Join David Booth for an in-depth discussion in this video Audit your data and processes, part of GDPR for Marketers.
- There are a lot of things you'll need to be doing with personal data in order to get compliant with the GDPR. For many organizations, that means first figuring out just what data you have, where you have it, and where you're using it. Depending on how large or complex you are, this could be a daunting task. From a marketer's perspective, there are lots of places that you might be storing or handling personal data up and down today's marketing technology stack. When you're doing an information audit and mapping your data, there are a few steps you'll want to follow.
First, you'll need to assemble your stakeholders. Of course this will be the people inside your organization that plan, manage, and execute in the marketing function, but don't forget about your partners and vendors. Your agency ecosystem spanning media and advertising, digital marketing, CRM, analytics, and more, is all included in the data processor role. As a controller, you'll need to ensure you're compliant everywhere. Once you've defined the right group, it's time to start digging. This means identifying all sources of data that can contain anything that might qualify as personal data.
While you're at it, this probably isn't a bad time to extend this exercise beyond personal data to get a complete map of your data landscape. A key place to start is by identifying all the tools and systems that data flows through during user processes. For example, when a user hits your website, personal data is probably being collected through web analytics tools, and those might be administered through tag management systems. You might then have a data management or attribution platform quietly collecting data as a user browses your content, and a form later on that collects personal data and sends it to a customer relationship management system.
Eventually, a backend ecommerce platform might process the transaction and send personal data to inventory and fulfillment systems. Between those website visits, you might be measuring your various digital channels up and down the funnel with cookies, tracking code, and pixels across search, display, programmatic, retargeting, marketing automation, social, and more. Once you've got everything mapped out, you'll need to classify the data. Is it personal data? Is it first, second, or third party? Where does it live? In your systems, in the cloud? Is it under the control of a separate platform or partner you work with? Where does it come from? Through code that you own or through third party technologies and platforms? Who's touching it? Is this data collected, managed, or processed by you or by an agency or vendor partner? Next, you'll want to understand at least four key things around each piece of data.
Number one, how was it acquired? Was there a compliant consent process? Can you point to where that record of consent is stored and how you can access, change, or remove it if you're asked to? Number two, what exactly is it used for? Can you clearly and unambiguously explain to a user, when you're getting consent, what you're doing with that data? Remember, when designing with privacy by default in mind, you can only collect what you really need. Three, you'll want to know how it's being shared.
Does the data move outside of your organization upon collection? Are you sharing it with partners for any kind of processing, ranging from simple storage to advanced analysis or anything in between? Remember, you're responsible and accountable for all of your data processing partners as well. Fourth, how long do you need to hang on to this data? Aside from complying with the GDPR and not keeping data indefinitely, this is probably a good time to understand the practical lifespan of this data given the specific applications you're storing it for.
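The classification and four-question review described above can be captured as a small inventory model with an automated gap check. The following is an added example, not code from the video or the course: every system name, field name, partner and retention value in it is a constructed assumption, and the four checks map one-to-one onto the acquisition, purpose, sharing and retention questions in the transcript, plus an "owner" check for the orphaned-database case mentioned later.

```python
"""Added example: a personal-data inventory checker modelled on the audit steps above.
All names, systems and values are constructed assumptions, not real data."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass
class DataFlow:
    """One mapped data flow from the information audit (classification fields first)."""
    name: str                       # what the flow is, e.g. a form or a tracking pixel
    system: str                     # where the data lives
    is_personal: bool               # does it contain personal data?
    party: str                      # "first", "second" or "third" party data
    location: str                   # "on-prem", "cloud" or "partner"
    handled_by: str                 # "controller" (you) or "processor" (agency/vendor)
    consent_record: Optional[str] = None     # where the record of consent is stored
    purpose: Optional[str] = None            # what the data is used for
    shared_with: List[str] = field(default_factory=list)          # external processors
    processor_agreements: Set[str] = field(default_factory=set)   # partners with a signed agreement
    retention_days: Optional[int] = None     # None means kept indefinitely
    owner: Optional[str] = None              # accountable person inside the organization


def audit_flow(flow: DataFlow) -> List[str]:
    """Return the gaps found for one flow, following the four key questions."""
    findings: List[str] = []
    if not flow.is_personal:
        return findings  # still worth mapping, but the GDPR questions do not apply
    # 1. How was it acquired? There must be a retrievable record of consent.
    if not flow.consent_record:
        findings.append("no record of consent (acquisition)")
    # 2. What is it used for? The purpose must be explainable to the user.
    if not flow.purpose:
        findings.append("no documented purpose")
    # 3. How is it shared? The controller is accountable for every processor.
    for partner in flow.shared_with:
        if partner not in flow.processor_agreements:
            findings.append(f"shared with '{partner}' without a processor agreement")
    # 4. How long is it kept? Indefinite retention is a gap.
    if flow.retention_days is None:
        findings.append("no retention period (kept indefinitely)")
    # Orphaned data: nobody left who knows what feeds it or what it is for.
    if not flow.owner:
        findings.append("no owner")
    return findings


def audit_inventory(flows: List[DataFlow]) -> Dict[str, List[str]]:
    """Run audit_flow over the whole inventory, keyed by flow name."""
    return {flow.name: audit_flow(flow) for flow in flows}


def retention_expired(flow: DataFlow, collected_on: date, today: date) -> Optional[bool]:
    """True if a record collected on `collected_on` has outlived the flow's retention period.
    Returns None when no retention period is defined, because the question cannot be answered."""
    if flow.retention_days is None:
        return None
    return (today - collected_on).days > flow.retention_days


# Constructed sample inventory: four flows from the kind of stack described above.
SAMPLE_INVENTORY = [
    DataFlow("web analytics", "analytics tool via tag manager", True, "first", "cloud", "processor",
             consent_record="cookie banner log in consent platform", purpose="site usage measurement",
             shared_with=["analytics vendor"], processor_agreements={"analytics vendor"},
             retention_days=395, owner="digital analytics lead"),
    DataFlow("contact form to CRM", "CRM", True, "first", "cloud", "controller",
             consent_record="form submission record", purpose="sales follow-up",
             retention_days=None, owner="CRM administrator"),
    DataFlow("legacy leads database", "on-prem SQL server", True, "first", "on-prem", "controller"),
    DataFlow("inventory counts", "ERP", False, "first", "on-prem", "controller"),
]

if __name__ == "__main__":
    for name, gaps in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{name}: {'OK' if not gaps else '; '.join(gaps)}")
```

Running the block lists each flow with its gaps: the analytics flow passes, the CRM form is flagged only for indefinite retention, the legacy database is flagged on every question, and the non-personal ERP data is skipped. Extending the model with the data subject rights (access, change, removal) is a natural next step, since the `consent_record` location is exactly what you would need to act on such a request.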
This may seem like a big job. While it certainly can be, it's also very achievable and a great exercise to go through whether or not GDPR is the reason you're doing it. We do a lot of these audits, and we've not only uncovered lots of risk, we've also seen lots of opportunities for efficiencies and cost savings. In one case, a completely siloed database filled with personal data had survived no less than three owners at the same company who had all come and gone, and not a soul remaining knew what had fed it or what the data was used for.
We've seen organizations with multiple licenses for the same exact software solutions. Or worse, adoption of three or four different solutions for the same exact problem, requiring three or four times the cost, the training, and the maintenance. As you work towards GDPR compliance, this information audit and mapping is a foundational step that will not only provide the pathway for action, it might even uncover some opportunities to make your business a better one.
- Define “personal data.”
- Name three data subject rights provided by GDPR.
- Recall the steps that need to be taken to comply with GDPR.
- Explain “privacy by design.”
- Identify the responsibilities of a data protection officer.
- Recognize the steps required to audit your data and processes.