Companies have had a year to get ready for the EU GDPR (General Data Protection Regulation), which goes into enforcement on May 25, 2018, but many are still not ready. Compliance with the GDPR requires that you fully understand where you capture your website visitors' personal data and where you store that data internally.
The reality is that personal visitor data is often stored in many locations, including cloud-based marketing tools, file shares and databases across the organization. If you don't know everywhere this personal data is stored, you'll have a very hard time complying with many of the articles of the regulation.
Let's look at some of the things every organization should do to ensure their web experience is compliant.
First, let's clarify two specific roles in the GDPR: Data Controllers and Data Processors. According to the GDPR, a data controller is a person or a company who wants to collect and use personal data. A data processor is a person or company who captures and processes the data on behalf of the controller.
A company can be both a controller and a processor, but often a controller also works with other processors. For example, a marketing automation provider is a data processor on behalf of a company. Google Analytics is another example of a data processor. These vendors (processors) are also required to comply with the GDPR.
It's very likely you have one or more applications connected to your website collecting data, including analytics, marketing automation, and others. Make a list of applications connected to your website and what data they are collecting. Check with these vendors and ask what steps they are taking to ensure compliance. If they aren't compliant, you must switch to a vendor that is.
Many of the marketing applications in use today are cloud-based solutions, and you have no direct control over how the data is stored. One area to ask vendors about is their participation in Privacy Shield. US companies collecting the personal data of EU citizens often transfer that personal data from the European Union to the United States.
"The Privacy Shield Principles lay out a set of requirements governing participating organizations’ use and treatment of personal data received from the EU and Switzerland. By joining the Privacy Shield, participants make a commitment to comply with these Principles that is enforceable under U.S. law."
In some cases, vendors also provide tools to help you meet requests from data subjects, for example if you use data providers or advertising providers who manage the data of customers.
Third Party Apps Embedded in Your Website
Often, companies incorporate third-party apps in their web experience. For example, you might include a widget that offers a weather app or a contest where the visitor enters personal information. These apps are often embedded via a frame which means you don’t host the content or the data.
Make a note of all the locations on your website where you use these types of embedded third-party applications and what data they capture. You need to check with the app provider to see if they are conforming to the GDPR and if not, you’ll have to remove the app from your website.
You may also want to consider removing the app completely even if it is compliant with the GDPR. The fewer third-party tools you use that capture personal data, the better you can ensure your company is protected. Remember, as the controller, even if it’s the processor that’s non-compliant, you are still at risk because the processor is doing the work for you.
Look for and Remove the R.O.T.
ROT stands for “redundant, obsolete or trivial” data: data you don’t want around because it has no value to you or the experience you deliver, but which has the potential to expose you to great risk if it gets into the wrong hands. Unfortunately, although most organizations have plans for capturing data and using it for a program or campaign, they often don’t plan for removing that data when it’s no longer needed, which means you need to do some house cleaning.
Spend time examining all your marketing activities and the data you have collected on customers and prospects. Delete any data you no longer use. For data you think you still need, ask yourself if you could provide the same experience if you didn’t have this information. If you can, delete the data you have and stop capturing it going forward. If you do need the data, make sure you have the right consent forms in place giving you permission to capture it. Then capture and manage it in a way that complies with the GDPR policies.
Tag Management and GDPR
One way to manage all the cookies and tags that marketing applications need to place on your website is to use a tag management system. Depending on the tag management system, you may be able to allow website visitors to opt in to parts of the web experience. Also, because the GDPR only applies to EU citizens, your tag management platform should be able to display different opt-in/opt-out options based on geo-location or website (assuming you present a different version of your website for some EU citizens, such as a French version of your website).
Placing all your tags in a tag management platform gives you a centralized location to track and manage tags from vendors and the information they collect.
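To make the opt-in gating concrete, here is an added example (not code from the original post or from any tag management vendor) of a minimal consent-gated tag loader: vendor scripts are only injected after the visitor has opted in to that tag's category, with the opt-in requirement keyed on an assumed EU country list. The tag catalogue, script URLs and consent cookie format are constructed placeholders.

```javascript
// Constructed EU member-state list used to decide whether explicit opt-in is required.
const EU_COUNTRIES = new Set(["AT","BE","BG","HR","CY","CZ","DK","EE","FI","FR","DE","GR",
  "HU","IE","IT","LV","LT","LU","MT","NL","PL","PT","RO","SK","SI","ES","SE"]);

// Constructed tag catalogue: each vendor script and the consent category it needs.
// The URLs are placeholders, not real vendors.
const TAGS = [
  { id: "analytics",            category: "analytics",  src: "https://example.invalid/analytics.js" },
  { id: "marketing-automation", category: "marketing",  src: "https://example.invalid/ma.js" },
  { id: "weather-widget",       category: "functional", src: "https://example.invalid/weather.js" },
];

// Parse a constructed consent cookie such as "analytics=1;marketing=0;functional=1".
// Returns null when no consent has been recorded at all.
function parseConsentCookie(value) {
  if (!value) return null;
  const consent = {};
  for (const part of value.split(";")) {
    const [key, val] = part.trim().split("=");
    if (key) consent[key] = val === "1";
  }
  return consent;
}

// Return the ids of tags allowed to load for this visitor.
// EU visitors: a tag loads only with an explicit opt-in for its category.
// Other visitors: tags load by default, but a recorded opt-out is still honoured.
function permittedTags(countryCode, consent, tags = TAGS) {
  const needsOptIn = EU_COUNTRIES.has(countryCode);
  return tags
    .filter(tag => needsOptIn
      ? consent !== null && consent[tag.category] === true
      : consent === null || consent[tag.category] !== false)
    .map(tag => tag.id);
}

// Inject the permitted scripts into the page; outside a browser it only returns the ids.
function loadTags(countryCode, consent, doc = (typeof document !== "undefined" ? document : null)) {
  const ids = permittedTags(countryCode, consent);
  if (doc) {
    for (const tag of TAGS.filter(t => ids.includes(t.id))) {
      const script = doc.createElement("script");
      script.src = tag.src;
      script.async = true;
      doc.head.appendChild(script);
    }
  }
  return ids;
}
```

Keying the decision on the tag's category rather than on the tag itself lets the same opt-in banner govern every vendor you later add in that category.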
Keep Your Content Inventory Up to Date
The content inventory as it applies to your website comprises not only the data you capture directly from your internal web applications, but also the data captured and managed by your cloud-based marketing applications and third-party apps integrated with your website.
It’s important to have all touchpoints and data documented and to keep that document up to date as you add or change marketing applications and adjust campaigns and personalized experiences on your website. When a data subject (customer or prospect) requests to see what information you have about them, you’ll need to be able to quickly find all of it and provide it in a timely manner.