How a CDP can help brands with GDPR
The May 2018 enforcement deadline for the European Union’s General Data Protection Regulation (GDPR) has passed, but many brands are still unsure how to comply with the new requirements. Learn how a CDP can help.
Introduction to GDPR compliance
GDPR imposes a variety of stringent new rules for handling the personal data of EU residents—and it applies to any company that stores such data, regardless of where the company is based. With penalties of up to four percent of worldwide revenue, it cannot be ignored.
Most companies have been working for some time on GDPR compliance, but few have actually completed their preparations. This paper reviews GDPR requirements and shows how a Customer Data Platform (CDP) can help to meet them quickly and efficiently.
Personal data rights under GDPR
GDPR is based on the premise that people should be able to control the use of their personal data.
Personal data itself is defined broadly to include things like location, cookies, and devices that could conceivably be tied back to an individual. There are even more stringent controls over special personal data such as health information, biometrics, political opinions, religious beliefs, and sexual identity. Individual rights over personal data include:
- Access to data collected about them
- Correction of errors in collected data
- Erasure of data they don't want retained or distributed
- Review and objection to automated processes using the data
- Portability to move collected data from one company to another
These rights are enforced by the right to file complaints and receive compensation for material and non-material damages. GDPR sets standards related to these rights, such as requiring that information be provided in readable formats and within a specified time period, and that individuals be notified of any data breaches within 72 hours.
In addition to personal rights, GDPR establishes the principle that companies can only collect and use data if they have a lawful basis for doing so. Two of the data processing mechanisms under discussion by most marketers are: a) legitimate interest and b) explicit consent of the individual. GDPR carefully specifies that this consent must be based on clear, advance disclosure of what is being collected, how it will be used, how long it will be stored, and who else may receive it for processing. There are some narrowly defined exemptions to consent and legitimate interest, including a legal basis that can be derived from performance of a contract, fulfillment of legal obligations, public interest, and similar factors.
Data holders must also meet a variety of requirements to ensure adequate control over processing, including hiring a Data Protection Officer (DPO), building “privacy by design” into systems, assessing the privacy impact of proposed processes, creating formal governance policies, ensuring adequate security, and keeping records each time data is shared. Companies are responsible for ensuring that anyone they hire to process the data also meets the standards.
Meeting the requirements
Even this high-level description of GDPR requirements makes clear that most companies will need to significantly change their systems to comply. One option is to collect less data, which is certainly among the goals of GDPR’s creators. But many businesses must collect personal data to operate and most customers now expect personalized treatments that rely on still more information. So nearly every company subject to GDPR will continue to collect personal information. Those firms will need to develop processes to manage that data in a GDPR-compliant fashion.
This summary of GDPR requirements also emphasizes that compliance would be nearly impossible without a central, unified customer database. Building a central database is probably the only way companies can assemble the information needed to respond to customer requests and maintain control over how data is used. This database might be custom-built by the company’s IT department or outsourced to a processor that operates under company supervision. Both options can be error-prone and expensive. An attractive alternative is to use pre-built software suitable for the task: a Customer Data Platform.
What is a CDP?
Customer Data Platforms (CDPs) are packaged software that create a unified, persistent customer database that is accessible by other systems.
Most CDPs are used by marketing departments to give marketers a complete view of each customer, which they use to tailor offers and messages for each person. But CDPs are also used outside of marketing, often for customer support, fraud detection, and analytics. This is possible because the CDP is specifically designed to let other systems use its data as directed by the data controller; since those systems are not defined in advance, the CDP is built for flexibility above all else. Specific capabilities that create this flexibility include connection to any data source, support for any data structure, retention of source data in its original format, bulk extracts, and quick access to data about specific individuals. These are all capabilities needed in a system that supports GDPR where the marketing department needs to determine exactly how data is being processed with significant granularity and through multiple systems.
Even more fortunately, the CDP’s core function of finding and linking all data related to specific individuals is exactly what’s needed to meet GDPR requirements for assembling, sharing, correcting, and possibly deleting personal data. CDPs include the linking capability because marketers need a customer-centric view for their own purposes; that GDPR uses the same linking for a different purpose is a valuable coincidence.
CDP applications for GDPR compliance
Here are specific GDPR requirements that CDP helps to support:
IDENTIFYING DATA SOURCES
Building a CDP requires finding which company systems gather customer data and what data they store. This map of customer data flows is the foundation for GDPR processes that also require a complete inventory of customer data caches.
CONNECTING WITH DATA SOURCES
Unlike a static document that can easily become outdated, the CDP actively reads data from source systems and, in some cases, feeds data back to them. This forces CDP operators to keep abreast of any changes in the source systems and to ensure their connections remain functional. This supports GDPR requirements including data correction and deletion, which also rely on functional connections to customer data repositories.
ASSEMBLING CUSTOMER DATA
CDPs create a central copy of most customer data and have on-demand connections to read data that remains outside the CDP. This makes it easy to assemble a complete set of personal data for individuals to review, correct, and export. As previously noted, the CDP’s ability to link all data to the correct individual is an especially valuable contribution to the assembly process.
CORRECTING CUSTOMER DATA
Many CDPs create a “golden record” that finds the most accurate version of elements such as a customer name, address, or status. This information can be sent back to source systems that may contain errors - ensuring that data subject access requests are propagated downstream. This is part of the data governance required by GDPR. It also reduces the likelihood that customers will be presented with bad data, potentially triggering a review request.
A CDP can be used as a repository to track the authority by which a particular piece of data is collected and how it can permissibly be used. This might include the details of personal consent or withdrawal of consent, links to contracts, government regulations, legal opinions, and so on. It can also include expiration dates when authority is time-limited. Having this information assembled and easily accessible will be essential for responding promptly and efficiently to questions about data use. Furthermore, a CDP can be used to simplify consent adherence to downstream systems. By applying consent status to its data coordination functions, the CDP can assure that downstream systems only receive data which is GDPR compliant. This reduces operational complexity created through individually implemented systems which will require their own compliance vetting.
MANAGING AND TRACKING USE
A CDP can be the central resource for managing how data is shared with internal systems, external processors, and third parties. This makes it easier to define and enforce rules that ensure data is only used in authorized ways. A CDP can also maintain the history of use that GDPR requires and provide that history when needed. This particular application is worth highlighting because it can imply storing massive volumes of data, something that can be difficult to engineer but CDPs handle easily.
PRIVACY BY DESIGN
GDPR requires that systems be designed with privacy in mind. A CDP supports this by centralizing access to personal data, allowing different systems to share it without accessing each other’s data directly. Centralization means that customer data is only exposed in one place, rather than in every system that holds it. This means that authorized use and tracking must only be managed in the CDP, which can be designed to handle data properly. Other systems don’t need similar features, which reduces their complexity and the risk of non-compliance. Of course, they will still need other privacy-supporting features such as encryption and access controls.
CDPs have additional benefits beyond helping you meet GDPR requirements. It’s worth considering these when you’re assessing your GDPR compliance options. Key benefits include:
UNIFIED CUSTOMER DATA
A complete view of each customer has many uses beyond GDPR. Marketers in particular are eager to use it to understand each person and to offer them the most effective treatments. Customer service and research teams also benefit from having more complete, accurate data.
EASY EXTERNAL ACCESS
The CDP is designed to share its data with other systems. This makes it easier to coordinate customer treatments across different channels and to consistently personalize messages within each channel. Analytical systems, such as predictive models, artificial intelligence, and attribution, also benefit greatly from easy connections to ready-to-use data.
A CDP is packaged software. This means it includes pre-built features that an IT department would otherwise need to develop. These features include connectors to common source systems, tools, and APIs to simplify connection to new systems, processes for common tasks such as data cleaning and identity matching, standard reports on system operations, and prebuilt integrations with marketing, sales, service, and operational systems. As with other types of packaged software, a CDP is almost always a cheaper, faster, and less risky way to reach your goals than custom development.
CDP vendors are experts at building unified customer databases. This means they can provide technical support and professional services to help during your deployment, often anticipating problems that would otherwise go undetected until later stages of a project. It also means they continually update their systems to meet evolving industry needs and regulations—including those of the GDPR.
CDPs are built to work with all kinds of data and to rapidly adapt to new sources. This is especially important in today’s business environment, where new systems and data types are constantly added. GDPR makes it a legal requirement to quickly integrate these with other company systems. But your marketers and other departments would want to do that even if GDPR didn’t exist.
By building a customer data repository outside of your other systems, the CDP makes it easier to replace systems as needed. There’s no risk of losing customer data stored within those systems, no disruption to other systems that read their data, and no need to look for replacement systems that built a unified customer database of their own. This is especially important for sophisticated companies that want to buy the best system possible for each application.
Integrated applications: Many CDPs provide applications of their own for tasks such as segmentation, personalization, campaign management, predictive modeling, or advanced analytics. Buyers who find the CDP’s version of those applications meet their needs will benefit from tight integration and easier deployment. This is often most appealing to companies that lack adequate existing systems for these functions and want to deploy a complete solution quickly.
Vetting a CDP
All CDPs offer the same core function: building and sharing a unified, persistent customer database. But the details vary greatly. Companies that want a CDP to support GDPR compliance should look for several specific capabilities:
PROCESSOR OR CONTROLLER
A critical question is whether a CDP will be considered a data processor or a data co-controller by the GDPR standards. If the CDP is considered a data processor, GDPR compliance is relatively straightforward, as the processor falls within the marketer’s compliance scheme. However, if the CDP is considered a data controller, both the marketer and the CDP will need to coordinate their co-controller status, including harmonizing consent and legitimate use status, handling APD requests, liability assignment, etc.
While the status of CDPs may not be clear in the immediate term, a quick test is to determine whether the CDP has its own data assets that it has created by commingling customer data. In these cases, there is a high probability that the CDP will be considered a co-controller. Another test would be to understand if there is explicit segregation of data between CDP customer data - not necessarily physical, but logical. If there is not explicit segregation of data between customers, there could be a co-controller situation which will need to be addressed.
Personal data comes in all formats, including structured, semi-structured, and unstructured. Most CDPs should be able to ingest and store all of these.
CONSENT ENABLED FILTERING / COORDINATION
Important personal data may be embedded in semi-structured or unstructured sources, such as weblogs containing IP addresses or device IDs. A CDP should have features to extract them and store them in a structured database for easy access.
A CDP should be able to load data from source systems via an open API and file imports. Prebuilt connectors to systems you already have in place are extremely helpful; beyond the ability to connect, they reduce the effort needed to accommodate different data structures and formats.
A CDP must be able to link different identifiers that relate to the same person. At a minimum, it should maintain links provided directly by the customer (e.g., phone number, email address, and postal address entered into a personal account). It should ideally also maintain inferred matches, such as linking a device ID to an email account used on that device. All of these different identifiers should be connected to a persistent ID that doesn’t change over time.
Some CDPs provide data collectors, such as website tags or mobile SDK hooks, that can gather data and then share it with other systems. Removing tags or SDK calls that were gathering data separately for each system can improve performance and reduce the risks of privacy violations through data leakage.
A CDP should itself employ best practices for maintaining data security, including encryption of sensitive data. It should also support secure data sharing practices like anonymizing data sets for analysis, and creating hashed customer identifiers to share personal data without exposing actual identities.
A CDP should be able to attach permissions to personal data, maintain rules that define how it can be used, ensure access requests comply with the rules, and keep track of actual usage.
A CDP should be able to attach usage restrictions to data that’s shared with business partners or processors in agreed formats. Conversely, if your company will accept data from partners, the CDP should be able to receive it with restrictions and apply them. And of course, as the controller of such data, your company should be able to have granular control regarding which partners have access to data, and even specify which data segments those data partners may process.
A CDP should be able to provide data subjects with direct access to their data, likely through SQL queries by a system built for this purpose.
Access, Portability and Erasure (APE) rights for consumers are a centerpiece of the GDPR. How a CDP supports this requirement depends on whether it is considered a processor or co-controller. If the CDP is a processor, it will support the marketer’s efforts to respond to APE requests. These requests will need to be authenticated by the marketer as the data controller. The specific requirements for this will largely be determined by the marketer and how they want to address APE requirements.
If a CDP is a co-controller, it will need to support its own APE requests in addition to supporting the marketer’s own requirements. The two parties will also need to coordinate their APE efforts to make it clear to consumers which parties are involved in the APE.
A CDP alone won’t be the panacea for GDPR compliance.
Companies still need to modify their organization and business processes to support GDPR principles. They must design operational systems to correctly capture consent, avoid unauthorized data collection, and make changes or deletions when required. Companies will also need to supervise processors and business partners to ensure they also provide adequate security and comply with usage constraints.
But a CDP can solve several important challenges posed by GDPR, above all, by assembling a unified view of each customer’s data. Companies that do not already have a GDPR solution in place should look closely at whether a CDP should be part of their final design as GDPR standards continue to become more strictly enforced.