Man looking at data on screen
Marketing technology vendors need to be in compliance with the European Union's General Data Protection Rule in eight months. How prepared are they? PHOTO: Tirza van Dijk

Marketing technology vendors face a "multi-faceted" challenge to ensure their personal-data-gathering systems comply with the European Union’s General Data Protection Rule (GDPR).

Specifically, they must secure data against unauthorized access, facilitate a deeper level of customer consent, provide auditable descriptions of actual data use, and be able to verify data veracity and removal.

Lisa Loftis, principal consultant for CI Advisory Services for SAS Best Practices, shared those sentiments with CMSWire as the compliance date (May 25) for the GDPR looms less than eight months away. GDPR is a new set of data privacy protection standards for the European Union (EU) that applies to any company that holds personal information of EU citizens.

The big question now is this: Have vendors even started to brace for GDPR like marketers themselves?

GDPR Readiness: Security, Privacy, Quality 

Headshot of Lisa Loftis, principal consultant for CI Advisory Services for SAS Best Practices.
Lisa Loftis

CMSWire caught up with some industry experts to discuss GDPR preparedness specific to marketing technology (MarTech) vendors.

Loftis said the onus on the MarTech industry is a “multi-faceted” one that includes data security, privacy, quality and lineage. 

Most vendors, she said, seem to be focused primarily on security with little thought to the privacy or quality/data lineage components. 

“To be fair, quality/lineage is actually an enterprise problem that transcends any single MarTech platform or vendor,” Loftis said. “The sheer number of solutions included in Scott Brinker’s 2017 MarTech Supergraphic illustrates this point. The applications included in MarTech today include virtually every system in an organization sans the traditional transactional and ERP-type applications. Vendors focusing primarily on quality/lineage are given equal billing to those whose focus is more traditional marketing or advertising technology.”

MarTech vendors should focus on each: security, privacy and quality/lineage, Loftis added.

(Editor's note: Stay tuned for our coverage of how MarTech providers are addressing GDPR compliance.) 

Data-Centric Audit and Protection

In the realm of security, MarTech vendors should recognize whether their product or platform can incorporate a DCAP (Data-Centric Audit and Protection) solution, one that focuses on securing data as it moves from application to application. 

MarTech companies should investigate the EU-US Privacy Shield framework and consider how to incorporate audit capabilities for consent and information use into applications. 

“This might end up being the most impactful component of the regulation for companies with significant numbers of EU citizens in their client base,” Loftis said. “Failure to comply here can result in more than a substantial fine — the consequence can involve loss of customers for the companies using these technologies. I believe that vendors who provide comprehensive solutions here will gain significant competitive advantage. And those who don’t may lose large numbers of clients.”

For those MarTech vendors that lack the ability to influence the quality and lineage requirement, forge partnerships with the vendors in this space, Loftis said.

Graphic that includes logos of the more than 5,000 marketing technology vendors, who are now charged with General Data Protection Rule compliance.
Scott Brinker's marketing technology landscape graphic. Are these vendors GDPR-ready?

GDPR Is Transparent Regulation

Ultimately, there is no excuse for GDPR ignorance. It is not an “unknown future” like some hyped technology trends tend to be, according to Tim Walters, partner and privacy lead with New York City-based digital consultancy Digital Clarity Group.

GDPR is a blueprint, he said, for how companies will need to adapt to ensuring privacy.

Headshot of Tim Walters, partner and privacy lead with New York City-based Digital Clarity Group.
Tim Walters

And they need to be ready — and fast. The data minimization principles will represent radical changes for MarTech vendors, whose inherent strategy in their toolsets stress the capability to collect the most data possible in the most sources and keep it forever, essentially.

“This is a 180-degree contradiction to their established practices of data maximization,” Walters told CMSWire. “Accumulate as much as data as you can. That data maximization has been more or less the common practice.”

It’s not as if personalized customer experiences are impossible under GDPR. Provided customers and prospects have control of their own data, “go to town” on keeping personalization efforts in play, Walters said.

Internal Data Governance

GDPR may be about data protection but it’s more so a game of a company’s internal data governance, according to Darren Abernethy, senior global privacy manager for privacy compliance solutions provider TrustArc.

Will MarTech vendors offer technology that is GDPR-ready? It depends, Abernethy said, on their current practices and internal organization.

“But it is very likely that most would not be ready at present for a regulator’s audit,” he added. “Governance means having the right people, process and technology in place to demonstrate organizations have thought through issues of data privacy and security, and that this is reflected throughout the organization.” 

Know Thy Data

Headshot of Darren Abernethy, Senior Global Privacy Manager at TrustArc
Darren Abernethy

What can MarTech providers do for data governance? Provide clear visibility into all of their data flows. Know from where it comes and what type of data it is. Understand that “personal data” will now include online identifiers, geolocation, IP address and other technical or pseudonymized IDs.

Know where and how long it will be stored, and with whom it will be shared. 

“Then this information can be categorized, mapped or inventoried, and more easily retrieved in order to respond to data subject access requests or requests for deletion, and to comply with new record-keeping obligations,” Abernethy told CMSWire.

MarTech providers will also need to update existing technologies and build new technologies that are in compliance, according to Peter Milla, GDPR and data protection consultant for market research technology provider Cint

“Of particular importance will be how consent is gathered,” he said. “In addition to technology, operational practices must comply with GDPR. 

MarTech providers will need to implement “Data Protection by Design,” which means implementing appropriate technical and organizational measures designed to implement data protection principles, such as data minimization, and integrate the necessary safeguards into processing, Milla added.

MarTech Vendor’s Worst Nightmare?

Is the GDPR a MarTech provider’s worst nightmare in an age where "data is king"?

Not at all, Abernethy said. 

Most companies have come to embrace this as a net positive in the long run because it is an opportunity for further customer/partner engagement, to be a competitive differentiator and to re-think stale practices that lead to stale data.  

“Once companies go through the growing pains of assessing their existing status/practices and making the key adjustments they need to comply, it is actually business-enabling,” he said. 

Prospects and customers will get emails they actually want, for instance. MarTech vendors will also have improved internal security practices, updated technology/infrastructure and more buttoned-up vendor and co-controller agreements.

"And when GDPR-compliant," Abernethy said, "companies can then look for interoperable means of leveraging that work toward other global data privacy/protection regimes.”