Tealium and Forrester recently partnered to create one of the highest rated webinars of the year, “A Not-So-Normal Webinar on GDPR: Creating Your Organization’s Plan”. With the General Data Protection Regulation (GDPR) taking effect in less than a year, many businesses are overwhelmed with what to do, how to do it, when to start and where to turn.
This webinar, featuring special guest Fatemeh Khatibloo, Principal Analyst at Forrester, and Adam Corey, VP of Marketing at Tealium, was so well received that we’ve compiled the top takeaways and main themes so brands can better prepare and ensure compliance well before the May 25, 2018 deadline.
Confusion Around GDPR: What is it and does it apply to me?
When the 900+ webinar attendees from all industries, titles and business sizes were asked “What is your level of understanding of GDPR?”, 62% understood what GDPR was and that their organization had to comply; however, almost 25% were unsure what GDPR was.
GDPR is slowly gaining traction as the newest buzzword to hit the martech space – marketers are seeing it available as webinar topics and whitepaper downloads, IT teams are hearing of it in their privacy conversations and during research of the newest regulations – but that momentum doesn’t mean brands are clear on what it is, what needs to be done and who it affects.
What does GDPR mean to a Security team? Or the compliance team? IT? Marketing? HR? Finance? What if a brand has EU data but doesn’t do business in the EU? Are nonprofits held liable? Will small companies with fewer than 10 employees need to be GDPR compliant?
The General Data Protection Regulation (GDPR) is a new, single set of rules for EU residents that strengthens and unifies data protection. It’s a way to establish new rights for data subjects around transparency, notification, access, erasure and portability of an individual’s data. If companies that fall under the GDPR don’t comply by the deadline of May 25, 2018, they will be fined up to €20M or 4% of annual revenue.
More specifically, a company will be held liable under GDPR if it:
- Has European data subjects on record (this could be customers, prospects, partners, employees, vendors, etc.). A North American bank that has customers who live in Europe will be held liable under GDPR. Think about the European subjects of your business, rather than just the business itself.
- Sells, markets or ships to an EU country
Any company that IS collecting or processing EU consumer data must now:
- Engage in regular, systematic data collection on a large scale, while officially appointing or hiring a Data Protection Officer (DPO)
- Report any data breaches to authorities within 72 hours of the breach
- Run regular Privacy Impact Assessments (PIAs), implement Privacy by Design (PbD) and be able to show evidence of having done each
- Provide 3rd party disclosure to data subjects upon request
Source: List of Third Parties (other than PayPal Customers) with Whom Personal Information May be Shared with PayPal
Note that GDPR is vastly different from any regulations before it as it:
- Gives all EU residents new rights: “the right to be forgotten” and the “right to data portability”
- Vastly expands the definition of PII to include device IDs, cookies and even location data
- Requires marketers to collect “unambiguous consent” – no more pre-checked boxes
GDPR Guides Customer Obsession
In reality, GDPR is becoming a guiding principle around customer centricity, reminding brands to do what’s right for their customers. The regulation has brands constantly exercising their thinking around customer experiences and the data they hold on their customers.
When brands start to envision the customer data that’s flowing in and out of their organizations, they are paralyzed by the chaos, the complications, the special cases, the unknown, etc. Even though most organizations realize the importance of putting the customer at the forefront, it’s not always that easy, especially when new regulations are placed in front of us.
Applications, vendors, systems: The list of where data is held goes on…
Any company looking at their data will want to start to create a data map – essentially an inventory that documents everything and anything about the data:
- What are the vendors that I’m working with?
- What applications are within them? What is the purpose of them?
- Where are these companies based?
- Where are they storing data?
- What audience does this target?
- How does data come into each solution?
- Where does data go?
- How are humans involved in it?
- Who owns that data and process and storage within the organization?
Source: Forrester Slides: A Not-So-Normal Webinar on GDPR: Creating Your Organization’s Plan
Oftentimes it can be extremely hard to move forward and take action when we feel paralyzed by fear, uncertainty or the unknown. Over 50% of webinar attendees polled answered honestly in stating they didn’t yet have a GDPR plan in place.
So what do you do with this chaotic yet beautiful mess of all the data, vendors, systems and people you have in place managing this ‘customer gold’ that every brand is in search of?
Document, Define & Collaborate
Tealium is, of course, undergoing the same GDPR data inventory process as the majority of other companies. We’ve started by thinking about each martech vendor that marketing is using and creating the below spreadsheet as a starting point.
Remember that GDPR is so much larger than Marketing – this affects IT, HR, Legal, Finance – the list goes on. It’s critical to look at every role and department within your organization to see who is interacting with data, and to follow a similar process of documenting and defining every flow of data.
Be sure to share this documentation with your teams and collaborate on all of the findings – you may find gaps, see errors, find opportunities to better manage the data and more.
The MarTech Vendors Opportunity For A Competitive Differentiator
Are you a martech vendor? Then this is your time to shine – be proactive with your route to GDPR compliance. Provide value to your clients by showing them your GDPR roadmap to ensure complete data governance and privacy safety. This will allow for a competitive advantage over other brands like yours in the space.
Not a martech vendor? Well, you most likely leverage martech vendor services in your campaign management, so it’s critical you closely examine the partnership you have with them. Are they GDPR compliant? Are they safely securing and storing customer data that your brand is passing through to them?
If your martech vendor isn’t GDPR compliant, your brand could be at risk. This is the time to start looking under the hood and asking questions of every service you leverage to ensure it’s still the best fit and decision for your brand. Confirm that partnerships in your brand’s ecosystem continue to serve your customers at the highest level, while still being compliant.
The bottom line is that we are all in this together – martech, adtech, notech – we now all have a stake in each other’s success and, ultimately, in the consequences of GDPR failure. If not, we’ll all be susceptible to the 4% fine.
GDPR Guides Customer Obsession
It’s important we come back to this guiding principle – after all, why did GDPR come about? Why are brands like yours and Tealium now having to very specifically define, document and process all data in a much more detailed way?
Because consumers are worried about their personal data.
- 44% worry that apps collect data without consent
- 52% worry that their data is shared with companies they don’t know or trust
- 51% think it’s wrong for companies to track them across devices without consent
* Source: Forrester North American Consumer Technology Survey 2016
It’s safe to say that those of us in the industry haven’t always done a good job of giving consumers a choice about the interactions they do and don’t want to be a part of. Marketers aren’t explaining why we have the technologies we do running in the background of our campaigns, and that’s how we end up with regulations like this.
Putting The Customer First
What does the impact of what we do feel like to our consumers? Is this in the right spirit of what our customers would expect? And if things went wrong what would that look like? Are we acting in the best interest of the customer?
GDPR is truly about demonstrating that a brand is doing right by the consumer and respecting their data and privacy.