Editor’s Note: This is the second of a two-part series on the Right to be Forgotten clause of the General Data Protection Regulation. Part 1 focused on Erasure 101, compliance and complexities, and ongoing considerations.
The right to be forgotten, also known as the right to erasure, detailed in Article 17 of the General Data Protection Regulation (GDPR) is only about 400 words, broken down into three sections. The first outlines the conditions under which data controllers must erase personal data “without undue delay” upon request from a data subject. The second requires the original data controller to notify other data controllers who may be processing the personal data of the data subject’s request. The third outlines exceptions, listing five conditions where keeping personal data supersedes a subject’s right to erasure.
Straightforward, right? Well, for data controllers – including retail and brand marketers responsible for safely guarding personally identifiable information (PII) – Article 17 is rife with potential pitfalls, many of which arise from how marketers interpret rules for compliance. A previous blog in this space detailed the right to be forgotten requirements and identified many of the difficulties with compliance.
Since GDPR doesn’t present a handy guide for how retailers and brand marketers can overcome compliance challenges, we want to share a roadmap for how to successfully navigate the right to be forgotten complexities while showing customers that you value their data privacy.
Data Privacy and the Value Exchange
In a Harris Poll survey commissioned by Redpoint earlier this year, consumers were unambiguous in their opinions about transparency and control in the use of personal data. Strong majorities said that it was at least “very important” that companies tell the consumer what information is being collected (74 percent) and how the information is being used (73 percent). Concerning authorization, 71 percent of consumers said it was very important that they must be allowed to give a company explicit authorization for how data is being used, and 68 percent said it was very important that they be allowed to set specific preferences.
While consumers demand transparency, they also understand that companies have valid reasons for the request and use of personal data. In the same survey, 54 percent of consumers said that they will share personal data in exchange for a personalized customer experience. But if the company or brand misuses or is careless with personal data, nearly 90 percent of consumers said they would likely switch brands.
The consumer/brand value exchange is an opportunity for brands to minimize the percentage of customers who exercise the right to be forgotten – and to deliver a more personalized customer experience. The more a brand demonstrates transparency in protecting personal data, the more data a consumer is willing to share, and the more personalized the experience becomes.
This self-fulfilling cycle is a win-win for marketers; they deliver on consumer expectations for privacy, ensure compliance and documentation, build brand trust, and strengthen customer lifetime value (CLV) by building customer loyalty with relevant, personalized engagement.
Anonymous and Known Considerations
Transparency addresses many of the challenges in addressing the right to be forgotten, because in addition to satisfying the customer it also establishes a trail, if you will, that documents the consent-based relationship. But there can also be legitimate business purposes for anonymizing a known record, or using aggregated information for segmented campaigns, while still honoring the contract with the customer.
To personalize a programmatic ad for a cookie-based, anonymous record, for example, a marketer must have a source for third-party demographic data, which can be combined with anonymous and known records to deliver personalized content. By stripping PII away from a known record – anonymizing the data – before conducting a campaign, marketers accomplish several objectives. They ensure they’re not breaking the trust of a consent-based relationship, they ensure they’re not in violation of the law, and they avoid having an unsuspecting prospect or customer wonder why a brand knows so much about them (the dreaded ‘creep factor’). A failure to properly segregate anonymous and known data will increase the risk that a data subject files a request for erasure.
Automate Compliance with Data Lineage
How, then, do marketers document all the steps they take to ensure they’re complying with the right to erasure for every data subject, while still using relevant data to deliver a personalized customer experience? Marketers need a platform that manages the operational considerations for every GDPR requirement, including consent collection, data rectification, and the integration of that data with enterprise systems. Redpoint’s partnership with PossibleNOW marries the latter’s enterprise consent and preference management platform with Redpoint’s proven data lineage capabilities in the Redpoint Customer Data Platform (CDP).
A robust data lineage solution documents the origin and use of any data that touches an enterprise system; how the data was acquired, its permissions, its current and future use, and movement. It includes mechanisms to mask or forget data, and to inform other systems that data has been masked or forgotten. It is a hub, if you will, to inform other systems of every aspect of GDPR requirements – the right to be forgotten, channel preferences, portability, the right to connect, and others – and the basis for ensuring the accuracy and currency of data used for high-quality customer records that are in turn used to deliver personalized customer experiences.
The right to be forgotten presents challenges for marketers, but it also presents a golden opportunity to better understand your customers. Honoring a customer’s preferences for how their data is collected and used strengthens a personalized customer experience because the currency in the exchange – trust – is more valuable to the customer than getting their product preferences right.
Why the Right to be Forgotten is One of the Hardest Parts of GDPR
What You Need to Know about Consumer Data Privacy Compliance
How Can Marketers Streamline Their GDPR Compliance Efforts?