For mar tech companies, General Data Protection Regulation (GDPR) preparation starts by acknowledging that they handle personal data.
Many will insist it’s all de-identified and anonymized, said Omer Tene, VP and chief knowledge officer at the International Association of Privacy Professionals.
“But drill a bit deeper and you’ll find that while they might not have direct identifiers like a person’s name or social security number, they do collect, process and store personal data under GDPR,” he said.
The regulations broaden the definition of personal data to include pseudonymous data, like cookies or hashed email addresses – the lifeblood of mar tech vendors, marketing clouds and data platforms.
Here’s how the mar tech industry is getting ready for the regs.
Click below to read our companion guides to GDPR:
- The Marketer’s Guide To GDPR
- The Publisher’s Guide To GDPR
- The Media Agency’s Guide To GDPR And Privacy
Mar tech prep
Mar tech vendors need to engage in a detailed data mapping exercise to figure out how data flows through the organization, including what data is being collected, how it’s collected, where it’s stored and who has access.
Conducting a complete data inventory also helps a company figure out whether it’s a data processor under the law or a data controller.
Most mar tech providers are processors, meaning they process data on behalf of their clients, the controllers, which determine how and why the data is being processed.
“The delineation is clear,” said Peter Bell, senior director of product marketing at Marketo. “In a client’s instance of the cloud, they gather the data and they ensure they have consent for it.”
For a SaaS marketing automation platform like Marketo, the majority of the data it handles is permissioned, first-party data that comes direct from clients.
Even so, Marketo conducted a thorough audit of its data practices across all of its products and IT systems, capping off the exercise by updating its client contracts. The regs require processors to add language to their contracts promising to assist controllers in complying with GDPR.
The changes help indemnify data controllers in the case of a violation and clearly set out the duration, nature and purpose of the processing, said Forrester principal analyst Fatemeh Khatibloo.
But the contractual addendums protect the processor just as much as they do the controller.
“A lot of the marketing cloud vendors are absolutely putting liability clauses in contracts,” Khatibloo said. “They really have no way to police whether the client obtained consent or not before sending them the data – it’s nigh impossible.”
And that’s why third-party processors, especially those that own ad tech assets, like Salesforce/Krux and Adobe/TubeMogul, always have to swim in their lane.
“It’s very important to be careful that we don’t take on the role of controller – it’s their data and we process it on their instruction,” said Alisa Bergman, chief privacy officer at Adobe. “But we’re also on a shared compliance journey together.”
The rights stuff
And a central part of that shared compliance journey is handling data subject access requests.
Under GDPR, EU citizens have the right to get a copy of all their personal data, the right to port their data between platforms, delete their data and the right not to be profiled or have their data processed at all.
Controllers are most likely to receive those requests since they have the direct consumer relationship, but their vendors are required to help field them – and that’s a huge logistical challenge, Khatibloo said.
Account-based marketing software provider Demandbase is developing specific technological tools to help handle requests and “alter the way we host information,” said Fatima Khan, who became the company’s first-ever chief privacy officer in February.
“We’re in the process of finalizing an API build,” Khan said. “That will allow us to get data on an individual and return it to that individual if requested.”
Salesforce, with all of its offerings, has a more complex beast to tackle. It created a detailed website dedicated to GDPR compliance, including documentation on how clients can comply with data subject access requests across its different solutions.
Within the Salesforce Marketing Cloud, for example, the Contact Builder tool manages the right to be forgotten. Within its DMP, Salesforce supplies functionality to remove an entire record or only certain data sets or data fields. Within Pardot, its B2B marketing automation platform, Salesforce customers can delete personal data at an individual level or an organization level. And so on through the Sales Cloud, the Commerce Cloud, the Service Cloud and the Salesforce CRM platform.
“There’s great activity in the market toward reconfiguring the systems – and sometimes even product – to enable compliance with individual rights,” the IAPP’s Tene said.
As for handling updates to ePrivacy, mar tech is in vigilant wait-and-see mode. EPrivacy, the European directive governing electronic communications, could remove legitimate interest as a basis for processing data when it eventually comes into law.
“The ad industry is lobbying hard to keep legitimate interest, but if it doesn’t happen, we’ll figure out a way to adapt,” Khan said. “That may mean adjusting the data we collect or implementing additional processes when we collect or use data.”
GDPR provides a good opportunity for processors to take stock of their internal operations.
Adobe is addressing the way data is organized and which identifiers are used within Adobe Analytics and setting guidelines for how data is applied against other third-party data within Audience Manager, something that’s “critically important when you’re merging data from various sources,” Bergman said.
But GDPR also requires companies to take data privacy into account during product development.
Adobe, for example, embeds privacy directly into the engineering life cycle, Bergman said. The first phase of any product development at Adobe is called “concept accept,” in which she and her team present its privacy impact assessment of the proposed tool in front of the engineering board.
At Salesforce, data privacy impact assessments have always been part of any new feature or service rollout, said Lindsey Finch, SVP of global privacy and Salesforce’s product legal team. GDPR puts a bow on the process.
“We have for quite some time at the company been meeting the spirit of that requirement,” Finch said. “Now we’ve been formalizing that program going forward.”
Worth the effort
But there’s no finish line when it comes to GDPR compliance, Finch said. “GDPR is not something that can be outsourced [and] accountability is more than a box-ticking exercise.”
The Oracle Data Cloud worked for more than a year to review its systems, processes and technical controls and make necessary changes or improvements, said Brandon Paine, the data platform’s international VP and GM.
Demandbase, which has a chief privacy officer and privacy consultants and attorneys on retainer, also created a cross-functional GDPR team that consists of members from across the organization, including marketing, engineering and finance. Demandbase also plans to hire a data protection officer “in the near future,” Khan said.
But still, no amount of blood, sweat or tears can ensure perfect compliance with GDPR before May 25. The impending rules still leave many unanswered questions that will only start to shake out once the law goes into effect, said Luma Partners CEO Terry Kawaja.
“What is clear, though, is that the industry is woke,” Kawaja said. “But is what they’re doing sufficient? I’m not sure anybody has the definitive answer on that just yet.”