The General Data Protection Regulation (GDPR) is the European Union’s new privacy law that harmonizes and modernizes data protection requirements. While there are many new or enhanced requirements, the core underlying principles remain the same. The new rules have a broad definition of personal data, and they have a wide reach, affecting any company that markets products and services to individuals in the EU. As your trusted data processor, we’re committed to compliance and to helping you on your GDPR compliance journey.
Understand Your Data
In addition to the other steps we’re taking in our role as a data processor and as part of Adobe Experience Cloud, here are a few Audience Manager specifics.
Privacy by Design Heritage:
Privacy by design has been and continues to be a foundational pillar of Audience Manager’s product development process. With the new GDPR requirements, customers need tools to appropriately manage data and the associated restrictions.
Managing Data Sources
Audience Manager customers have full control over how and what data is ingested into the DMP. Per Adobe policy, data that would allow Adobe to directly identify an individual (such as, but not limited to, email addresses, first and last names, and phone numbers) is not permitted in Audience Manager. For data types that could fit into this category, customers are required to convert the data into hashed IDs prior to ingesting it into Audience Manager for segmentation and activation.
With GDPR in mind, we recommend working with your Adobe Consulting team member to understand which data sources and associated data types best fit your required use cases. Adobe offers various tools and privacy-enhancing technologies to support your needs (e.g., hashing, obfuscation).
Additional Areas of Consideration
Data Governance: Start thinking about how your consumer data is managed.
- Review the various IDs (including mobile IDs) your marketing teams use to identify users in Audience Manager along with the data sources in which they are stored. This will streamline the process for requests (like delete or access requests), since certain data types will be hashed by your teams prior to ingestion in Audience Manager.
- Determine a validation and authentication policy and process for Data Subject identity confirmation. This will be an important part of making sure you properly return data in response to a Data Subject’s request.
- Consider using Data Export Controls to block audience activation to technologies that house personal data. For example, segments with third-party data should not be syndicated to email service providers. Set a Data Export Control to help ensure that no one in your organization can accidentally activate this data.
- Begin utilizing Role-Based Access Controls to help ensure the right teams have access to intended data.
- Review identity linkage, privacy policies, and legal requirements to see when and where it is appropriate to tie identity sets together. Use these appropriately via Audience Manager’s Profile Merge Rules.
Organizational Readiness: Establish a business process.
- Identify a process to receive and respond to Data Subject requests. Consider building an automated tool to submit requests.
- Appoint a privacy point of contact within your DMP center of excellence. Connect your organization’s privacy point of contact with your Audience Manager product usage team to understand how you might manage your input ID requirements.
- Conduct a data review prior to providing the Data Subject access to their data. Document the steps you put in place to help you establish an audit trail for records of process requirements.