MarTech and GDPR Data Requirements - Privacy

Are marketing technology vendors invested in compliance readiness for the General Data Protection Rule (GDPR)? Or have they taken the casual, toss-up-a-few-blog-posts kinda approach? Tim Walters, partner and privacy lead with New York City-based Digital Clarity Group and a GDPR analyst, told CMSWire the commitment from MarTech vendors is all over the map. Taking an informal survey on MarTech vendor websites, he was surprised to see a lack of GDPR insight given the GDPR will "fundamentally affect the way most companies do business around any kind of personal data." Walters called the lack of information suspicious and problematic, adding lately he has seen some vendors “getting on the bandwagon.”

They surely have a lot of work to do, as we discussed in this week's report on MarTech vendors and GDPR compliance.

Beyond GDPR Whitepapers?

Walters is not alone in his thinking. "Vendor responses to the 'preparation for GDPR' question range from detailed, dedicated GDPR website pages to the offer of generic 'here's how you prepare' themed whitepapers," said Lisa Loftis, principal consultant for CI Advisory Services for SAS Best Practices. “And frankly, given the compliance deadline of May 2018, I believe that any vendor who is not deep in the throes of formulating solutions for this has already missed the boat.”

Zachary Paruch, product manager and legal analyst at Termly, where he works to build legal policies for American companies and vendors, thinks most MarTech vendors are only vaguely aware of GDPR. "As it is EU legislation, those of us in the US are skeptical of its scope and efficacy, particularly here in the states," he said. "MarTech vendors do not recognize the extent of the overhauls they need to make, and are waiting for the legislation to take effect in May to see what pans out."

Anne P. Mitchell, attorney and CEO/President of SuretyMail, believes far too many are behind the curve, and very few are ahead of it. "In the industry groups to which we belong," she told CMSWire, "we're only just starting to see the panicked questions."

MarTech Vendors on GDPR

Let's crack the vendor code, shall we? We caught up with a few MarTech providers about their GDPR compliance plans.

Janrain

Lewis Barr, general counsel and vice president of privacy at Janrain, told CMSWire that the Portland, Ore.-based company conducted a gap analysis to determine the work it would need to do in separate roles as a data controller and a data processor. "We are a data controller with respect to the personal data we collect from business prospects and other individuals, such as those submitting their data on our website to request a whitepaper or sign up for a webinar, and we are a data processor with respect to the personal data we receive from our customers' online properties and store for our customers as part of our services," he said.

Janrain had already implemented EU-U.S. Privacy Shield self-certification and third-party audits and security controls for compliance with ISO 27001:2013 and the SOC 2 Type 2 Availability, Security and Confidentiality Trust Principles.

On Tuesday, Janrain formally announced two cloud security certifications, including one specifically for PII handling, which is a central part of the GDPR legislation, company officials said.

Sitecore

Ryan Donovan, SVP of product management for Copenhagen-based Sitecore, said the company is reviewing its internal practices and product features. "In the upcoming versions of Sitecore we will add new features to help our customers address GDPR compliance, including a renewed focus on personally identifiable information (PII)," Donovan said. "We are improving encryption (data at rest encryption) to personal data in the Sitecore Experience Database (xDB), and ensuring that specific features our customers may choose to implement in response to GDPR, such as Right to be Forgotten and Data Portability, are supported."

Campaigner

EJ McGowan, general manager at Campaigner, a j2 Global company, said Campaigner supports both single and double opt-in formats, provides forms to ensure acceptance and confirmation and permanently stores the IP address and timestamp of the confirmation.

"The platform will not send to customers who are in the 'pending' state of opt-in," McGowan said. "For customers who may not have opt-in information, we currently provide all the tools necessary to reengage them. We are considering wrapping these tools into a specific feature for reengagement if we find it something that will help them in their businesses."

Acquia

A spokesperson for Boston-based Acquia said the company is building on work it's done to obtain and maintain its EU-U.S. Privacy Shield framework certification, as well as work with customers around the EU model clauses that Acquia has also implemented. "We're focused not only on meeting our own obligations, but also on providing the tools that our customers will need to help them meet their obligations under GDPR as well," the spokesperson said.

BloomReach

Mountain View, Calif.-based BloomReach started its GDPR-compliance work one version ago for its web content management offering.

It continued to stress GDPR compliance in a release on its BloomReach Experience web content management platform last month.

"As a result, we have built out an end-to-end, privacy-by-design framework to help organizations comply with their GDPR obligations with out-of-the box tools available as part of the Bloomreach Experience platform," said Irina Guseva, senior director, product marketing.

BloomReach has built out custom data collectors, consent cookies and forms, the right to be forgotten and deleted upon request, the ability for customers to specify what types of personal data they allow to be collected and how it should be used, etc. All of that is already available directly in the BloomReach Experience solution, Guseva said.

Oracle

Redwood City, Calif.-based Oracle is working to operationalize the new data protection requirements applicable to Oracle's processing of online marketing and advertising data throughout the entire Oracle Marketing Cloud and Oracle Data Cloud service data lifecycle, a spokesperson told CMSWire. With the GDPR's focus on pseudonymization, data science, analytics and related technologies, Oracle intends to continue enhancing its current data handling practices toward that goal.

Oracle Marketing Cloud and Oracle Data Cloud priorities for GDPR readiness are:

  • Reviewing the systems and processes that handle personal data
  • Assessing the GDPR's enhanced privacy and security requirements
  • Enhancing the diligence process surrounding the Oracle Data Cloud's data sources and Oracle's service providers
  • Creating trainings and guidance for employees
  • Monitoring developments and guidance provided by data protection authorities
  • Updating contracts and privacy policies before May 25, 2018

Acxiom

Sheila Colclasure, chief privacy officer and global executive for privacy and public policy at Conway, Ark.-based Acxiom, said Acxiom has a mature, robust data protection and data governance program built on Ethical Data Use (EDU). "We are using the GDPR as a catalyst to improve and strengthen our program," she said. She went on to note that Acxiom is focusing on the Data Privacy Impact Assessment (DPIA) requirement under GDPR. "We are actually deploying our own 'compliance tech' to help us meet GDPR compliance obligations, including helping us make our DPIA process faster and more agile," she said.

Episerver

Episerver's recent EU-U.S. Privacy Shield certification and Peter Yeung's appointment as global data protection officer are part of a larger security and compliance initiative at Episerver to ensure comprehensive preparation for GDPR legislation.

Stockholm-based Episerver's Privacy Shield Certification is just one of many ongoing initiatives to reinforce its commitment to data protection and privacy and market leadership in cloud security, Yeung told CMSWire.

Episerver is focusing on privacy by design, affirmative consent, data encryption, retention, deletion and pseudonymization policies and procedures.

Demandbase

Dom Lindars, VP, product and marketing solutions at San Francisco-based Demandbase, said Demandbase has not historically captured or stored PII, but data protection and privacy is becoming a serious part of how they "manage data and work with customers and individuals." The organization is currently in the process of hiring a chief privacy officer.

SDL

UK-based SDL is getting ready for GDPR by using not only guidance from the Article 29 Working Party and Supervisory Authorities, but interactions with worldwide customers. "As SDL is a potential data processor — for a range of customers both in the regulated and non-regulated industries — we learn from our customers' interpretation of the GDPR requirements, which helps us develop commercially pragmatic solutions for GDPR compliance," an SDL spokesperson said. "We are monitoring progress with the promised UK Data Protection Act as it will be a key factor in considering the likely situation post-Brexit for processing personal data in our global business."

Act-On

David Fowler, head of digital compliance at Act-On Software, said it's "all hands on deck" for GDPR compliance.

"We have evaluated all aspects of our business that may be impacted by GDPR," he said, "and have conducted both internal and external analysis of any gaps that we may need to address."