“Are You Getting My Good Side?”: What’s Your Profiling Strategy for GDPR?
June 5, 2017 – Scott Meyer
Are you getting my good side? With the deadline for GDPR compliance under a year away, if you haven’t thought through how your company profiles users, and whether you have the rights to do so, you could find yourself in big trouble. Conversely, if you get this key part of GDPR compliance right, you are in great shape. I’ve written before that companies need to get their GDPR “Un-Readiness Assessments” done. If you are not well underway in this regard, stop reading now. If you are, I think this will help.
We’ve been talking a great deal to the members of our GDPR Partner Program. Three big next steps are consistently emerging as priorities:
- Profiling: Your company must know if it is profiling EU Citizens and what kind of data is going into the building of these profiles. This covers data your company collects directly and data your partners collect on your behalf.
- Legal Basis: If I am profiling, what is my legal basis for processing the different types of data that go into the profile that I build and that partners build from my data? Answering this will guide your company in determining where you have a legitimate interest to process the data without prior consent vs. where you need to obtain consent from the user in advance.
- Designating a Data Protection Officer: Do I need a DPO?
I’m only going to cover 1 & 2 in this post, as the need for a DPO is well-covered.
Profiling, and the Legal Basis for doing so, are quickly moving up on the radar of most EU regulators. The Regulator will need transparent documentation of your company’s profiling effort in order to determine whether your consent process is compliant or not. If you work in Ad Tech or MarTech, this is the most important GDPR issue to contend with.
Out there in GDPR-land, the service firms are working 24/7 to perform these analyses. Getting it right, particularly when you have a robust Digital Supply Chain, requires more than just interviews and populating a Data Mapping and Privacy Impact Assessment tool. It means knowing what is actually going on.
We hosted a webinar with our guest speaker, Forrester Research’s Fatemeh Khatibloo, where she took us through just how hard it is to get this right, especially in the eyes of Consumers.
So getting down into the granularity of how your company profiles users is the #1 must-do right now. This is especially important as you transition from your data mapping and planning exercises to documenting how you profile and figuring out how to bucket your data collection:
- Profiling that is Essential
- Profiling for which I have a “Legitimate Interest” without prior consent; and
- Profiling that requires prior consent
This is also where the GDPR connects directly to the current Cookie Law and the planned revisions to make it a Regulation. Today, the cookies listed in those notices are generally grouped into Essential, Advertising, and Analytics & Research, all on an opt-out basis; that will change. It will also be specific to each site: what counts as a Legitimate Interest or Legal Basis for a publisher will be different than for a retailer.
The GDPR game will be won or lost based on how your company puts its digital supply chain into these three buckets. And that gets to the final challenge: WHO are these companies and WHAT data are they collecting?
We’ve built an audit workflow, based on our Trackermap, that can help your company, and the service providers you rely on, get this right. We’re looking forward to hearing from you!
Please feel free to share your thoughts with me directly at scott at evidon dot com, and on Twitter @scottmeyer and on LinkedIn.