By Scott Logie, MD, Insight at REaD Group
At the recent Data IQ event I jointly chaired a table discussion on the GDPR ready Single Customer View (SCV). This turned out to be a very interesting experience. First of all, there was a huge range of requirements, from B2B SCV development to “How do I get started”, “How do I get funding for an SCV” through to “How do I make my SCV real-time” and “How do I connect Google Analytics data into my SCV”.
This obviously created a lot of discussion with different brands, at different levels of development, able to share their experience with those who are just getting started. Hopefully everybody enjoyed the discussion and got a lot out of it.
From a GDPR point of view, there were three main areas of interest that came out:
- How do I keep the data in my SCV current and up to date?
- How do I structure the SCV so that I can hold permissions and consent correctly?
- What do I need to do to ensure that I share the correct information with my customers, as and when this is required?
So, taking each of these in turn:
Keeping the data up to date
What became apparent during the conversations was that there are different levels of understanding of what is required under GDPR in terms of keeping data up to date. This isn’t that surprising as most of the concentration to date has been on consent and ensuring that we have permission to contact the consumers we want to engage with.
However, we have an obligation as well to keep the data we hold current and clean. And to archive or delete what is no longer needed. In some cases this has not been considered, in others it was seen as a lower priority.
From a REaD Group point of view, our advice is very clear; with the GDPR Article 5 requiring that personal data be kept clean and accurate (or be deleted!) choosing a trusted solution to optimise the quality of your data and maximise compliance is now business critical. Whether this is ad hoc but planned updates, real-time access via APIs or licencing of the different industry suppression products there is no choice but to make sure there is a solution that works for your business in place.
Structuring the SCV for holding consent
To be honest, there is no easy way to answer this. We have tackled it by building a consent table that holds each of the key pieces of information – which allows us to manage change over time – that is then referenced on each customer record. This allows us to ensure we keep the most recent permission against a record, by channel, but also enables us to track changes over time. This does result in a very large lookup table but better that than extending customer records.
The other thing to bear in mind is to hold both what consent was gained, where and when but also what the usage you have agreed for that customer record by channel. For example, you may have gathered consent to contact by Direct Mail but have chosen Legal as the reason for contact and this needs to be held. In addition, note that this needs to be managed by customer, by product, by channel so can become cumbersome if not managed correctly.
Giving consumers access
Finally, from a consumer access point of view, I think there are two key things to consider in terms of contact: managing subject access requests (SARs) and also allowing consumers to see what information is held on them for permission management.
From a SAR point of view, there were two clear messages:
- Be very clear what is going to be shared as part of a SAR. It’s not my place to advise what the content should be but what was interesting was how varied and differently detailed each SAR response format was going to be. I think this is something to be tackled early, agreed with your legal teams and shared as appropriate.
- Having an SCV doesn’t sort out SAR responses but it helps a lot! Having as much data held in one place as is possible makes the tracking of information needed for a SAR substantially easier.
From a permission management point of view, again there were a lot of different views and positions. Some organisations, the more digital email only brands in particular, seem to be using their ESP to manage and share permissions with customers. For others there was a work stream to agree what was to be shared and how. Interestingly, no-one stated that they were fully on top of this.
There are many approaches to be taken here. At REaD Group we have partnered with a business, My Life Digital, who provide a Permission Management solution. We are implementing this for our own use and also recommend it for our clients. Other solutions are available!
Overall, tackling GDPR compliance from an SCV point of view isn’t a luxury but a necessity. Keeping the data current, tracking permissions and consent and ensuring that SARs can be responded to quickly and accurately are all part of the new world of data management. It was very clear that there is a lot of work to be done, by big brands and smaller businesses, to meet the basics never mind the nice to haves. It’s going to be a fun year!