GDPR: Digital Experience in the Age of Consumer Privacy

Ingeniux Web Experience Strategies: GDPR Compliance

The Protection of Consumer Privacy and an Opportunity for Brands

The digital economy has brought many great things to consumers, but it has also raised big questions about the collection and use of customer data and their right to privacy. The result has been the introduction of a new set of privacy regulations in the EU – the GDPR, and a re-thinking of how privacy can present a new way to engage and build relationships with customers regardless of where they live. 

What is GDPR

The EU GDPR, General Data Protection Regulation "replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy." 

The GDPR outlines exactly what constitutes private data, what rights consumers have to the data a company collects on them, and how companies can collect and use customer data. It also outlines clearly what will happen if you don’t adhere to the regulation, with huge fines for those who found in non-compliance. 

This is an EU citizen privacy regulation. If you are a global company that sells products and services to citizens in the EU, then you are required by law to comply with the regulation. Even if your company is in the US, if you ship goods to the EU, you are affected. You don't have to apply these regulations to your US customers, or customers from countries not part of the EU. 

Let's look at the GDPR "Data Subject Rights," and what they mean for how you, as a marketer. 

Why is the GDPR Important for You?

According to the regulation, "‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’)." This includes all the obvious personal information such as name, age, address, birthdate, credit card number, social security number and so on. But it also includes information stored in cookies that identify the person, device ids and other locations where a person leaves a digital footprint.

A Data Subject is any EU citizen whose personal data you have collected. It applies to persons only, not companies.
The Data Subjects rights are found in Chapter Three of the GDPR. They are as follows:

  1. Right of access by the data subject – a data subject can request to know if a company has collected data on them and ask to see all the information collected.
  2. Right to rectification – a data subject has the right to modify the data a company has collected on them.
  3. Right to erasure ('the right to be forgotten') - a data subject can request that all data a company has collected on them be deleted and the proof showed that it has been deleted.
  4. Right to restriction of processing – a data subject can request that information collected on them can only be used in certain ways, limiting how the company can use that information.
  5. Right to data portability – a data subject can request that all information a company has collected on them be packaged up and sent to another company (typically a competitor). The data must be packaged in a way that is both human and machine-readable.

These data subject rights, along with other parts of the regulation affect how you do both inbound and outbound marketing. You will have to look at when and how you capture data about a person if you have asked explicit permission to capture that data and explained how you would be using it, where you are storing the data and how you will provide access to data subjects to view or modify their data.

How Can You Plan for the GDPR?

There is much work to do to ensure you are complying with the GDPR, but to get you started here are a few things should do:

  • Confirm you need to comply with the regulation. If you don't have customers in the EU, and you don't store information about EU citizens at all, then you likely don't have to comply with the GDPR.
  • Take an inventory of all your digital properties and note where you capture personal information, where you use personal information and what you use it for. Make sure you include any registration pages, but also places where you may not explicitly ask for personal information, but you collect data that can be attributed to a person. You need to understand every touchpoint so that you can later review them and decide which ones you need to continue and which you can suspend.
  • Perform an inventory across the company that lists every location you store personal data. If a data subject asks if you are storing information on them, you must show all the data you have, no matter where it's stored in your company. This would include support systems like a support portal or a customer community.

Create a Content/Application Inventory for GDPR

Compliance with the GDPR requires you fully understand where you capture your website visitors' personal data and where you store that data internally. The reality is that personal visitor data is often stored in many locations, including cloud-based marketing tools, file shares and databases across the organization. If you don't know everywhere this personal data is stored, you'll have a very hard time complying with many of the articles of the regulation.

Let's look at some of the things you need to do to ensure your web experience is compliant.

Marketing Apps

According to the GDPR, a data controller is a person or a company who wants to collect and use personal data. A data processor is a person or company that captures and processes the data on behalf of the controller.

A company can be both a controller and a processor, but often a controller also works with other processors. For example, a marketing automation provider is a data processor on behalf of a company. Google Analytics is another example of a data processor. These vendors (processors) are also required to comply with the GDPR.

It's very likely you have one or more applications connected to your website collecting data, including analytics and marketing automation. Make a list of applications connected to your website and what data they are collecting. Check with these vendors and ask what steps they are taking to ensure compliance. If they aren't compliant, you must switch to a vendor that is.

Third-Party Apps Embedded in Your Website

Often, companies incorporate third-party apps in their web experience. For example, you might include a widget that offers a weather app or contest where the visitor enters personal information. These apps are sometimes embedded via a frame which means you don’t host the content or the data.

Make a note of all the locations on your website where you use these types of embedded third-party applications and what data they capture. You need to check with the app provider to see if they are conforming to the GDPR and if not, you’ll have to remove the app from your website.

You may also want to consider removing the app completely even if it is compliant with the GDPR. The less third-party tools you use that capture personal data, the better you can ensure your company is protected. Remember, as the controller, even if it’s the processor that’s non-compliant, you are still at risk because the processor is doing the work for you.

Look for and Remove the ROT

ROT stands for “redundant, obsolete or trivial” data; data you don’t want around because it has no value to you or the experience you deliver but has the potential to expose you to great risk if it gets into the wrong hands.

Spend time examining all your marketing activities and the data you have collected on customers and prospects. Delete any data you no longer use. For data you think you still need, ask yourself if you could provide the same experience if you didn’t have this information. If you can, delete the data you have and stop capturing it going forward. If you do need the data, make sure you have the right consent forms in place permitting you to capture it. Then capture and manage it in a way that complies with the GDPR policies.

Tag Management and GDPR

One way to manage all the cookies and tags marketing applications need to place on your website is to use a tag management system. Depending on the tag management system, you may be able to allow website visitors to opt-in to parts of the web experience. Also, because the GDPR only applies to EU citizens, your tag management platform should be able to display different opt-in/opt-out options based on geo-location or website (assuming you present a different version of your website for some EU citizens, such as a French version of your website).

Placing all your tags in a tag management platform gives you a centralized location to track and manage tags from vendors and the information they collect.

Once you have your inventory complete and you understand how to apply the regulation, you now need to make some decisions about your digital experience.

GDPR in the Age of Consent: You Have to Earn Your Audience

The GDPR is going to change the way you do business, and for many, that's a good thing.

Think about it this way:

"While complying with GDPR regulations is definitely a challenge for all organizations currently operating with EU citizens, success would lie in seeing these new regulations as an opportunity to achieve competitive differentiation rather than just a barrier or a challenge. This presents an exemplary opportunity for organizations to drive digital trust for their brands and ensure that they not only comply with these regulations but also end up making a mark for themselves in this competitive environment."

What does that mean? Is it an opportunity?

The Age of Consent

Let's face it; your customers are becoming much more concerned about their privacy. They want to know why you want their information and what you are going to give them in return for it. And if they find out you've used it inappropriately, or not used it to better their experience, watch out.

You only have to look at what happened with Facebook to understand the privacy challenge. The GDPR is the EU's way of dealing with the misuse of the personal information of its citizens. One of the biggest changes is in how you capture private data.

From the GDPR Key Changes:

"The conditions for consent have been strengthened, and companies will no longer be able to use long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it."

You have to change the way you capture information about your visitors and customers. When you ask them to register, your terms of use will have to be explicit and easily understood. You won't be able to drop a cookie on a visitor's desktop without first asking permission to do it, and you will have to tell them what information you are storing and why.

These changes only apply to EU citizens, but it seems like the right time to make the changes for everyone and deliver an experience all your users can trust and enjoy.

This is the age of consent. And it's a perfect opportunity to step back and look at your customer experience and associated content strategy from a new angle.

Great Customer Experience is No Longer an Option

Companies can end from a bad customer experience, but there are still many out there who don't make the effort required to make customers happy.

"Marketers will not legalize or “software” their way out of the GDPR challenge. They must innovate, design, and create their way into the GDPR. The one thing absolutely clear since we at CMI started talking about GDPR more than a year ago is that it is the biggest opportunity in more than a decade for content marketers to become strategic." Robert Rose, Content Marketing Institute

Privacy is not the end of a great experience; instead, think of it as the beginning of an even better experience. If you haven't done it already, document your current web experience. Make a note of the following:

  • pages where you drop a cookie and update it,
  • where you have registration forms
  • where your Terms of Use web pages are and what they say,
  • the pages you have applied personalization or targeted content

You'll also want to look at your analytics to see where visitors are spending their time on your website, what forms are converting, how long they stay on your website, what pages have the highest bounce rate and so on. Scan search analytics to understand what visitors search for on your site.

Revisit your customer journey and confirm the web pages that are the most important to visitors. Identify where they are most likely to share additional information about themselves to get more information or a more personalized experience.

Armed with all this information, it's time to evaluate your web experience and make some changes. Do you need to personalize every page? Which ones are most important and are you providing the necessary information? Are you missing key content on your website?

If you knew more about the visitor could you provide more relevant content?

As you redesign your customer experience, keep the GDPR in mind, ensuring all your changes support the regulation.

A Final Note

Your content management system doesn’t make great content, but it can help you make that content easier. While you are re-evaluating your customer experience from a content perspective, take some time to re-evaluate your CMS and ensure it provides the best tools to do the job. This is no time to get complacent with your CMS infrastructure.

GDPR: Digital Experience in the Age of Consumer Privacy

The digital economy has brought many great things to consumers, but it has also raised big questions about the collection and use of customer data and their right to privacy. Learn about GDPR and how to prepare your web experience for the new regulation. Find out how this new way of thinking about digital privacy can present an opportunity to engage with customers online in meaningful ways.

This website uses cookies to enhance your experience. You can read more about how this website uses cookies and your privacy options in our privacy policy.