
Webinar Recap: Good Cop/Bad Cop – A Discussion to Help Guide Your GDPR Compliance Initiative

In a recent webinar on the topic of readiness for the European Union’s General Data Protection Regulation (GDPR), a “good cop/bad cop” routine fit for the movies led to some key insights about trust, the digital experience and consumer data privacy. Let’s explore what happened.

As host of the webinar, I played the role of the good cop by introducing the audience to our digital maturity roadmap.

This visualization, which we created based on our experience implementing hundreds of customer data management solutions for enterprise clients, focuses on how to turn consumer data privacy into a competitive advantage. It provides the pillars of a holistic enterprise approach for addressing GDPR requirements and building trusted relationships with consumers.

The first pillar we discussed: capturing consumer preference and consent data. This activity should be:

  • Standardized to help present unambiguous and verifiable requests for consent and to manage version control as policies evolve
  • Centralized to facilitate the enforcement of consumers’ explicit consent choices throughout the digital ecosystem
  • Seamlessly integrated into the digital experience

The second pillar: creating an audit-ready environment. This involves creating a single repository for every consumer consent agreement and preference setting offered by your digital properties. This repository should:

  • Retain consent and preference records for the full period your legal and audit retention policy requires (the webinar used seven years as its working figure; note that GDPR’s storage limitation principle, Article 5(1)(e), means the underlying personal data itself should not be kept longer than its purpose needs)
  • Surface requested consent and preference data with speed and accuracy
  • Provide functionality to enable consumers to view and download their personal data stored in the system

The third pillar: providing users with transparency and personal data control. Under the GDPR, the burden is on businesses to give consumers transparency into the personal data they collect, process and store. The regulation also puts the onus on businesses that serve European customers to offer a host of personal data access rights.

But, by actually delivering on these requirements in an intuitive, user-friendly way that builds on the customer experience, rather than breaking it, you can turn these “burdens” into a competitive advantage. The key to doing this is having the ability to centrally enforce customers’ consent and preferences across your entire digital ecosystem.

The last pillar: Maintaining a unified experience across touchpoints to build trusted relationships. The final destination on our roadmap is a trusted digital experience for consumers. This experience should be driven by a unified record of customer profile, consent and preference data that is respected and enforced across every touchpoint your organization offers. In addition to building more trusted relationships, this strategy provides a holistic approach to solving many of the toughest consent and preference requirements in the GDPR.

“The GDPR is about putting consumers first,” I said. “This roadmap can help you empower user control of preferences and consent while powering great, personalized digital experiences across multiple touchpoints.”

Martin Kuppinger, principal analyst for the independent research firm KuppingerCole, played the bad cop. He answered commonly-asked questions about GDPR preparation and dispelled some common myths he’s heard about the regulation.

One major myth he cleared up involved the penalties for non-compliance. Martin said most of the attention has focused on the monetary penalties of 20 million euros or 4% of a company’s global annual revenue, whichever is greater.

While agreeing these penalties are severe, he said the data protection authorities (DPAs) in charge of enforcing the regulation in EU member states have another power they can exercise.

“The DPA has to act… and they will start seeing many complaints as of May 26th… The standard process [calls for] the stoppage of data processing before the fine… it means ‘shut down your web site,’ so to speak.”

While only time will tell how punitive the GDPR will be, I found Martin’s point to be impactful. Setting aside the risk of fines, there are also operational and brand reputation risks associated with noncompliance that companies need to recognize.

Listen to the Entire Broadcast

The result of the webinar is a motivating, insightful discussion on consumer data privacy and GDPR requirements. It provides helpful insights into:

  • How you should prioritize your GDPR readiness initiative in these final days before the May 25 enforcement deadline
  • What your business should do to turn GDPR compliance into a competitive advantage
  • What risks your company faces in the new era of consumer data privacy.

You can access the full broadcast here. I hope you find the presentation relevant and helpful to your work.

One final note: Many attendees asked questions during the presentation. They are an excellent window into top-of-mind GDPR preparation challenges for businesses around the globe. So, we’ve posted the blinded questions and our answers below.

Webinar Questions and Answers

On GDPR Preparedness

Q: Putting aside the framework, what are organizations obligated to do prior to the May 25th deadline?

A: At a minimum, organizations must be able to demonstrate (the accountability principle, Article 5(2)) that they are protecting their customers’ rights when processing personal data, which means they should:

  • Prove that customers have consented to Terms of Service (ToS), Privacy Policy and other custom marketing communications
  • Be able to renew and version consent to ToS, Privacy Policy and other marketing communications
  • Centralize and securely store profiles, preferences and consent
  • Enforce profiles, preferences and consent to downstream third-party sales and marketing applications
  • Provide a self-service preference center where customers can view, change or delete profiles, preference and consent

On GDPR Applicability

Q: How does GDPR affect companies outside the EU if these companies work with established European enterprises?

A: If a company outside the EU collects consumer data from the EU, then they must follow the same GDPR regulations as the EU established enterprises.

Q: What potential legal consequences can a US company with EU customers face if it is not compliant by May 25th?

A: The US company can be ordered to cease processing EU customer data and may then be fined up to 20 million euros or 4% of its global annual turnover, whichever is greater, if found in violation of the articles of the regulation that carry the heaviest penalties.

Q: The GDPR states it will be enforced for any company that collects customer data online. Could this apply to a website that collects email addresses for a newsletter OR an e-commerce website that collects transactional customer information?

A: Yes, any company that collects EU customer data online must be GDPR compliant. This applies to email addresses and transactional customer information.

On Definitions of Personal Data

Q: Are unidentifiable IDs considered customer data? For example, a device ID used to track activities within an app.

A: Yes. A device ID, cookie ID or similar online identifier is personal data under the GDPR even when you never learn the person’s name, because it can be used to single out an individual, particularly in combination with other data (Recital 30). Companies that collect such identifiers are subject to the regulation.

On Definitions for Consent

Q: What is considered implied consent versus explicit consent?

A: Implied consent is inferred from a customer’s behaviour rather than stated, for example continuing to use a site after a notice appears, or a pre-ticked box left untouched. Explicit consent is a clear, affirmative statement by the customer covering a specific purpose and specific data. The GDPR requires consent to be an unambiguous, affirmative act whenever consent is the lawful basis (Recital 32 rules out silence and pre-ticked boxes) and requires explicit consent for special categories of data (Article 9). For example, if a runner indicates that their favorite brand of running shoe is Nike and consents only to receive Nike-branded emails or ads, that is explicit, purpose-specific consent.

On GDPR Compliance

Q: Is there any kind of compliance certification given to organization for GDPR compliance once they show compliance?

A: Not at the time of writing. Article 42 of the GDPR provides for certification mechanisms, seals and marks, but no such scheme is in operation yet, and a certification would demonstrate compliance rather than replace the controller’s own accountability obligations.

Q: We have been advised that we can consider our “marketing purposes” to be legitimate interest enough that we do not need to get explicit consent to email our contacts or maintain their data in our system. Is this generally true?

A: Not safely. Recital 47 of the GDPR does note that direct marketing may be a legitimate interest, but relying on it requires a documented balancing test against the individual’s interests and an easy way to object (Article 21), and the separate ePrivacy rules on electronic marketing still generally require consent for marketing email outside an existing-customer relationship. Whichever basis you use, it must be established per specific purpose; bundled, multi-purpose or pre-checked consent is no longer acceptable.

Q: If you have corporate members, you have consent with a company, not their employees. How do you handle that?

A: In most cases there will be contracts in place, both between the other company and its employees and between the two companies. The GDPR still requires you to document the data flows (the Article 30 records of processing) and to put the terms governing the exchange of personal data between the companies in writing, including an Article 28 contract where one company processes on the other’s behalf.

Q: If a member of the public contacts us for information related to GDPR, do we refer the consumer back to the controller or do we need to address the query directly, even if we are the processor?

A: You would refer back to the data controller.

Q: How do excel files with lists of “donors” or “constituents” relate to GDPR? Are we permitted to keep them?

A: If there are contracts in place or if there is a legitimate interest or if there is explicit consent, then yes. But this involves PII, and so is within the scope of GDPR.

Q: What defines “business”? My company does not sell products in the EU, however, we do capture email on our web properties and send marketing emails. Must we meet GDPR compliance for any contacts on those email lists?

A: Yes. The GDPR applies to any business, wherever it is located, that offers goods or services to people in the EU (paid or free) or monitors their behaviour (Article 3(2)). Collecting email addresses in order to send marketing emails to people in the EU falls within that, so consent or another documented lawful basis is required. Whether you sell products in the EU is not the test.

On the SAP Customer Data Cloud from Gigya Solution for GDPR

Q: What is the difference between deleting subject data versus purging that data completely (not recoverable). For example, once we receive subject request to delete data and do so, what data should we continue to keep in our systems (and for how long) to meet requirements to retrieve subject data for legal reasons (i.e., law enforcement requests for that data)?

A: Customers must be able to delete their customer data or account themselves through a preference center, or with the help of a customer service agent. Deleting the account stops all processing of that person’s data. Whether anything is kept afterwards, and for how long, is governed by your legal retention obligations, not by a single GDPR figure: the seven years cited in the webinar is an example retention period, not a statutory GDPR rule. Under the storage limitation principle (Article 5(1)(e)) the personal data itself should be purged once no lawful basis for holding it remains; what you retain for audit or lawful requests should be the minimum needed, such as a pseudonymous record that consent was given and later withdrawn.

Q: Does Gigya provide any kind of API or tool to know if a user or a device falls within GDPR rule?

A: We provide a way (UI, API) to know if a user has an expired consent and is therefore required to reaffirm their consent to continue accessing the brand property. Otherwise, that user must be removed.
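The checklist under “On GDPR Preparedness” (versioned, per-purpose consent that downstream systems must enforce), the delete-versus-purge question above, and the expired-consent check just described can all be modelled in a few dozen lines. The following is an added example written for this recap; it is illustrative Python, not Gigya’s or SAP’s code or API. The purposes, version numbers, the `ConsentStore` class and its methods, and the choice to keep only pseudonymous audit entries after erasure are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed policy catalogue (assumption, not a product setting): one current
# version per purpose. Bumping a version invalidates every consent captured
# under the older one, so users must reaffirm before processing resumes.
POLICY_VERSIONS = {
    "tos": 3,
    "privacy_policy": 2,
    "marketing_email": 1,
    "marketing_ads": 1,
}


@dataclass
class ConsentRecord:
    purpose: str
    version: int          # policy version the user actually saw
    granted: bool
    recorded_at: datetime
    source: str           # where the affirmative act happened, e.g. "web-signup"


@dataclass
class Profile:
    user_id: str
    email: Optional[str]
    consents: Dict[str, ConsentRecord] = field(default_factory=dict)
    erased: bool = False


class ConsentStore:
    """Single, versioned repository for consent and preferences (hypothetical).

    Downstream systems never keep their own copy of consent; they call
    is_permitted() for a specific purpose before processing anything.
    """

    def __init__(self, policy_versions: Dict[str, int]) -> None:
        self.policy_versions = dict(policy_versions)
        self.profiles: Dict[str, Profile] = {}
        # Append-only audit trail: (user_id, purpose, version, granted, when, source)
        self.audit_log: List[Tuple] = []

    def record(self, user_id: str, email: Optional[str], purpose: str,
               granted: bool, source: str,
               when: Optional[datetime] = None) -> ConsentRecord:
        """Capture one unambiguous, per-purpose decision. The capture UI must
        only call this after an affirmative act, never from a pre-ticked box."""
        if purpose not in self.policy_versions:
            raise ValueError(f"unknown purpose {purpose!r}")
        when = when or datetime.now(timezone.utc)
        profile = self.profiles.setdefault(user_id, Profile(user_id, email))
        rec = ConsentRecord(purpose, self.policy_versions[purpose], granted, when, source)
        profile.consents[purpose] = rec
        self.audit_log.append((user_id, purpose, rec.version, granted, when, source))
        return rec

    def publish_policy(self, purpose: str, new_version: int) -> None:
        """Roll out a new policy version; existing consents for it go stale."""
        if new_version <= self.policy_versions.get(purpose, 0):
            raise ValueError("policy versions must increase")
        self.policy_versions[purpose] = new_version

    def needs_reaffirmation(self, user_id: str, purpose: str) -> bool:
        """True when consent was never captured or predates the current version."""
        profile = self.profiles.get(user_id)
        if profile is None or profile.erased:
            return True
        rec = profile.consents.get(purpose)
        return rec is None or rec.version < self.policy_versions[purpose]

    def is_permitted(self, user_id: str, purpose: str) -> bool:
        """Enforcement point for downstream tools (email, ads). Missing or stale
        consent is a denial, never a default yes."""
        if self.needs_reaffirmation(user_id, purpose):
            return False
        return self.profiles[user_id].consents[purpose].granted

    def erase(self, user_id: str, when: Optional[datetime] = None) -> bool:
        """Right to erasure: purge the personal data and live consents, keeping
        only the pseudonymous audit entries as proof that consent existed and
        was withdrawn. How long those entries live is a retention-policy
        choice assumed here, not a GDPR constant."""
        profile = self.profiles.get(user_id)
        if profile is None:
            return False
        when = when or datetime.now(timezone.utc)
        self.audit_log.append((user_id, "*", None, False, when, "erasure-request"))
        profile.email = None
        profile.consents.clear()
        profile.erased = True
        return True
```

A downstream email tool that asks `is_permitted(user, "marketing_email")` gets `False` as soon as the privacy policy version is bumped, which is the “expired consent” state: the user is prompted to reaffirm on their next visit, and until they do, nothing is sent. Erasure leaves the profile unusable for any purpose while the audit log still shows when consent was granted and when it was withdrawn.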

Q: You mention that we need to “allow customers to access a preference center so they can exercise their rights (i.e., right of erasure, right to be forgotten, right to make changes to their preferences and consent…) Would having this in a privacy policy where they can email a site owner to fulfill the request be enough? Or does a site owner need to build out a more automated process?

A: Organizations must allow all registered customers to access a self-service preference center so that they can make changes to their profile, preference and consent. However, customers must also be able to request changes through a customer service agent – which means that customer service agents must have access to their customer profiles, preference and consent in order to satisfy customer requests.

Q: Do you have a system to manage data registry?

A: The system registry feature of SAP Customer Profile stores the identifiers and status of each connected system, enabling administrators to monitor and maintain the health of all owned and third-party technologies integrated with the SAP Customer Data Cloud.


On Transparency, Trust and Customer Control of Their Data

Q: I have a question about users wanting to have trust, and what builds that trust. Do you have insights or percentages of users that care about having that trust with sites that they visit? Or in other words, what percentage of users care what sites are doing with their personal data? I’d imagine this has been increasing over time as awareness grows. But curious if you have any insights on how many consumers/users really care to build that trust.

A: According to an SAP survey of US and UK consumers conducted by Arlington Research in 2017, results indicate that two-thirds, or 68% of respondents, did not trust brands to handle their personal information such as name, email, location or marital status appropriately. 21% of customers were somewhat unconcerned, and the remaining felt that it did not impact them one way or another.

Still, this lack of trust among the majority of the customers surveyed has profound implications for the relationship between consumers and brands. The greatest benefit of the upcoming GDPR is that brands must now put forth clear privacy policies and gather consent for how they use customer data, as well as provide greater transparency throughout the customer journey. Brands that provide a transparent customer experience can more easily build trust and loyalty with their customers.

By Rashmi Vittal
