For decades we have been hearing about the importance of maintaining a healthy diet, the importance of moderation, of balance and of exercise. And for any diet, we know that not only is caloric intake important, but also the type of intake. Sugar, starch, protein, fat and fiber, it all has meaning and it all is important. The importance of a healthy diet has now become part of our “Data diet.”
In the last several years, data storage became less expensive. With a move to the cloud, not only was data storage inexpensive, but we no longer had to own the resources to store all this data. Life was good – or so it seemed. A veritable all-you-can-eat data buffet without ever having to consider the consequences. The concept that “more is better” became all too real; we were flush with marketing data. And so, the story goes: If a consumer was willing to provide it, we were willing to collect it. Not necessarily concerned with security and privacy, after all, the customer was providing the data. Also, since we were not asking for bank or credit account numbers, was there any real harm in gathering all of this personal data? As for the practical use of this data, there was not much of a story to tell — at least not yet — but we had the data.
And so, just like too many trips to the food buffet, the consequences of this inevitable data bloat came home to roost. First, it was the personal and account number data breaches at department and big-box stores, credit reporting agencies, transportation companies and others, only to be followed by the mishandling of personal information by some of the internet giants. The cost of holding too much personally identifiable information (PII) without proper protections or possibly even worse, the improper management and use of this personal information, became all too real.
While this phenomenon was happening in the field, organizations such as NIST, ISO and AICPA got involved to create standards that would help to ensure the security, confidentiality and privacy of such information. Additionally, every state in the United States came up with its own data privacy regulation, and in Europe, the General Data Protection Regulation (GDPR) came of age. Putting it all together, for an enterprise that was breached, the issue became the source of significant cost for card replacements and credit monitoring services, millions of dollars (or more) of lost profit and ongoing reputational damage. And so, as the GDPR and other regulations continue to emerge; it is clearly the dawn of a new day in the marketing data collection business.
What then, are our best next steps?
Step 1: Starting point, Find the data.
Know where your data resides. For companies that feature a single flagship product less than about 10 years old, this should be a very tractable problem. It is likely that you have a single data store with data in a single location, though perhaps with inadequate controls. The challenge is then one of data organization, rationalization and controls.
For those companies with multiple, sometimes even hundreds of products built up over many years by acquisition, or companies with dozens of databases containing personal information, it is a much larger challenge. This will require not only careful analysis to find the data but is likely to incur software refactoring to segregate the PII from co-mingled, historical, transactional information. Once this PII has been found and separated from the non-PII data, the challenge is, to the extent possible, to accurately consolidate overlapping PII.
Step 2: Rationalize the data you keep.
Once the data has been found and is somewhat consolidated, determine the validity and usefulness of the data already collected. If the data stored is more than three to five years old and there is not a legal or financial requirement to maintain the data, it has probably outlived its marketing usefulness. At this point, it is time to either pseudonymize, anonymize or to just simply delete the data. Consider it a boat anchor to be jettisoned while you reorganize the rest of your ship. As a QSA / Assessor friend of mine says, “If the data is not making you money, you have to question why you are holding it.”
Step 3: Get an updated customer consent; Step 3a: Rationalize your CRM lists
For data that you decide to maintain, you will now want to go to your client base and request consent to continue using this information. Your request ought to speak well about the benefits of giving consent, such as taking advantage of money saving offers, being introduced to interesting new products and receiving valuable promotions. The best advice is to make this sound very attractive, given that getting an updated consent may be a one-and-done opportunity. Otherwise, with the recent spate of negative headlines, you will get more “Nos” than you like from a clientele that have heard nothing but bad news regarding personal data collection. Additionally, asking for consent provides another reason to reach out and contact your customer base, and with it, an opportunity to refresh your CRM lists, rediscovering those customers and clients who are still genuinely interested in your product or service. With GDPR, which leans toward a “principle-based” regulation as opposed to a highly prescriptive regulation, demonstrating your proper intent, that is, “doing the right thing” does matter, particularly if doing the right thing puts you on a path toward full compliance.
By exercising these first few steps, you will likely have made significant progress in the management of your customers’ and clients’ personal information; furthering your GDPR compliance as follows:
1. The location of all customer PII is now identified for all future database design. Knowing location will also provide certainty in the case that something bad does happen and you need to be able to quickly access this information in a certain, complete and auditable way. Whether you are considered a data controller, processor or both, GDPR requires that you are fully aware of and can easily access all of the personal information that you maintain. Having ready access to the PII in your database has accomplished a GDPR principle.
2. You have rationalized the quantity and quality of the data that you are maintaining. A side benefit being a potential significant reduction in data storage costs, whether it is on premise or in the cloud, these are real savings. In doing so, you have decreased the task at hand of managing and protecting the personal information you choose to maintain. You have created standards for the removal of aged data, and now there is a reason for each piece of data being collected, which achieves a greater level of transparency in data collection. Another GDPR principle accomplished.
3. You will have gotten a dated consent from your customers to continue with the use of their data. Something you may have received before, but it is unlikely that you have saved both the consent and the date upon which it was received. Again, GDPR principle accomplished.
With these objectives achieved, a practical and compliant data roadmap can be established that has included, as the first step, the separation of personal information from all transactional and other data. Plans can then be established for the proper encryption of all PII, with a design for data presentation that supports activities such as customer service and for marketing data usage. These functions will be addressed in the next paper: Marketing Meets GDPR, Part 2: Data Management, Presentation and Usage.