It’s been 21 days since GDPR (do I need to write it out still?) went into effect, and there is no shortage of commentary about the impact of GDPR compliance on basically everything. In case you need some reading to catch up:
- A thorough and readable explanation of what GDPR is
- Wired’s take on how GDPR will change the web
- An article in Digiday about how pissed everyone is at Google (because why not?)
It’s been fascinating to see what the different approaches have been (particularly in the affected-but-not-clearly-obligated United States), from turning off data collection entirely for people coming from the EU so they don’t have to manage consent at all, to charging a so-called “EU premium,” to a certain UK-based weekly that seems to fail not only GDPR compliance but even the now-obsolete cookie law.
At BlueConic, as a data processor and global company, we made (and continue to make) significant investments in our platform to prepare our own business and our customers’ businesses for GDPR compliance in time for the May deadline. In addition to responding to the direct requests we’ve received, more than 25% of our customers are using BlueConic capabilities to enable GDPR compliance.
David Raab, founder of the CDP Institute, believes customer data platforms are a great fit for helping marketers get a handle on GDPR. As he wrote earlier this year:
“CDPs are genuinely well suited to help with GDPR. They’re built to solve two of GDPR’s toughest technical challenges: connecting all internal sources of customer data and linking all data related to the same person”
Don’t Be Fooled by The Fine Print
However, just having a CDP doesn’t automatically make you compliant. And just being a CDP doesn’t automatically check the box to enable compliance. There’s a big difference between a CDP that offers guidance on compliance and a CDP that offers productized solutions that enable compliance.
The GDPR is the most important change in data privacy regulation in 20 years. The English version of the regulation consists of more than 50,000 words of legalese, and it requires you to profoundly change the way you collect, unify, and process customer data – which clearly relates to your CDP.
Therefore it’s really important to read the not-so-fine print on the documentation, FAQs, and other material from CDPs to understand what you’d be getting – or NOT getting – as it relates to GDPR compliance. Here are a few CDP vendor loopholes you might want to watch out for:
The “We’ll be right behind you!” Cover
Statement: “As Data Processor, [The CDP Vendor] fully supports your organization to comply with these regulations” OR “The GDPR also grants the Data Subject the right to erasure of personal data without undue delay. [The CDP Vendor], as Data Processor, fully supports your organization’s ability to comply with this regulation.”
Translation: It isn’t specified whether this means moral support or perhaps some help desk support, but neither is going to make you GDPR compliant. You deserve more: push your vendor to deliver.
The GDPR puts the onus on data controllers – i.e. the brands – to comply with the regulation. If a CDP handles this with a “we’ve got your back” argument, then you probably want another solution.
The “We really didn’t think this through” option.
Statement: If an integration [such as an ESP or CRM] resends customer data after deletion, [the CDP vendor] will recreate the customer data. Consequently, it’s important for the Data Controller to plan the proper order of operations for personal data erasure, based on your technology stack.
Translation: Just because the CDP deleted the person’s data once doesn’t mean it will stay deleted, which is a huge violation of one of the core tenets of GDPR. Your alternative is to turn off all the connections into the CDP, which is the equivalent of taking the gasoline out of your car. It completely defeats the purpose of owning it.
One of the two primary reasons David Raab thinks CDPs are a great option to manage GDPR compliance is because of their integrations with other systems – “connecting all internal sources of customer data and linking all data related to the same person” – so one would think it would go without saying that this would extend to a person’s right to be forgotten. Turns out, one would be wrong.
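The “resurrection” problem above is easy to reproduce and easy to prevent. The following is an added illustration, not BlueConic code and not any vendor’s product: a toy in-memory profile store fed by two integrations (a CRM and an ESP) that resend whatever they still hold. A naive store honours the erasure once and then quietly rebuilds the profile on the next sync; the hardened store keeps a suppression entry (a hash of the identifier) so re-sent records are dropped and logged instead of merged, and only an explicit new opt-in lifts the suppression. All names, keys and sample records are constructed for the example.

```python
"""Erasure that survives integration re-syncs (added example; constructed data)."""
from datetime import datetime, timezone
import hashlib

# Constructed sample: two integrations that each still hold a copy of the person.
CRM_SYNC = [{"email": "ada@example.com", "city": "Utrecht"}]
ESP_SYNC = [{"email": "ada@example.com", "newsletter": True}]


def subject_key(email: str) -> str:
    """Stable, non-reversible key for a subject; the suppression list stores only this."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


class NaiveStore:
    """Deletes the profile once; the next sync from any integration recreates it."""

    def __init__(self) -> None:
        self.profiles: dict[str, dict] = {}

    def ingest(self, record: dict, source: str) -> bool:
        key = subject_key(record["email"])
        self.profiles.setdefault(key, {}).update(record)
        return True

    def erase(self, email: str) -> None:
        self.profiles.pop(subject_key(email), None)

    def has_profile(self, email: str) -> bool:
        return subject_key(email) in self.profiles


class ErasureAwareStore(NaiveStore):
    """Keeps a suppression entry per erased subject so re-sent data is dropped, not merged."""

    def __init__(self) -> None:
        super().__init__()
        self.suppressed: dict[str, str] = {}          # subject_key -> erasure timestamp
        self.dropped: list[tuple[str, str]] = []      # (source, subject_key) audit trail

    def ingest(self, record: dict, source: str) -> bool:
        key = subject_key(record["email"])
        if key in self.suppressed:
            # Record which integration is still pushing the erased person: that is the
            # system the controller must clean up next in its order of operations.
            self.dropped.append((source, key))
            return False
        self.profiles.setdefault(key, {}).update(record)
        return True

    def erase(self, email: str) -> None:
        key = subject_key(email)
        self.profiles.pop(key, None)
        self.suppressed[key] = datetime.now(timezone.utc).isoformat()

    def reinstate(self, email: str) -> None:
        """Only an explicit new consent from the person lifts the suppression."""
        self.suppressed.pop(subject_key(email), None)


def sync_all(store: NaiveStore) -> None:
    """Simulates every integration resending the records it holds."""
    for record in CRM_SYNC:
        store.ingest(record, "crm")
    for record in ESP_SYNC:
        store.ingest(record, "esp")


def run_scenario() -> tuple[bool, bool, int]:
    """Returns (naive profile resurrected?, hardened profile resurrected?, records dropped)."""
    naive, hardened = NaiveStore(), ErasureAwareStore()
    for store in (naive, hardened):
        sync_all(store)                      # initial load from both integrations
        store.erase("ada@example.com")       # right-to-erasure request handled
        sync_all(store)                      # integrations resend what they still hold
    return (naive.has_profile("ada@example.com"),
            hardened.has_profile("ada@example.com"),
            len(hardened.dropped))


if __name__ == "__main__":
    print(run_scenario())  # (True, False, 2): naive store resurrects, hardened store does not
```

Two design points a practitioner would check: the suppression entry itself retains a hash of the identifier, which is a (minimal) retained data point the controller has to justify and document, and the `dropped` audit trail is what tells you which upstream system still holds the person and therefore which deletion has to happen next.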
The “Wish you good luck” approach.
Statement: If you choose to use a consent management vendor on your site, you will need to test the consent experience for visitors to your site. While [the CDP Vendor’s] tag will work in the same way it has, the Consent Manager will decide if it loads/fires and therefore is responsible. Or (even worse) we are pursuing partnerships with Consent Manager vendors to abdicate our responsibility.
Translation: We don’t have any out-of-the-box solution for this, so we’re making it your problem to deploy and spend money on yet another vendor to do so. ¯\_(ツ)_/¯
If your organization wants to manage GDPR compliance outside of your CDP or in addition to your CDP, which is a common requirement, your CDP will need to be able to work with other GDPR compliance solutions in some form or fashion to keep each customer profile up to date. This isn’t just a nice-to-have. In the same way a CDP can manage compliance, as one of the largest (or perhaps the largest) sources of first-party data in the organization, it is absolutely critical that it be compliant with that data.
The “Do it yourself” or “call IT” approach.
Statement: Accelerate compliance with a single API for user data collection
Translation: Get in line for a ticket or two to beg your IT department to help you out. Testing? Maintenance? Sure, that’s on you. The only thing we’re providing is the exchange of data; everything else is up to you.
One of the core attributes of a CDP is that it is owned and operated by you, the liberated marketer: no need for IT support every time you need a customer data point to go in or out of any of your campaigns. That’s why you bought the thing in the first place, right? Therefore, it is puzzling to see how many CDP vendors have chosen to implement only bare-bones support for GDPR at the API level. That will only help you once your dev team has built, on top of it, the actual hard logic that decides which data points get processed and which do not, which is an extraordinary undertaking. We know that because it’s at the root of the data complexity problem CDPs solve.
What to Ask Your CDP Vendor About GDPR Compliance
The good news in all of this is that vendors (CDPs and others) should be able to show these capabilities and just walk you through how to check off compliance, so you don’t have to guess.
For example, ask your vendor how they handle the fact that the conditions for consent have been strengthened and now must include the “purpose” for each method of data processing, which is arguably the most overlooked impact by CDP vendors. Within BlueConic, we have addressed this by encapsulating all data points, interactions and connections in Objectives that can be set to only collect data when consent has been given for each and every one of them. And of course we provide an integrated Privacy Center and Consent Management module in BlueConic, allowing you to give users access to:
- Manage their consent
- Request to view or download all their data without you as the middle man
- Request a change in their data
- Request to delete their data
Learn More About GDPR Compliance Using BlueConic
In case this wasn’t enough information, we have plenty of additional resources that show off BlueConic’s consent & privacy management capabilities.
- Webinar: Consent Management for GDPR Made Simple
- Webinar: What GDPR Means for Marketers & CDPs
- FAQ: Consent & Privacy Management for GDPR
- Video: How to Setup Objectives & Dialogues in BlueConic for GDPR
- Using BlueConic to Manage Individual Rights Requests