4 Ways a CDP helps customers embrace the GDPR
The GDPR is finally here. Learn how mParticle helps our customers not only support GDPR compliance but embrace it.
Welcome to peak GDPR. The mad scramble for email marketing consent is indicative of how ill-prepared most companies have been for the impending regulation. Your inbox likely now looks like a graveyard of brands you transacted with 2 years ago and forgot about, and tomorrow you can expect to be greeted by a flurry of dialog boxes as you fire up your favourite websites and apps.
While this may feel burdensome for us as consumers, spare a thought for the data controllers who have been left scratching their heads as they try to find scalable and interoperable solutions to the compliance challenges GDPR poses.
According to Gartner the average large company has 22 marketing technologies in their stack and 8 more in progress. Almost every one of those technologies has launched their own purpose-specific consent management platform (CMP), and companies are now drowning in vendor-specific APIs to build and maintain. The latter problem is why mParticle spearheaded the OpenGDPR initiative, recognizing that data privacy in the connected age is bigger than one company, and requires industry collaboration to support consumers' rights.
I'm extremely proud of the work that mParticle has done in the last 12 months creating what is categorically the most comprehensive suite of Customer Data Platform tools for nailing and scaling privacy and compliance. GDPR may have been the forcing function, but it is not the end-game.
I am going to share four ways we're helping our CDP customers to embrace the new privacy-first paradigm.
1. Consent, lawful processing, purpose limitation
Consent shouldn’t just live client-side in a perishable cookie, and is not a singular binary yes / no. Consumers have the right to choose how and if their data may be processed per purpose, and with the average adult now owning 6+ connected devices, collecting, storing and federating consumer acceptance or rejection of data processing rights needs to be disassociated from any specific platform or use case.
mParticle is providing complete flexibility for customers to define their own consent categories & purposes, and associate collections with a user record. We log and timestamp consent events for auditing, and allow customers to associate their own document versions that reflect the changing nature of privacy policies. In preparation for ePrivacy and other international data regulations, we also allow custom compliance frameworks to be defined per workspace, catering for specific business or vertical needs.
Consent can be leveraged in our pre-built API connectors at both event forwarding and audience sync levels, meaning that businesses can setup rules to automate whether or not raw data or audience members should be connected with downstream platforms such as email, push, analytics, location or advertising.
Capabilities like these provide peace of mind that any future platform connections are not fed data relating to consumers that they are not entitled to, and directly align to the principle of "purpose limitation" set out in Article 5 of the GDPR.
2. Data subject access requests (DSARs)
As well as releasing the OpenGDPR standard to the ecosystem, we have built a comprehensive DSAR workflow into the mParticle platform. mParticle is the point of data collection, handles identity resolution, and is where you connect your data to a world of technology partners. This makes it a great place to see what data you hold on whom, where it is being sent to, and to ultimately assist in fulfilling data subject requests like deletion and/or access.
DSARs are time sensitive and promise to be complicated. Building out your own tools is a complicated task considering that data resides across both internal and external systems. Thankfully systems that have adopted the OpenGDPR can be connected to mParticle, enabling us to fulfill requests. OpenGDPR supports status callbacks for additional transparency.
3. Data minimization via filters and rules
One of the core principles of the GDPR is data minimisation, meaning that personal data should be adequate, relevant and should be limited to what is necessary in relation to the purposes for which they are processed.
A long-standing and mature feature of the mParticle CDP is our data filters, which enable customers to determine at a granular level what data to share with each connected partner. Filters operate server-side, and provide safeguards to ensure that specific user IDs and data points are not transmitted on unless approved. Newly detected data points can be restricted by default providing further safety.
More recently we introduced tools for data transformation, allowing our customers to write and execute custom rules to manipulate & transform their inbound or outbound data. With rules you’re able to rewrite data on the fly, meaning you can de-personalize it prior to storage or host your own custom hashing functions outside of mParticle for greater security.
4. Integrity and confidentiality
mParticle has never owned and will never own the data our customers collect and process via the CDP. We’re not in the business of creating “master IDs” or trying to build collective insights across multiple customer accounts. Our business model is 100% transparent, and funded by software license fees - no data sales, no hidden CPMs, no revenue shares and no gimmicks. This level of business and data integrity and confidentiality has been a cornerstone of the company since inception, but it is now more important than ever.
Legacy data platforms architected for scale over privacy, prioritizing lookalike modeling, probabilistic matching and aggregate machine learning over platform security and integrity of data. That doesn’t work today. With most data being considered personal under new regulations, companies are waking up to the fact they need a secure and foundational data platform, built with privacy and security as part of the the blueprints.
For some, GDPR preparations have been a tough and often scary process. When the law comes in tomorrow it marks the beginning of the journey, and hopefully the above fills you with confidence. Confidence that mParticle’s technology is moving in lockstep with regulations, and confidence that compliance cannot just be achieved but can become a scalable and integral part of your customer data strategy.