red mushroom among moss
PHOTO: Harlie Raethel

Once upon a time, a digital fairy lived in a countryside cottage. Her name was Deirdre and she earned her keep running an online bakery. 

Deirdre baked the most scrumptious pastries, from fancy cupcakes and scones to doughnuts and snickerdoodles. She gave her customers lots of tender loving care: entering their names, locations and email addresses into her customer relationship management (CRM) software, tracking their preferences through cookie data on her online shop and using her content management system (CMS) to create personalized offers. The orders kept coming and business was good.

Then one day, the GDPR giant from Euroland stepped in. The giant was not evil, but some global companies had come dangerously close to abusing their access to citizens’ personal data. So the giant brought in a new regulation with this single goal: to give people control of their personal data. Companies who ran foul of the law would be slapped with massive fines that could destroy their existence.   

Deirdre was worried. Her customers, their data and preferences were the lifeline of her business. How else could she peddle her wares if she didn’t have access to that? She lived across the borders of Euroland, but many of her customers lived in Euroland and she would have to bow to the rules of the GDPR giant.

What did the giant really want, she asked herself as she scanned through the pages of the regulation. A voice seemed to whisper: Put the individual at the heart of the journey. Show your customers you value their privacy and personal data. Then they might be more ready to buy your goodies.

Keep It Simple

Deirdre realized that she should simplify. She would only collect personal data she really needed and store as little data in the first place. Data, like her freshly baked breads and cakes, had an expiry date. If she defined how long she would keep the data, she could be sure that she was working off recent data she could trust more. Why should she record favorite breads from two years ago, when old Mrs Graves developed gluten intolerance in the meantime? She would need names and addresses when it came to delivering the goodies, but she didn’t necessarily need a lot of data to start personalizing. Broad behavioral data and content preferences might be better. Did it really matter to have a category “elderly dames in northern England”? Couldn’t she capture this as “people who like the super sweet and dry variation”? Deirdre started to think of her data in broad segments rather than specific descriptors.

Related Article: GDPR Compliance Requires Looking at the Big Customer Data Picture

Reduce the Spread

As she minimized, Deirdre saw she had to reduce her spread of data sources. There were bits of personal data everywhere: in her CRM, CMS, analytics and marketing automation tools. Did she really need all of them? Because customers now enjoyed the “right to be forgotten” and the “right to erasure” under the law, she must be able to show them what data she held about them and then delete it completely if needed. It was far easier to feed less data into her tools and have fewer integrations. Deirdre aimed to reduce her tools to just three: CRM, CMS and an AI search engine.

Encryption Elves

Poring over some research, Deirdre came across two magic words, “pseudonymize and encrypt.” She would store personal data so it was not immediately identifiable as coming from a certain individual. If customers visited her online bakery, she would “hash” names at the point of capture on the site, recording their details as long but unique strings of meaningless data. Instead of storing personally identifiable email addresses or user IDs, she would use system-generated common identifiers to trace individuals between data sources. For instance, if a customer signed up for a newsletter on her website, a universally unique identifier (UUID) could be randomly generated and sent to both her CRM and AI engine. This common identifier became Deirdre’s key to synchronizing data between the systems and to personalization. And best of all: the UUID by itself couldn’t be directly linked to any person. 

Get Consents With Charm

The GDPR giant had made a big deal about managing consent and decreed this should be “freely given, specific, informed and unambiguous.” Haven’t we been doing this all along, wondered Deirdre and scurried to check the current cookie policy on her website. No, that won’t cut it. Silence, bundled or single consent didn’t count and she couldn’t assume that just because customers continued to browse her site, they had consented to her collecting their data. She had to stay away from pre-ticked or opt-out boxes and the catch-all phrase “I agree to all future use of my personal data.”    

What she had to do, Deirdre realized, was to give her customers a real choice to opt-in. She had to explain to them, clearly and simply, what data she was collecting and what she was using it for. Managing consents was becoming the heart of customer journeys. The GDPR giant did not forbid the use of personal data. All it wanted was for companies to use data responsibly and ethically.

Deidre checked if her digital tools were up to the mark. She had to be able to record consents, to show which customers gave consent for what, when and how it was given (email or online, form, etc.) There were two reasons for this: First, she had to be able to show customers what data she collected about them and why, as well as make it easy for them to withdraw consent at any time. Second, if the GDPR giant ran an audit, she had to be able to show why and how she processed what types of customer data.

Deirdre cleverly customized her CMS to include a “log consent” function, which was in turn connected to the personalization feature. In this way, she could capture her customers’ consent to any data use and at the same time create an audit trail that she could call up when needed.

Related Article: Say Hello to Your Brand's Net Decliner Score

The AI Magic Wand

The customer journey starts with consent requests and notifications, Deirdre said to herself. She saw that she could get creative with this, using clear, simple language and giving her customers an easy, straightforward consent process. She didn’t need to get all that data about their diet needs and anniversary dates. She would simply start by asking them what blogs or videos they would like to see. Then get to know her customers better and build a personal element around each touchpoint. She didn’t need to remember dear Mrs. Smith’s birthday and agonize about surprising her with the perfect cake. The smart AI engine could detect what was catching Mrs Smith’s fancy and delight her with just the right gift. Deirdre could effectively dish out relevant content without personal data, or personalize without getting personal, if you will.

The GDPR giant would be pleased. Deirdre wouldn’t be just pushing her marketing messages, but giving customers the most relevant experiences that they want. The law had got her focused on doing the simple things well. She could cut out all that noise of data she didn’t really need, reduce it to the essentials, and still win her customers with scrumptious cakes and pastries. All was well again with the digital fairy and the GDPR giant from Euroland.