Yes, we have all probably heard quite enough about GDPR. There’s plenty of good tips, and also plenty of misleading information out there. The field is confusing enough as is.
But we can’t dodge the bullet, and, as Sweetspot customers start to ask or incorporate certain clauses into our contracts, we have to be much more clear about the impact that privacy compliance has on tools that apparently have little to do with personal data.
Here’s a quick, easy-to-digest summary of many exchanges we have had in private with customers, Data Protection Officers, and lawyers (me being one!).
Putting the more obvious B2B customer data aside (this relating to the actual people configuring and accessing the platform, as employees of our business customers), the very data handled by a reporting or omnichannel data integration tool can certainly be subject to privacy compliance.
After all, GDPR presents a very broad definition of “data processing”, which encompasses pretty much everything we know we can do with data (collection, analysis, retrieval, activation…), so it will all boil down to whether “personal data” is involved.
In essence, personal data goes far beyond so-called “Personally Identifiable Information” (or PII). To EU law, it does not really matter that a certain cookie ID, IP address, or GPS location cannot be tied to a physical person as it stands. What does matter is that it could be traced back to an individual if it were combined with other data points. Much of the data we deal with in marketing is actually deemed “pseudonymous data” by the EU legal framework, which means it is not really anonymous and, as such, will require full compliance.
In other words, again, forget PII as a threshold for compliance.
When would such dashboarding/reporting/marketing intelligence platforms require further scrutiny under the law, then? Here’s a few examples:
Sweetspot has, from day one, honored a commitment to stick to aggregate data and its many possibilities: compound, multi-source KPIs/breakdowns, forecasting, benchmarking, goal management, impact on timeline, etc. (check some of my blog posts from the past five years), consistently dismissing requests to accommodate any efforts remotely related to granular data integration, whether in the name of attribution, or for visitor-level analysis purposes.
Getting back to the matter at hand, let’s assume for a second that YOU DO actually use a platform that normalizes data at visitor/cookie level. Not the end of the world, but certainly the beginning of a lot of pain.
The EU’s General Data Protection Regulation provides six possible legal bases for your processing of such personal data. In practical terms, you will probably have mostly heard of two of these: consent and legitimate interest.
While legitimate interest can be claimed whenever there is an existing contractual relationship between “data subjects” and “data controllers” (under which the processing may be expected), online data collection scenarios, mostly accessory to the task being performed, are highly unlikely to qualify. This leaves “unambiguous consent” as your most reliable legal basis.
Stop for a second and try to remember how you obtained all of that granular data.
Is there a chance that the parties obtaining such data on your behalf (who may be deemed “data processors” or “joint data collectors”, depending on the circumstances) have obtained valid consent?
Perhaps under the soon-to-be-extinct regime, which pretty much validated the implied consent system we find all over the web (those extremely annoying cookie banners). But certainly not under the new GDPR standards, which require true prior, express consent – and an even higher bar of two-factor, or “explicit” consent for certain data types.
Let’s assume that all of the data you retrieve, store, integrate, and visualize has been obtained through prior, valid consent by everyone in the personal data custody chain. EU law will prevent the storage of such data in the United States (when related to EU citizens), unless:
As said, Sweetspot does not really allow (as per our own contract AND the manner in which our tool ingests data) for granular data integration, but, even if we found ourselves in the need to become a data processor, our servers are located in Ireland, saving Data Protection Officers a separate headache.
Lastly, privacy compliance will sometimes overlap with data security requirements. In the European framework this happens at two levels:
To keep using Sweetspot as an example, our two principal platforms (Sweetspot Intelligence and Sweetspot Reports) are audited under ISO 27001 on a yearly basis, should this ever become a concern despite all of the above.
Regardless of the steps we may have already taken to ensure proper user consent at data collection level (cookies, fingerprinting, location data, etc.), we must still pay attention to every additional layer of our marketing technology stack. Reporting environments are no exception.
Sweetspot can be the answer for organizations who simply have no time to destroy and redefine their entire reporting environment under GDPR, instead keeping a separate, “clean data”-based platform in charge of reporting tasks related to EU-based audiences and customers.
Can we be of help?
Not Another Dashboard.
Add a comment