The General Data Protection Regulation (GDPR) is the European Union’s new privacy law that harmonizes and modernizes data protection requirements. While there are many new or enhanced requirements, the core underlying principles remain the same. The new rules have a broad definition of personal data and they have a wide reach, affecting any company that markets products and services to individuals in the EU. As your trusted data processor, we’re committed to compliance and to helping you on your GDPR compliance journey.
Building on the certified security controls underlying Adobe Experience Cloud solutions, Adobe Analytics is working to incorporate additional functionality to better support organizations as they prepare for GDPR.
Things to Consider
In advance of the GDPR effective date, Adobe recommends customers evaluate the following areas.
Your Customers’ Rights as Data Subjects
GDPR provides individuals (Data Subjects) with enhanced rights to information that companies maintain about them. As a data controller, you should be prepared to handle these types of requests (e.g., data access and data deletion).
- Review existing consumer rights workflows, internal processes, and points of contact to determine how collecting analytics data will align with current processes.
- Identify a process to receive and respond to Data Subject requests. Consider building an automated tool to manage those requests.
- Consider how you will collect identifiers from Data Subjects (e.g., privacy mailbox, web-based form, etc.).
- Consider authentication and validation requirements, particularly since data in Adobe Analytics can often be described as indirectly identifiable data (e.g., IP addresses or cookie IDs rather than authenticated data, such as where a user provides an email address).
- Conduct a data review prior to providing the Data Subject access to their data. Document the steps you put in place to help you establish an audit trail.
Organizations may need to obtain consent for certain types of analytics activities. Adobe Analytics customers are responsible for how and what data is ingested into Adobe Analytics. With GDPR in mind, you should understand which data sources and associated data types fit best for your required use cases and consider whether consent may be required for each case.
To assess the need for consent and to develop an approach, consider the following:
- Determine what data you currently are collecting and want to collect in the future.
- Assess how you will use it and your legal basis for processing.
- In those instances where consent is needed, determine how you, as the data controller, will get consent or if your current consent approach is sufficient. This can be managed internally or by using a third-party consent manager. A list of some of the privacy tech vendors in this space, some of which offer consent managers, can be found here.
- Decide whether to design a contextually relevant and on-brand consent experience (think Experiential Privacy) while determining the best approach for honoring consumer opt-outs or withdrawal of consent.
Data Minimization and Data Retention
To address GDPR’s data minimization principle (i.e., limiting data collection to what is necessary for a particular purpose), take this opportunity to review your data collection practices.
Evaluate and balance the cost of keeping, securing, and responding to individual rights requests against your business needs by taking the following steps:
- Review your current tags and cookies to align with current use cases. Tailor your data collection practices to your marketing objectives.
- Consider removing any unused data from your instance of Adobe Analytics.
- Understand your contracted Adobe Analytics data retention policy and contact your Adobe representative to ensure that your organization’s data retention period is set appropriately.
Data governance helps set the framework to define strategies, processes, policies, and technologies to manage data. We recommend being proactive when it comes to data governance. Among the many benefits, this approach will help facilitate Data Subjects’ access or delete requests, and your consumers will have a positive, differentiated experience with your brand.
Adobe recommends that you review your processes for managing your data by taking the following steps:
- As discussed above, define your identity resolution strategy and process.
- Understand what data you collect via Adobe Analytics and why, with whom you share it, for how long you keep it, and what security measures are used to protect the data. This may also be helpful for your records of processing activities.
- Adopt the data labeling tools offered in Adobe Analytics in order to operationalize your data governance practices and policies.
- If applicable to your use case (e.g., certain EU visitors), proactively engage with your Adobe representative to obfuscate the last octet of IP addresses or delete them completely after initial processing.
- Consider managing the lifecycle of e-marketing tags or web beacons with a tag management system, such as Launch by Adobe.
- Develop a process to review changes to your use of Adobe Analytics to help ensure that you remain compliant over time.