The General Data Protection Regulation (GDPR) is the European Union’s new privacy law that harmonizes and modernizes data protection requirements. While there are many new or enhanced requirements, the core underlying principles remain the same. The new rules have a broad definition of personal data and a wide reach, affecting any company that markets products and services to individuals in the EU. As your trusted data processor, we’re committed to compliance and to helping you on your GDPR compliance journey.
Many of Adobe’s data processor responsibilities are already being met by the product functionality available in Adobe Campaign today. We are taking this opportunity to add additional functionality to help facilitate your readiness for GDPR, where possible. Among the areas we are working on are enhanced capabilities to enable you to respond to individual (Data Subject) rights requests (data access, correction, and deletion requests). Ultimately, we are here to work with you and do our part in helping you, the data controller.
Your Customers’ Rights as Data Subjects
Adobe Campaign already provides capabilities to facilitate data access, correction, and deletion requests, but we are working on new functionality to simplify configuration needed for data controllers.
- Identify a process to receive/respond to Data Subject requests.
- Review the various customer data types stored in Adobe Campaign and determine unique identifiers (there will likely be more than one).
- Determine a validation/authentication policy and process for Data Subject identity confirmation.
- Consider the Data Subject response and make sure it is easy to understand.
Guidance on Obtaining Consent
Enabling our customers as data controllers to manage opt-in and opt-out preferences has always been a fundamental part of Adobe Campaign. Adobe Campaign comes standard with tools to help data controllers manage all aspects of opt-out management within the service — from opt-out flags in our standard data model to a prebuilt unsubscribe page hosted by Adobe Campaign to allow your consumers to opt out, if desired. While GDPR does not change when consent must be collected, it does change how consent must be collected. And email marketing best practices and local laws both still apply on top of new GDPR regulations.
- Inventory and update, as necessary, all touchpoints for email capture for compliance with GDPR (e.g., consider language, mechanism for consent, and consent logs).
- Ensure all marketing emails include unsubscribe links.
- Assess global strategy for email marketing to determine geo-specific implementations.
To address GDPR’s data minimization principle (i.e., limiting data collection to what is necessary for a particular purpose), take this opportunity to review your data collection practices.
- Review all data import and capture sources where data is flowing into Adobe Campaign, and document which fields are being used for your marketing efforts.
- Remove any unused data attributes from your Adobe Campaign database.
- Use data available in Adobe Campaign for the purpose for which it was captured and give your recipients better personalized experiences.
Adobe Campaign supports detailed user setup, specifying not only what data a user or groups of users can access, but also specifying what capabilities are granted to those users or groups to help ensure they are allowed only to perform their required business functions. For example, Adobe Campaign allows you to configure which users can send out a delivery or export data. Managing permissions appropriately will go a long way toward reducing risk.
- Review and update data access permissions to help ensure users of Adobe Campaign can fully leverage only the data needed to run their campaigns, but not access any data beyond this.