlueConic made (and continue to make) significant investments in our platform to prepare our own business and our customers’ businesses for GDPR compliance (and now for additional data measures like CCPA).
In addition to responding to the direct requests we’ve received, more than 25% of our customers are using BlueConic capabilities to enable GDPR compliance for U.S. companies and other organizations abroad. Checklists like this one can certainly help, but really, it comes down to have the right solution in place to ensure you’re entirely GDPR-compliant.
David Raab, founder of the CDP Institute, believes customer data platforms are a great fit for helping marketers get a handle on GDPR. As he wrote earlier this year:
- “CDPs are genuinely well suited to help with GDPR. They’re built to solve two of GDPR’s toughest technical challenges: connecting all internal sources of customer data and linking all data related to the same person.”
Not all CDPs help with GDPR compliance requirements
However, just having a CDP doesn’t automatically make you GDPR-compliant.
And just being a CDP doesn’t automatically check the box to enable compliance.
There’s a big difference between a CDP that offers guidance on compliance and one that offers productized solutions that enable compliance with 100% of the regulation.
In case you hadn’t noticed, GDPR is the most important change in data privacy regulation in 20 years.
The English version of the regulation consists of more than 50,000 words of legalese noting how to now collect, unify, and process customer data — which clearly relates to your CDP.
Therefore, it’s really important to read the not-so-fine print, FAQs, and other material from CDPs to understand what you’d be getting — or not getting — as it relates to GDPR compliance.
Here are a few CDP vendor loopholes you might want to watch out for.
The “we’ll-be-right-behind-you” cover
Statement: “As Data Processor, [CDP Vendor] fully supports your organization to comply with these regulations,” or, “The GDPR also grants the Data Subject the right to erasure of personal data without undue delay. [CDP Vendor], as Data Processor, fully supports your organization’s ability to comply with this regulation.”
Translation: While it’s not specified about whether this moral support or perhaps some help desk support, neither is going to make you GDPR-compliant. You deserve more: Push your vendor to deliver.
The GDPR puts the onus on data controllers — i.e., the brands — to comply with the regulation. If a CDP handles this with this argument, then you probably want another solution.
The “we-really-didn’t-think-this-through” option
Statement: “If an integration (such as an ESP or CRM) re-sends customer data after deletion, [CDP Vendor] will recreate the customer data. Consequently, it’s important for the Data Controller to plan the proper order of operations for personal data erasure, based on your technology stack.”
Translation: Just because the CDP deleted the person’s data once doesn’t mean it won’t stay deleted, which is a huge violation of one of the core tenets of GDPR.
Your alternative is to turn off all the connections into the CDP, which is the equivalent of just taking gasoline out of your car. Completely defeats the purpose of owning it.
One of the two primary reasons David Raab thinks CDPs are a great option to manage GDPR compliance is because of their integrations with other systems: “connecting all internal sources of customer data and linking all data related to the same person.”
So, one would think it would go without saying that this would extend to a person’s right to be forgotten. Turns out, one would be wrong.)
The “we-wish-you-the-best-of-luck” approach
Statement: “If you choose to use a consent management vendor on your site, you will need to test the consent experience for visitors to your site. While [CDP Vendor’s] tag will work in the same way it has, the Consent Manager will decide if it loads/fires and therefore is responsible. Or (even worse) we are pursuing partnerships with Consent Manager vendors to abdicate our responsibility.”
Translation: The CDP doesn’t have any out-of-the-box solution for this, so they’re making it your problem to deploy and spend money on yet another vendor to do so.
If your organization wants to use GDPR compliance software outside of your CDP or in addition to your CDP, which is a common requirement, your platform will need to be able to work with other GDPR-compliance solutions in some form or fashion to keep each customer profile up-to-date.
This isn’t just a nice-to-have. In the same way a CDP can manage compliance, as one of (or perhaps the) largest source of first-party data in the organization, it is absolutely critical to be compliant with that data.
The “do-it-yourself-or-call-IT” avenue
Statement: “With [CDP Vendor], you can accelerate compliance with a single API for user data collection.”
Translation: Get in line for a ticket or two to beg IT to help you out. Testing? Maintenance? That’s on you. The only thing this CDP provides is the exchange of data — everything else is up to you.
One of the core attributes of a CDP is that it is owned and operated by you, the liberated marketer: no need for IT support every time you need a customer data point to go in or out of any of your campaigns or to use in real-time messaging.
That’s why you bought the thing in the first place, right? Therefore, it’s puzzling to see how many CDP companies have chosen to only implement bare bones support for GDPR on the API level.
That will only help you once your dev team has built the actual hard logic that manages what data point gets processed and what not on top of it, which is an extraordinary undertaking.
We know that because it’s at the root of the data complexity problem CDPs solve.
What to ask CDP vendors about GDPR compliance
The good news in all of this is that vendors (CDPs and others) should be able to show these capabilities and just walk you through how to check off compliance, so you don’t have to guess.
For example, ask your vendor how they handle the fact that the conditions for consent have been strengthened and now must include the “purpose” for each method of data processing, which is arguably the most overlooked impact by CDP vendors.
Within BlueConic, we’ve addressed this by encapsulating all data points, interactions, and connections that can be set to only collect data when consent has been given for each of them.
And, of course, we provide an integrated Privacy Center and Consent Management module in BlueConic, allowing you to give users access to:
- Manage their consent
- Request to view or download all their data without you as the middle man
- Request a change in their data
- Request to delete their data
To help you with the implementation, we built templates for consent management, consent request and other privacy management features out of the box.
We can automatically detect a legislation area and BlueConic can easily be setup to comply to the strengthened local privacy legislation that applies to each individual customer like the GDPR, the Swiss Data Protection Act (DPA), or similar Canadian or Chinese laws.