#1NWebinar: GDPR and Privacy Best Practices for Digital Marketers

One North’s Managing Director of Technology Ryan Horner and legal process and technology consultant Bob Beach share details on how the EU’s General Data Protection Regulation (GDPR) could impact digital assets.

This webinar is designed to educate digital marketers, share actionable examples, and provide an overview of how One North can help clients ensure their digital properties are in compliance with the regulation and execute on those efforts. Beyond GDPR compliance, the session will also highlight important information for marketers as data privacy continues to become a critical and strategic component of digital.

Access the recording: https://youtu.be/ruQpN70LGt0

  1. GDPR and Data Privacy Best Practices for Digital Marketers
     Prepared by Ryan Horner & Bob Beach, 22 March 2018
  2. Presenters
     • Bob Beach, Consultant
     • Ryan Horner, Managing Director, Technology
  3. Agenda
     • Defining GDPR
     • Changing Data Privacy Expectations
     • 5 Key Concepts for Digital Marketers
     • Applying to Marketing Automation
     • A Process & Steps to Take Now
  4. What is GDPR?
  5. General Data Protection Regulation (GDPR): What | When | Who/Where | Why | How
     • Standardize data privacy laws across Europe
     • Protect and empower all EU citizens against data privacy violations and breaches
     • "The protection of natural persons in relation to the processing of personal data is a fundamental right." (Recital 1)
     • Reshape the way organizations approach data privacy
     • Users own their data; you are just borrowing it
     • 261 pages, 173 Recitals and 99 Articles
  6. GDPR: When
     • Approved by EU Parliament in 2016; enforcement begins May 25th 2018
     • 63 days, 7 hours from now
  7. GDPR: Who/Where
     • The GDPR will apply to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects.
     • It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company's location (applied through diplomatic or consular post).
  8. GDPR: Why
     • Heavy fines: up to 4% of annual revenue or €20 million (whichever is greater)
     • GDPR is here now, but more regulations are coming
     • Avoid negative brand reputation / PR / news from data privacy breaches
     • Meet users' expectations for privacy
  9. GDPR: How
     • Awareness
     • Process
     • Team, including legal counsel
     • Note: each organization is unique and will require its own legal counsel to interpret the specifics of GDPR in its situation.
  10. GDPR in Context: Data Privacy & Trust
  11. Breaches in the news: Target, JP Morgan Chase, Anthem, eBay, Home Depot… and many more
  12. The State of Data Privacy
     • 91% of adults agree that they have lost control of how personal information is collected and used by companies. (Pew Research, 2016)
     • 83% of respondents agreed that trust is the cornerstone of the digital economy. (Accenture Tech Vision, 2016)
     • 74% of respondents say it is "very important" that they be in control of who can get information about them. (Pew Research, 2016)
     • 84% of U.S. companies don't understand what GDPR means, and 74% are not confident that they will be compliant. (Sage Survey, 2018)
  13. 5 Key Concepts for Digital Marketers
  14. The five concepts: Consent | User Data Rights | Audit Trail | Privacy by Design | Breach Notification
  15. Consent (section divider)
  16. Consent
  17. Consent: What It Means
     • Be transparent and be explicit about:
       • What you are capturing
       • For what purpose
       • For how long
     • No legalese
     • Can't be buried in fine print
     • Separate and distinct from the Privacy Policy
  18. Consent
  19. Consent: What It Means
     • Active opt-in
     • Can't auto-select checkboxes
     • Can't have blanket consent; you need to get it for each use case
     • Must be easy to revoke consent as well
  20. Consent example, from https://www.superoffice.com/blog/gdpr-marketing/
  21. Consent
  22. User Data Rights (section divider)
  23. User Data Rights: What Data Applies?
     Any information related to a natural person or "Data Subject" that can be used to directly or indirectly identify the person. It can be anything from:
     • a name
     • a photo
     • an email address
     • bank details
     • posts on social networking websites
     • medical information
     • a computer IP address
     From https://www.eugdpr.org/gdpr-faqs.html
  24. User Data Rights
  25. User Data Rights: What It Means
     • You need a clear way for users to make requests such as:
       • Updates (the Right to Rectification)
       • Deletions (the Right to Erasure)
     • Process
       • Verify the requestor
       • Track the requests (in a central location)
       • Notification of status
       • Completion of the request
       • You have 30 days to update and respond.
     • Tools and systems
       • Know where your user data is stored (CRM, MA, CMS, 3rd parties, spreadsheets, etc.)
       • Don't forget about backups, archives and other supporting environments.
  26. User Data Rights: What It Means
     • Why third parties?
       • On updates, you have to process the request and pass it on to the 3rd parties you use.
       • Make sure you know what your 3rd-party event management, recruiting/job posting and alumni applications are doing.
     • Some of these rights are not absolute. They are excluded when the company is:
       • Exercising its right of freedom of expression and information
       • Under a legal obligation to retain the data
       • Acting in the interest of public health
       • Retaining data needed for the establishment, exercise or defense of legal claims
  27. User Data Rights
  28. User Data Rights: Portability
  29. User Data Rights, Portability: What It Means
     • You need a means for users to request their data in a structured format.
     • The data needs to exist in a source that can be exported.
     • NOTE: whether that format is standardized within industries and integrated directly, or simply shared with the user, is not clear.
  30. Audit Trail (section divider)
  31. Audit Trail
  32. Audit Trail: What It Means
     • You need a way to capture the details of consent:
       • Easier if centralized across systems
       • With enough detail to handle each type of use
       • Including timeframes
       • The language they accepted
       • Bound to each user
  33. Audit trail example, from Janrain Consent Lifecycle Management software
  34. Privacy by Design (section divider)
  35. Privacy by Design
  36. Privacy by Design: What It Means
     Privacy by Design is a formalized approach to creating tools and systems that forces privacy to be integral to the application. Its founding principles:
     1. Proactive not reactive; preventative not remedial
     2. Privacy as the default setting
     3. Privacy embedded into design
     4. Full functionality: positive-sum, not zero-sum
     5. End-to-end security: full lifecycle protection
     6. Visibility and transparency: keep it open
     7. Respect for user privacy: keep it user-centric
  37. Breach Notification (section divider)
  38. Breach Notification
  39. Breach Notification: What It Means
     • Need monitoring / alerting / auditing tools to "become aware"
     • Timeframes require a pre-defined process.
     • Executives, PR, Marketing, IT and 3rd parties all have to agree in advance how to execute on this.
     • Bad examples: Equifax, Yahoo
  40. Marketing Automation: An Applied Example
  41. Modern Digital Marketing Ecosystems: CRM, Email / MA, CMS, Analytics
  42.–45. Marketing Activity vs. GDPR / Data Privacy Considerations (built up one row per slide)
     1. Webinar Signup
       • Active opt-in
       • Clear language on use
       • Include timeframe
     2. Niche Newsletter Related to Webinar
       • Get new consent?
       • Get it on first request?
     3. Web Visit with Personalization
       • Implicit / explicit personalization
       • Be transparent
       • Indicate CRM data usage
       • Get consent on data gained before
       • Indicate any third-party usage
       • Similar to a cookie policy?
     4. Data Right Erasure Request
       • Prove identity?
       • Acknowledge receipt
       • Complete in 30 days
       • Remove from all 3-4 systems
       • Keep server logs and finance records for audits
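The consent record described under Audit Trail (centralized, one entry per use case, with timeframe, accepted wording and user binding) and the erasure request in row 4 above can be modelled as a small consent ledger. The following is an added Python example written for this page, not code from the webinar or from One North; the system names, field names and the set of legally retained systems are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    user_id: str                    # bound to each user
    purpose: str                    # one use case per record: no blanket consent
    granted: bool                   # True = active opt-in, False = withdrawal
    at: datetime                    # when the user acted
    text_version: str               # the consent wording they actually accepted
    valid_for: Optional[timedelta]  # timeframe stated at capture; None = until withdrawn


class ConsentLedger:
    """Append-only, centralized record of consent across all systems."""

    def __init__(self) -> None:
        self.events: List[ConsentEvent] = []

    def record(self, event: ConsentEvent) -> None:
        self.events.append(event)   # withdrawals are appended, never deleted

    def permitted(self, user_id: str, purpose: str, when: datetime) -> bool:
        """Was this purpose consented to, for this user, at time `when`?"""
        relevant = [e for e in self.events
                    if e.user_id == user_id and e.purpose == purpose and e.at <= when]
        if not relevant:
            return False            # never asked: treat as no consent
        latest = max(relevant, key=lambda e: e.at)
        if not latest.granted:
            return False            # consent was withdrawn
        if latest.valid_for is not None and when > latest.at + latest.valid_for:
            return False            # the stated timeframe has lapsed
        return True


# Constructed model: system name -> {user id -> personal data record}.
Systems = Dict[str, Dict[str, dict]]
# Assumed systems whose records are kept under a legal/audit obligation (slide 45).
RETAINED_FOR_LEGAL_OBLIGATION = {"finance", "server_logs"}


def erase_user(systems: Systems, user_id: str) -> List[str]:
    """Remove the subject from every system except legally retained ones."""
    removed = []
    for name, store in systems.items():
        if name in RETAINED_FOR_LEGAL_OBLIGATION:
            continue
        if store.pop(user_id, None) is not None:
            removed.append(name)
    return sorted(removed)
```

The ledger itself is deliberately not one of the systems erased: the record that consent was given and later withdrawn is the evidence the audit trail exists to keep.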
  46. Steps You Can Take Now
  47. Moving Towards GDPR Compliance: Inventory | Web Focus | Risk Level | User Experience
  48. Moving Towards GDPR Compliance: Inventory
     • Comprehensive system diagram, from the website outward, including internal AND external systems/applications
     • All data stores holding employee, client/prospect, recruiting, etc. information; note the data flows
     • 3rd-party plugins, web analytics, websites, etc.
     • Other applications/websites with client/recruiting/etc. interactions: email marketing, CRM, HR, etc.
     • Don't forget personal data previously obtained with "blanket" consent.
     • QA/test/development environments, DR sites, backups/archives, etc.
  49. Moving Towards GDPR Compliance: Web Focus
     • Thorough review of the website, page by page, as well as:
       • The Content Management System
       • Data feeds/web services
       • All URLs
       • Forms, even (especially!) generic contact forms
       • Legal notices: privacy statements, cookie warnings, etc.
  50. Moving Towards GDPR Compliance: Risk Level
     • Involve your GC and/or DPO
     • Align with your firm's broader GDPR initiative
     • What data processing activities is marketing involved in?
     • Assess your GDPR risk level: High Risk, Risk, Low Risk
     • Define appropriate GDPR risk mitigation
  51. Moving Towards GDPR Compliance: User Experience
     • Consider the user experience when designing a GDPR-compliant solution.
     • Consistent consent form design/layout: opt-in, granular, withdrawable and transparent
     • Consent is not the same as Terms & Conditions.
     • Privacy policy: clear, prominent and relevant
     • Managing consent, personal data and other preferences: user self-service or manual email?
  52. One North GDPR Readiness Program: let us help you navigate your website GDPR remediation
  53. GDPR is not just a regulatory hurdle to comply with, but also an opportunity to deliver a great user experience and fuel better marketing by acknowledging your users' ownership of their data.
  54. Q&A
  55. Thank you!