The EU’s sweeping General Data Protection Regulation (GDPR) went into effect on May 25 but now that it’s here, many companies are finding themselves scrambling even harder than before to make sure they’re in compliance. At a recent joint meeting of Connectiv’s Digital Media and Audience Marketing Councils, six different information companies (including Strategic Insight, Watt Global Media, EnsembleIQ, Brief Media, Northcoast Media and Northstar Travel Group) shared how they got their houses in order—and how they continue to make refinements to their audience data strategies as the realities of GDPR become clearer.
Justin Hoffman, director of technology at Strategic Insight and co-chair of the Connectiv Digital Media Council, kicked off the meeting by sharing how his company made changes in three areas, including software engineering, legal and audience engagement. “This is something that every company is dealing with and it will be part of the foundation going forward, and that may be for the best” he said. “The same basic privacy rules have existed on the Internet since 1995 and it’s about time they did this to protect everyone and address the companies that have been making millions of dollars off our data for a long time. I think something similar will hit the U.S. in the near future and we need to understand that this doesn’t just impact user data. We’re talking about basic user identify but also their meta data—location, IP address, cookie, data, their health and genetic data, racial data, political—it goes on and on.”
1. Software Engineering
The first step was a massive database cleanup. “I’m on the tech side and this hit us hard especially in our core CRM systems” said Hoffman. “We had to go through our entire database of users and identify all European users that were missing opt-in criteria.”
Strategic Insight uses Eloqua, which allows users to identify their customers by their domain. “Once we’ve identified who is European, we identified whether they are active or not,” said Hoffman. “If they had no activity in the last 12 months or more, we’ll just deleted them. It’s more of a risk to keep that data.” Strategic Insight ended up deleted 20 percent of its entries.
But it also gave Strategic Insight the opportunity to re-engage users who were identified as active. Active users were sent re-engagement communications 60 days and 30 days prior to May 25 stating that they needed to re-qualify.
Next, Strategic Insight had to develop stronger access controls in regards to intra-company data sharing via its CRM (in this case, Salesforce). “We have one instance of Salesforce that manages all the company’s data—Euro, U.S., etc.,” said Hoffman. “That was a business decision way before my arrival because we don’t want to have duplicate licenses, so the entire organization can see the data. But for GDPR, that can be a problem. Collecting data is one thing, exposing it internally is another issue that we had to deal with.”
Strategic Insight established new approval-based permission sets so that users in Salesforce can’t see specific data unless they’re associated with certain brands. “I think this is something you should consider because it’s a nice way to keep people in their silos but as GDPR comes along this will be required. Salesforce has really strong access rules and this is one of their recommendations for European brands. From the tech side it’s not that much work as long as you can identify which brands are in the system and which reps are tied to those brands.”
Consider the physical location of where your data is housed. “Because we have brands specifically in Canada or Europe, we started moving those databases physically to those locations,” said Hoffman. “For Canada, that’s very important, Just saying it’s in the cloud doesn’t cut it, everything has a data center somewhere. It’s a lot of work but we did make the effort to isolate any data with risk to it.”
As most companies are doing, Strategic Insight updated its privacy policies with a detailed disclaimer about data collection and usage (see the new policy here).
3. Audience Engagement
In addition to contacting active users to alert them to re-opt into services and re-qualify and sending out mass pre-GDPR communications letting customers know of upcoming changes, Strategic Insight created consolidated registration forms (using the same demographic questions across all sites to ensure continuity between multi brands with GDPR associated language).
“All our sites are using Eloqua forms and we have one registration form across the business,” said Hoffman. “I recommend migrating to one system.”
To access an archive of the meeting and the six case studies, click here (presentations start at the seven minute mark). To be added to future meetings of the Digital Media and Audience Marketing Councils, email firstname.lastname@example.org.