In my last blog, I looked at the potential impact that the General Data Protection Regulation (GDPR) will have on marketing teams. In this post, I’ll go through how the new regulation may affect your overall approach to using data and how to prevent the regulation from negatively affecting you.
There’s no doubt that using customer data more effectively can be extremely beneficial for marketing. By using data from Customer Relationship Management (CRM) systems with other forms of data, organisations can plan ahead in their sales strategies, spot trends in buyer behaviour and look at where their greatest chances of success are in new deals.
However, those records are a treasure trove of personal information. GDPR ensures that all companies will put appropriate safeguards in place for personal data. Ensuring that you are compliant is a big task, but there are ways to make this easier. These steps cover three areas: scope reduction, compliance and security.
Phase #1 - do you really need that data?
While it can be tempting to collect huge volumes of data on customer activities and results, it’s worth looking at how much value that information has. Some data may be valuable, but other information will not be worth the expense.
It’s important to bear in mind that personal data under GDPR includes all information that can be used for identifying an individual. This can include technical information such as device data, application versions or IP addresses that can be linked back to people.
Either way, it’s important to check that such information is necessary, rather than being collected “just in case” it might be useful at some point in the future. By not collecting certain sets of information, marketers can take some of their analytics projects out of the scope of GDPR.
Put simply, avoid collecting non-essential data, so that bringing your project into compliance will be easier.
Even if you need to collect this kind of data to make your analytics provide value, look at how you can use less identifiable data to get the same result. For example, don’t collect specific birthdays, but instead collect age or, even better, age range data points instead. Similarly, don’t collect specific address details but instead use postal codes as the information set.
Phase #2 – don’t give out the real data
After you have validated the reasons for collecting personal information, the next step is to go through techniques to keep that data secure and compliant. This includes a range of approaches that can pseudonymise or anonymise the data so that it can’t be directly linked back to real-world individuals.
It’s worth noting that, even with these techniques, it still may be possible to determine the individual when the collected information is combined with other data sources. As marketers, you may want to enrich data to make it more valuable, but this can also mean that more care around security is required.
For example, a full customer record may contain name, birth date, address, purchase history and other details. Rather than providing the collected data, use pseudonymisation to provide tokenised values for names, and age ranges rather than birth date. If you do want to go all the way to full anonymisation, this requires expert advice to get it right.
For marketers, sharing pseudonymised or anonymised data is safer than sending over the whole customer record. The value of analysing this data remains, but anonymising the information makes it easier to demonstrate compliance. This can help you prove that your process for customer data meets the needs of GDPR and Privacy By Design.
Phase #3 – data security for everyone
For some instances, anonymisation or pseudonymisation techniques won’t be possible or workable. At the same time, those records will have to be kept. Here, data security will be critical for marketing, as well as the rest of the business.
Encryption is a good example of a technology that can ensure that data can be shared while being kept secure. Without the appropriate passcode or credential, the file is unreadable. If the file is misplaced, lost or stolen, then the valuable customer data inside can’t be accessed. However it is very important to utilise industry standard strong encryption algorithms rather than trying to create your own from scratch. Even the smartest tech teams can make mistakes here, which will lead to a false sense of security. Instead, talk to experts as you investigate solutions.
All records containing personally identifiable information should be kept secure, especially when the files might be shared outside the business. For marketers, this means knowing what security processes are in place at your suppliers. If a supplier makes a mistake and suffers a breach of data, you are still responsible. Putting technologies such as encryption in place can therefore ensure that you are compliant, but your suppliers have to work to the same standards as you, too.
About Rick Spickelmier
Rick Spickelmier, CTO at Birst, is responsible for architecture, security, privacy and big ideas for Birst. Rick brings over 20 years of wide-ranging software development experience, including experience in enterprise architecture, databases and on-demand applications. Rick has been senior director of technology at Geac, CTO at Extensity, worked in a number of management, architecture and development roles at Objectivity, and was on staff at the University of California, Berkeley. Rick has participated as a panelist and presenter at numerous conferences and industry events and has authored several books and publications.