The European Union’s General Data Protection Regulation (GDPR) will have a profound impact on marketers, particularly around customers opting in to having their data stored and shared. Issues around consent, analytics and the right to be forgotten should be high on the agenda for marketing leaders.
However, the physical data related to each customer also has to be considered. Records have to exist somewhere, and these copies of data should also be considered when it comes to security and data protection. The points below cover the short-term decisions that marketers should be aware of now, as well as what they will have to change in order to comply with GDPR.
1. Do you know where your customer data is?
Many marketing services now rely on IT services, often hosted in the cloud. Most large enterprises have their CRM systems hosted for them by the likes of Salesforce; these cloud-based services make it convenient for teams across the sales and marketing departments to collaborate.
However, many don’t think to protect the data that exists in this kind of cloud service. While cloud services are often sold as being ‘easier to manage’ and without the headache of caring about security, the truth is that this responsibility doesn’t go away.
All marketing departments should therefore have their own copy of their data held in Salesforce. The data should be held in a separate location just in case the service should not be available for any reason, such as downtime for maintenance or loss of Internet access.
This backup can be used in the event of any data being lost – typical reasons for data loss include data corruption, wrong information being overwritten or accidental modification through integration with a third-party application that goes wrong. If you do need to request backup data from Salesforce directly, there is a minimum wait of 20 days at a flat rate charge of $10,000, with no guarantee the information required will be there.
2. No, do you really know where your customer data is?
Another reason for using cloud services is that the information they hold can be accessed easily wherever and whenever it is required. Need to run a report on CRM data? Simply log in, download the necessary figures and then your spreadsheet is done.
However, this ease of access can lead to big problems later. Copies of the customer database can be saved on individual laptops or phones, which can then be lost or stolen. Similarly, old versions of customer data can hang around and then be used in error.
There are two issues here. The first is the general lack of awareness around when and how individuals can be working with data in this way. The second is the potential risk around ‘right to be forgotten’ decisions; any customer no longer using a business service has the right under GDPR for their records to be deleted. This means removing all records from all copies of the customer data.
Imagine if, after a customer requests that their data be deleted, the wrong customer list is used for a marketing campaign. A breach of GDPR would have occurred, and a potential fine of up to €20 million or 4% of company turnover would be in order.
Overcoming this means knowing where all copies of data exist – both the company’s official versions, and those copies that people may have created over time.
3. Do you know how your customer data is getting used?
Alongside reports from cloud services, there are other ways that customer data might be used across the business. This kind of personally identifiable information (PII) can be used in marketing planning. The risk is that PII gets shared beyond those who have been trained on security responsibility.
To combat this, there are two steps that you can take. The first is to educate people across the whole business on the value of customer data: all employees should be trained to think of those customer records as being just as critical as any internal data.
The second is to try and track when files containing PII records are created. By looking out for specific data that match the formats of common customer data sets, such as credit card numbers or customer IDs, companies can ensure these files are then protected.
4. Have you captured all the ways that data gets used?
Alongside these internal reports, it’s also worth looking at how data is used by other services or partners. For example, data from CRM systems may be analysed by other cloud services. Depending on how these services work, they may take and retain a copy of that data.
Similarly, marketers may work with agencies or consultants on their projects. If copies of data are shared with them, then their processes around data security should also be checked. Collaborating with your IT team on these issues to know what can be shared securely is a good idea to avoid potential problems in the future.
What next for marketers?
GDPR will come into force in May 2018. Businesses will have to have full and honest disclosure to their customers around how their data will be used, and that relationship will have to become more nuanced over time. As part of preparing for this, it’s important that marketers look at the internal steps that they take around customer data security too.