Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

GDPR - two practical approaches to compliance in digital analytics

1,271 views

Published on

The digital analytics industry is very negative on GDPR. In this talk, I argue that they should be positive: GDPR is an enormous opportunity. I highlight two approaches to compliance, and argue that by embracing GDPR certain companies can use digital data to drive competitive advantage

Published in: Data & Analytics
  • Be the first to comment

  • Be the first to like this

GDPR - two practical approaches to compliance in digital analytics

  1. 1. GDPR Two practical approaches to compliance
  2. 2. • Co-founder at Snowplow Analytics: give companies control of their data so they can use it to do more • I build technology: that has a profound impact on my view on data regulation • Data optimistic: believe passionately in the enabling power of data for good • I am not a lawyer. These are my opinions, not legal advice. Hello! My name is Yali
  3. 3. • New set of European regulations designed to safeguard “personal data” i.e. data on individuals • Builds on The Data Protection Act • Gives “data subjects” new rights over their data • Corresponding obligations on “data controllers” and “data processors” i.e. companies that collect and use data • Focus on online data in particular A very quick recap… What is GDPR?
  4. 4. • Transparency. People should know what data about them is collected, and how it is used. • Accuracy. The data collected should be accurate/not misleading • Control. Users should be able to control what data is collected and how it is used. Consent needs to be specific and explicit. • Security. Personal data must not be leaked. • Verifiability. Companies need to be able to demonstrate that they meet their obligations. Underlying principals
  5. 5. New rights for individuals over “their” data… Right to be informed Right of access Right of rectificationRight of erasureRight to restrict processing Right to data portability Right to object Right related to automated decision making / profiling • Show me the data you have on me! • What data are you collecting on me? • How are you using that data? • Give me the data you have on me (so I can do other things with it)! • Stop doing that with my data • Delete the data you have on me • The data you have on me is inaccurate. Fix it! • Stop using my data to market to me • Explain to me the algorithm • Let a human intervene if the impact is significant
  6. 6. WTF? How do we do that?
  7. 7. • More data is ‘personal data’ than you might think • Specifically includes online identifiers e.g. IP address, cookie ID (?) • Personal data that has been pseudoonymised might still fall within the scope of GDPR depending on how difficult it is to attribute the pseudonym back to the particular individual • You have to comply and demonstrate that you comply • Need to document / demonstrate how you comply. (Not enough just to comply) …and that’s not all
  8. 8. If we’re not collecting personal data, we don’t have to meet those obligations Let’s embrace all the change that compliance entails Two practical approaches to complying with GDPR Ensure data isn’t “personal” 1 Build “rights” into your data management processes 2 The best approaches will involve a combination of both of the above
  9. 9. Approach 1: no personal data here! • Do not collect IP addresses • These are “personally identifiable information” apparently. (But what about cookies?) • Be very strict with where you put personal identifiable information • DataLayer? • Which 3rd party services? • Pseudoanonymization to the rescue! • Keep “user-level” data i.e. view a user’s journey • Can’t identify “which” user that journey corresponds to
  10. 10. Win user consent 1 • Engage your users • Explain why you’re using their data, simply • Demonstrate the value for them in what you’re doing with their data • Loyalty cards are instructive Check each analysis is compatible with consent in advance 32 • Auditable log of consent by user • “Part” of our user-level data set. (Make it easy for user’s working with the data to query consent as part of their analysis.) • Document purpose e.g. on first tab in spreadsheet, at the top of a • Where it requires consent, flag and subset the data in the first step Approach 2: embrace the new processes and approaches demanded by GDPR (1/3) Track consent as an “event”
  11. 11. Identify all data sets that contain PII 4 • Have clear documentation for the sources, tables and fields • Have a regular review process to update this documentation Check each analysis is compatible with consent in advance 65 • Access contingent on GDPR training • Rules around where analysis results can “live” • Centralize access so can make it auditable • Document purpose e.g. on first tab in spreadsheet, at the top of a • Where it requires consent, flag and subset the data in the first step Approach 2: embrace the new processes and approaches demanded by GDPR (2/3) Strict processes where access and query PII data
  12. 12. Put in place processes to “forget” users 7 Put in place processes to “correct” data 98 Approach 2: embrace the new processes and approaches demanded by GDPR (3/3) Put in place processes to “export” users
  13. 13. Approach 2 is hard work, but a huge opportunity to build significant competitive advantage • Intervene in individual user journeys: better understand your users and use that to intervene in their journeys to surprise and delight them • Personalization is very powerful: proven out at FB, Google and beyond • GDPR reduces the # of companies that can do this: 3rd parties without a direct user relationship (e.g. ad industry) “cut out” • Favors companies that users trust. Aren’t those the companies we want to encourage?

×