BLOG

Surprise: Marketing Dashboards have a GDPR problem too

PUBLISHED ON

Tweet about this on TwitterShare on FacebookShare on LinkedIn

square peg trying to go into a round hole

Yes, we have all probably heard quite enough about GDPR. There’s plenty of good tips, and also plenty of misleading information out there. The field is confusing enough as is.

But we can’t dodge the bullet, and, as Sweetspot customers start to ask or incorporate certain clauses into our contracts, we have to be much more clear about the impact that privacy compliance has on tools that apparently have little to do with personal data.

Here’s a quick, easy-to-digest summary of many exchanges we have had in private with customers, Data Protection Officers, and lawyers (me being one!).

Why would GDPR apply to dashboards or enterprise reporting environments?

Putting the more obvious B2B customer data aside (this relating to the actual people configuring and accessing the platform, as employees of our business customers), the very data handled by a reporting or omnichannel data integration tool can certainly be subject to privacy compliance.

After all, GDPR presents a very broad definition of “data processing”, which encompasses pretty much everything we know we can do with data (collection, analysis, retrieval, activation…), so it will all boil down to whether “personal data” is involved.

In essence, personal data goes far beyond so-called “Personally Identifiable Information” (or PII). To EU law, it does not really matter that a certain cookie ID, IP address, or GPS location cannot be tied to a physical person as it stands. What does matter is that it could be traced back to an individual if it were combined with other data points. Much of the data we deal with in marketing is actually deemed “pseudonymous data” by the EU legal framework, which means it is not really anonymous and, as such, will require full compliance.

In other words, again, forget PII as a threshold for compliance.

When would such dashboarding/reporting/marketing intelligence platforms require further scrutiny under the law, then? Here’s a few examples:

  • You are bringing granular, visitor-level data into your dashboard that includes a cookie ID or reference which CAN be matched with other records
  • You are retrieving IP addresses from your original data sources
  • Your platform will perform cross-device ID matching for the sake of attribution modeling
  • Your platform is integrated with a data onboarding solution (by nature working at granular level)

Sweetspot has, from day one, honored a commitment to stick to aggregate data and its many possibilities: compound, multi-source KPIs/breakdowns, forecasting, benchmarking, goal management, impact on timeline, etc. (check some of my blog posts from the past five years), consistently dismissing requests to accommodate any efforts remotely related to granular data integration, whether in the name of attribution, or for visitor-level analysis purposes.

Getting back to the matter at hand, let’s assume for a second that YOU DO actually use a platform that normalizes data at visitor/cookie level. Not the end of the world, but certainly the beginning of a lot of pain.

The new limits of user consent

The EU’s General Data Protection Regulation provides six possible legal bases for your processing of such personal data. In practical terms, you will probably have mostly heard of two of these: consent and legitimate interest.

While legitimate interest can be claimed whenever there is an existing contractual relationship between “data subjects” and “data controllers” (under which the processing may be expected), online data collection scenarios, mostly accessory to the task being performed, are highly unlikely to qualify. This leaves “unambiguous consent” as your most reliable legal basis.

Stop for a second and try to remember how you obtained all of that granular data.

  • Some of it was probably collected via your tag management system, then passed over to a web analytics tool
  • Some of it originated in your ad servers, themselves enriched by third party tools
  • Some of it may have been retrieved from second-party data pools

Is there a chance that the parties obtaining such data on your behalf (who may be deemed “data processors” or “joint data collectors”, depending on the circumstances) have obtained valid consent?

Perhaps under the soon-to-be-extinct regime, which pretty much validated the implied consent system we find all over the web (those extremely annoying cookie banners). But certainly not under the new GDPR standards, which require true prior, express consent – and an even higher bar of two-factor, or “explicit” consent for certain data types.

Where is your dashboard provider hosting your data?

Let’s assume that all of the data you retrieve, store, integrate, and visualize has been obtained through prior, valid consent by everyone in the personal data custody chain. EU law will prevent the storage of such data in the United States (when related to EU citizens), unless:

  • Individuals (that data pertains to) have granted additional consent (itself subject to a higher, two-factor or “explicit” bar), or
  • Businesses have registered under the Privacy Shield program, which guarantees an adequate level of protection on the opposite side of the pond (formerly Safe Harbor, if that rings a bell).

As said, Sweetspot does not really allow (as per our own contract AND the manner in which our tool ingests data) for granular data integration, but, even if we found ourselves in the need to become a data processor, our servers are located in Ireland, saving Data Protection Officers a separate headache.

Security matters too

Lastly, privacy compliance will sometimes overlap with data security requirements. In the European framework this happens at two levels:

  • Storing data that pertains to special categories (health, ethnic origin, political opinions, etc.) will require an additional level of security, with official interpretations of the law -the “Article 29 Working Party”- pointing towards the ISO 27001 standard
  • There are specific provisions for data breach notifications in GDPR, themselves requiring details on the measures in place.

To keep using Sweetspot as an example, our two principal platforms (Sweetspot Intelligence and Sweetspot Reports) are audited under ISO 27001 on a yearly basis, should this ever become a concern despite all of the above.

Conclusion

Regardless of the steps we may have already taken to ensure proper user consent at data collection level (cookies, fingerprinting, location data, etc.), we must still pay attention to every additional layer of our marketing technology stack. Reporting environments are no exception.

Sweetspot can be the answer for organizations who simply have no time to destroy and redefine their entire reporting environment under GDPR, instead keeping a separate, “clean data”-based platform in charge of reporting tasks related to EU-based audiences and customers.

Can we be of help?

Tweet about this on TwitterShare on FacebookShare on LinkedIn

Sergio Maldonado

Founder & Chairman at Sweetspot. Author, speaker on analytics, marketing technology, privacy compliance. JD, LLM (Internet law). Once a dually-admitted lawyer. Father of three. I love surfing and cooking.


Add a comment

Try Sweetspot today!

Not Another Dashboard.