1.
GDPR and Data Privacy Best
Practices for Digital Marketers
Prepared by / 22 March 2018
Ryan Horner & Bob Beach

2.
Consultant
Bob Beach
Managing Director, Technology
Ryan Horner

3.
Agenda
• Defining GDPR
• Changing Data Privacy Expectations
• 5 Key Concepts for Digital Marketers
• Applying to Marketing Automation
• A Process & Steps to Take Now

4.
What is GDPR?

5.
General Data Protection Regulation (GDPR)
• Standardize data privacy laws across Europe
• To protect and empower all EU citizens from data privacy and
breaches
• “The protection of natural persons in relation to the processing of
personal data is a fundamental right.” -Recital 1
• To reshape the way organizations approach data privacy
• Users own their data and you are just borrowing it
• 261 pages, 173 Recitals and 99 Articles
What When Who/Where Why How

6.
General Data Protection Regulation (GDPR)
• Approved by EU Parliament in 2016 and enforcement on
May 25th 2018.
• 63 Days, 7 Hours from Now
What When Who/Where Why How

7.
General Data Protection Regulation (GDPR)
• The GDPR... will apply to a organizations located outside
of the EU if they offer goods or services to, or monitor the
behavior of, EU data subjects.
• It applies to all companies processing and holding the
personal data of data subjects residing in the European
Union, regardless of the company’s location (applied
through diplomatic or consular post).
What When Who/Where Why How

8.
• Heavy Fines - up to 4% of Annual Revenue or €20 Million (whichever is
greater)
• GDPR is here now, but more regulations are coming.
• Avoid negative brand reputation / PR / news from data privacy
breaches
• Meet users expectations for privacy
What When Who/Where Why How
General Data Protection Regulation (GDPR)

9.
• Awareness
• Process
• Team
• Including Legal Counsel
• Note: Each organization is unique and will require its own legal
counsel to interpret the specifics of GDPR in its situation.
What When Who/Where Why How
General Data Protection Regulation (GDPR)

10.
GDPR in Context
Data Privacy & Trust

11.
And many more…Target, JP Morgan
Chase, Anthem, Ebay, Home Depot…

12.
The State of Data Privacy
91% of adults agree that they
have lost control of how
personal information is
collected and used by
companies.
PEW Research, 2016
83% of respondents agreed
that trust is the cornerstone of
the digital economy.
Accenture Tech Vision, 2016
74% of respondents say it is
“very important” that they be
in control of who can get
information about them.
PEW Research, 2016
84% of U.S. companies don’t
understand what GDPR means,
and 74 percent are not
confident that they will be
compliant.
Sage Survey, 2018

13.
5 Key Concepts for
Digital Marketers

14.
5 Key Concepts for Digital Marketers…
Consent
User Data
Rights
Audit Trail
Privacy by
Design
Breach
Notification

15.
Consent
User Data
Rights
Audit Trail
Privacy by
Design
Breach
Notification

16.
CONSENT

17.
What It Means
• Be transparent and be explicit:
• What you are capturing
• For what purpose
• For how long
• No legalese
• Can't be buried in fine print
• Separate and distinct from Privacy Policy
CONSENT

18.
CONSENT

19.
What It Means
• Active Opt In
• Can't auto select checkboxes
• Can't have blanket consent, need to get for each use case
• Must be easy to revoke consent as well
CONSENT

20.
From https://www.superoffice.com/blog/gdpr-marketing/

21.
CONSENT

22.
Consent
User Data
Rights
Audit Trail
Privacy by
Design
Breach
Notification

23.
USER DATA RIGHTS
What Data Applies?
Any information related to a natural person or ‘Data Subject,’ that can be used to
directly or indirectly identify the person.
It can be anything from:
• a name
• a photo
• an email address
• bank details
• posts on social networking websites
• medical information
• a computer IP address
From https://www.eugdpr.org/gdpr-faqs.html

24.
USER DATA RIGHTS

25.
What It Means
• You need a clear way for users to make requests such as:
• Updates (the Right to Rectification)
• Deletions (the Right to Erasure)
• Process
• Verify the requestor
• Track the requests (in a central location)
• Notification of status
• Completion of the request
• You have 30 days to update and respond.
• Tools and Systems
• Know where your user data is stored (CRM, MA, CMS, 3rd parties, spreadsheets, etc.)
• Don’t forget about backups and archives, and other supporting environments.
USER DATA RIGHTS

26.
What It Means
• Why Third Parties?
• On Updates, you have to process their request and pass on to 3rd parties you use.
• Make sure you know what your 3rd party event management, recruiting/job posting, alumni
applications are doing.
• Some of these rights are not absolute.
• Excluded when the company is:
• Exercising its right of freedom of expression and information
• Under a legal obligation to retain the data
• In the interest of public health
• Is needed for the establishment, exercise or defense of legal claims
USER DATA RIGHTS

27.
USER DATA RIGHTS

28.
USER DATA RIGHTS
PORTABILITY

29.
What It Means
• You need a means for users to request their data in a structured
format.
• The data needs to exist in a source that can be exported.
• NOTE: Whether that format is standardized within industries and
integrated directly or shared with user is not clear.
USER DATA RIGHTS
PORTABILITY

30.
Consent
User Data
Rights
Audit Trail
Privacy by
Design
Breach
Notification

31.
AUDIT TRAIL

32.
What It Means
• You need a way to capture the details on consent.
• Easier if centralized across systems
• With enough detail to handle each type of use
• Including timeframes
• Language they accept
• Bound to each user
AUDIT TRAIL

33.
From Janrain Consent Lifecycle
Management software
AUDIT TRAIL

34.
Consent
User Data
Rights
Audit Trail
Privacy by
Design
Breach
Notification

35.
PRIVACY BY DESIGN

36.
What It Means
Privacy by Design is a formalized approach to creating tools and
systems that forces privacy to be integral to the application. Its
founding principles:
1. Proactive not reactive; preventative not remedial
2. Privacy as the default setting
3. Privacy embedded into design
4. Full functionality – positive-sum, not zero-sum
5. End-to-end security – full lifecycle protection
6. Visibility and transparency – keep it open
7. Respect for user privacy – keep it user-centric
PRIVACY BY DESIGN

37.
Consent
User Data
Rights
Audit Trail
Privacy by
Design
Breach
Notification

38.
BREACH NOTIFICATION

39.
What It Means
• Need Monitoring / Alerting / Auditing tools to "become aware"
• Timeframes require a pre-defined process.
• Executives, PR, Marketing, IT, 3rd Parties all have to agree in
advance how to execute on this.
• Bad Examples
• Equifax
• Yahoo
BREACH NOTIFICATION

40.
Marketing Automation
An Applied Example

41.
Modern Digital Marketing Ecosystems
CRM
Email /
MA
CMS
Analytics

42.
Marketing Activity GDPR / Data Privacy Considerations
1. Webinar Signup • Active Opt In
• Clear Language on Use
• Include Timeframe
2.
3.
4.

43.
Marketing Activity GDPR / Data Privacy Considerations
1. Webinar Signup • Active Opt In
• Clear Language on Use
• Include Timeframe
2. Niche Newsletter Related to Webinar • Get New Consent?
• Get on First Request?
3.
4.

44.
Marketing Activity GDPR / Data Privacy Considerations
1. Webinar Signup • Active Opt In
• Clear Language on Use
• Include Timeframe
2. Niche Newsletter Related to Webinar • Get New Consent?
• Get on First Request?
3. Web Visit with Personalization • Implicit / Explicit Personalization
• Be Transparent
• Indicate CRM Data Usage
• Get Consent on Data Gained Before
• Indicate Any Third-Party Usage
• Similar to Cookie Policy?
4.

45.
Marketing Activity GDPR / Data Privacy Considerations
1. Webinar Signup • Active Opt In
• Clear Language on Use
• Include Timeframe
2. Niche Newsletter Related to Webinar • Get New Consent?
• Get on First Request?
3. Web Visit with Personalization • Implicit / Explicit Personalization
• Be Transparent
• Indicate CRM Data Usage
• Get Consent on Data Gained Before
• Indicate Any Third-Party Usage
• Similar to Cookie Policy?
4. Data Right Erasure Request • Prove Identity?
• Acknowledge Receipt
• Complete in 30 Days
• Remove from all 3-4 Systems
• Keep Server Logs, Finance Records for Audits

46.
Steps You Can Take Now

47.
Moving Towards GDPR Compliance
Inventory Web Focus
User ExperienceRisk Level

48.
• Comprehensive system diagram – website outward, and including
internal AND external systems/applications
• All data stores holding employee, client/prospect, recruiting, etc. information –
note data flows
• 3rd-party plugins, web analytics, websites, etc.
• Other applications/websites with client/recruiting/etc. Interactions – email
marketing, CRM, HR, etc.
• Don’t forget personal data previously obtained with "blanket" consent.
• QA/test/development environments, DR sites, backups/archives, etc.
Moving Towards GDPR Compliance
Inventory Web Focus Risk Level User Experience

49.
• Thorough review of the website
• Page by page, as well as...
• The Content Management System
• Data feeds/web services
• All URLs
• Forms – even (especially!) generic contact forms
• Legal notices – privacy statements, cookie warnings, etc.
Moving Towards GDPR Compliance
Inventory Web Focus Risk Level User Experience

50.
• Involve your GC and/or DPO
• Align with your firm's broader GDPR initiative
• What data processing activities is marketing involved in?
• Assess your GDPR risk level: High Risk, Risk, Low Risk
• Define appropriate GDPR risk mitigation
Moving Towards GDPR Compliance
Inventory Web Focus Risk Level User Experience

51.
• Consider the user experience when designing a GDPR-compliant
solution.
• Consistent consent form design/layout – opt-in, granular,
withdrawable and transparent
• Consent is not the same as Terms & Conditions.
• Privacy policy – clear, prominent and relevant
• Managing consent, personal data and other preferences
• User self-service or manual email?
Moving Towards GDPR Compliance
Inventory Web Focus Risk Level User Experience

52.
One North GDPR
Readiness Program
Let Us Help You Navigate Your Website GDPR Remediation

53.
GDPR is not just a regulatory
hurdle to comply with, but also an
opportunity to deliver a great user
experience and fuel better
marketing by acknowledging your
users’ ownership of their data.

54.
Q&A

55.
Thank you!