Commentary
The GDPR Is Coming, The GDPR Is Coming: Tools To Help You Comply
- by Ray Schultz , Columnist, November 14, 2017
Yeah, we know: it’s only a couple of weeks since our last GDPR update. But the panic levels are rising because the regulation takes effect in a mere six months from now. And marketers are trying to make sense of the opposing opinions, differing polls and the welter of new regtech products that help with compliance.
Among those new offerings is one from Gigya, the customer identity management company, which does 45% of its business in Europe. It recently introduced a product called Gigya Enterprise Preference Manager, which allows firms to manage consent settings and customer preferences, in compliance with GDPR.
As Gigya sees it, the key issue is resolving the identity of those who give and withdraw permission to use their data. It’s not easy, given the many systems and databases that exist at some companies.
“We work with one major pharmaceutical company in Europe, that has over 1800 systems internally that contain customers’ personal data,” says Gigya CMO Jason Rose.
advertisement
advertisement
Gigya can help companies pull all that data together in a centralized fashion, Rose says. That means it can determine a consistent identity for all those permissions and unsubscribes, some done on Gmail, some on Yahoo, often with different spellings.
“Technically, it doesn’t matter,” Rose states. “When we have an account that’s logged in different places, we can do deterministic matching based on the device ID.”
Then there’s Openprise, which claims to be a one-stop shop for companies trying to comply with GDPR. It recently introduced the Openprise Data Orchestration Platform, which automates data onboarding, data cleansing and enrichment, data unification across systems and data delivery.
It can also help with other problems—like the fact that some vendors won’t sign data protection agreements (DPAs), assuring users that they are in compliance with the GDPR.
“You need to sign a DPA that certifies where you got data from and that you’re not breaking any laws,” says Allen Pogorzelski, vice president of marketing for Openprise. “But none will sign a DPA.”
Why won’t they sign? Because they’re getting the data from many sources. And many companies are buying up data, knowing that “they won’t be able to do it after May 18th.” Pogorzelski says.
However, Openprise claims it can help, by providing fine-grained data capabilities. If a person only provides an email address and name, “you don’t know they’re in the EU,” Pogorzelski says. “We can identify EU data if the country field isn’t filled out. And we can control the flow of EU data out of your company. so you can use third-party data providers even if they don’t have a DPA in place.”
Sadly, GDPR awareness remains dim in some sectors. Openprise fielded a survey of 250 registrants at the recent Dreamforce conference, and preliminary show that the “the vast majority that are responsible don’t know anything about it,” Pogorzelski reports. So education is part of the mission of all vendors helping with GDPR compliance.Yet U.S. firms with European customers risk heavy fines if they don't comply.
Still another type of service is offered by BitSight, which functions as a cyber security rating firm, somewhat like a consumer credit bureau.
“If you’re an organization doing business with hundreds or thousands of different third parties, you want to know the security posture of a company before you go into business with them,” says Jacob Olcott, VP at BitSight.
Under GDPR, companies are responsible for using compliant vendors. But it’s not easy to achieve that. BitSight offers supply chain risk management with ratings based on external observations of organizations.
BitSight largely serves the financial and insurance industries, but can help other types of companies.
GDPR doesn’t only affect consumer marketing.
“There’s no difference at all between B2B and B2C,” says Julian Archer, senior research director at SiriusDecisions, a firm that serves a B2B customer base, offering advisory and consulting services for marketing operations, governance of data, and compliance with GDPR.
Interest is growing, Archer says. “Six months ago, it was a trickle,” he states. “Now we take four calls a day on GDPR.
Contrary to those who predict the end of marketing, Archer sees GDPR as an opportunity: It will simplify matters and force companies to look at their processes and data management.
It will also simplify things.
“There are 28 countries in the EU, and all 28 write their own national laws,” he says. “The GDPR is a European Union-wide law.”
But Archer strongly recommends using a double opt-in for permission. And he urges U.S. marketers to stop thinking in terms of personally identifiable information (PII), a tiny subset of the whole data picture
GDPR covers “any information that can directly or indirectly identify someone—a chart, an IP address, location, search history—it’s all covered under the EU as personal data.”
He counsels, ‘Stop using the term PII. You’re not being honest with yourself and not looking at the full scope of things.”
Archer continues that marketers need not go over it line by line to find “what’s the law in Argentina, or Ecuador or Lichtenstein.” If you have consent, firms like his can help you cope with it.
Finally, let’s look at Identillect, which says it can help firms with the many nuances of the GDPR.
“When you look at regulations, they all function the same way,” says Todd Sexton, CEO of Identillect. “There are
18 personal identifiers, and they’re asking you to encrypt those identifiers or mask them so you cannot pull additional info on that person.”
Sexton adds that Identillect is “100 compliant with GDPR,” and that its system is geared to helping clients do all they need to do to comply.
Had enough for today? Wait—this just in. AxonIQ, a software platform provider for event-driven microservices systems, is offering its GDPR Module for data erasure such systems. The GDPR requires data erasure—on request, but it is a difficult problem and “stressful for companies who are tasked to implement solutions or risk severe repercussions," states Jeroen Speekenbrink, CEO and co-founder of AxonIQ. That’s where firms like AxonIQ come in.
One caveat MediaPost does nor endorse or vouch for any of these services.
We’ll catch up again soon.
I've only made it through your write up of Gigya and Openprise so far.
About Gigya, you report they claim deterministic capabilities using device ID, but I note that you don't explain where they obtain the explicit consent to use device Ids. I was under the impression that they were a data processor and had no rights whatsoever to use device IDs.
Then, you reported that Openprise is claiming to know the nationality of users from an email address, and that lead/data sellers are not willing to sign a DPA. Is Openprise claiming to be sitting on an email nationality database, again having promoted itself as a data processor without any consumer rights whatsoever.
Forgive me Ray. I do appreciate that these companies are spending the money on your conferences and I understand the relational issues.
I am not sure that these companies are going to gain the trust of the client by making the sort of bold claims that they are making, because they are begging the question about their own business practices.
If you operate a data processing business, the first thing you need to do is clarify that you are a data processing business.
I'm not sure anyone with a modicum of intelligence is really going to trust a processor that claims they have all these data points but fails to make it clear how they obtained the consent and permission of the subject to use the data for thesw purposes.
For our part, we're actively working to execute data processing agreements with both groups of data controllers for whom we process.
Feet on the ground.