GDPR and Your Experience Business.

GDPR is a great opportunity to further focus on customer experience.

GDPR and your Experience Business.
On May 25, 2018, the European Union’s General Data Protection Regulation (GDPR) will go into effect. We believe this presents a new opportunity for marketers to strengthen their brand loyalty by focusing on consumer privacy while delivering amazing experiences. Think of it as experiential privacy — having privacy be a key part of the customer experience, through relevant privacy notices presented in context and choices that are on brand.
Alisa Bergman, Chief Privacy Officer, Adobe


“Adobe is leading the charge in helping brands transform into experience businesses, and GDPR presents the perfect opportunity for brands to lean in to customer centricity, build trust through transparency, and improve the customer experience with privacy in mind.”
Alisa Bergman
Chief privacy officer, Adobe


What is GDPR and how does it affect brands and marketers?


GDPR is the European Union’s new privacy law that harmonizes and modernizes data protection requirements. While there are many new or enhanced requirements, the core underlying principles remain the same. The new rules have a broad definition of personal data and a wide reach, affecting any company that markets products and services to individuals in the EU. As your trusted data processor, we’re committed to compliance and to helping you on your GDPR compliance journey.
What is Adobe doing toward GDPR readiness?
Adobe either already meets or is implementing our obligations as a data processor. We have a strong foundation of certified security and privacy controls by design and will continue to make product enhancements in advance of the May 2018 deadline. Enterprise customers will have the responsibility to implement these enhancements, as well as update any necessary policies and procedures.
A strong foundation of security and privacy compliance
A strong foundation of security and privacy compliance
We’ve implemented a set of certified security processes and controls to help protect the data entrusted to us through the Adobe Common Controls Framework. This helps us comply with several security and privacy certifications, standards, and regulations, including SOC-2, ISO 27001, and the EU-U.S. Privacy Shield.
Privacy by design
Privacy by design
Our mission is to help you responsibly unlock the power of data. Adobe has a long-standing practice of incorporating a proactive product development effort, also known as “privacy by design.”  For example, Adobe Analytics, Adobe Audience Manager, and Adobe Target all have the ability to obfuscate IP addresses and allow individual-level opt-outs. Audience Manager also has rules-based access controls and patent-pending data export controls.  
Data transfer
Data transfer
We’ve certified to the EU-U.S. and Swiss-U.S. Privacy Shield frameworks for customer-related data. This provides our customers with the option of relying on these frameworks or entering into Standard Contractual Clauses (also known as EU Model Clauses) for the transfer of data from the EU to the U.S. You can find more information on this in our Privacy Center, along with information on how to request Standard Contractual Clauses.
Contract terms
Contract terms
We’ve updated Adobe’s Data Processing Agreement to account for GDPR requirements.
Records of processing
Records of processing
We’re working to more formally document the privacy practices we have in place to comply with the enhanced record keeping requirements.
Data protection officer
Data protection team
We currently have a chief privacy officer, an Irish data protection officer, and a dedicated privacy team, and will continue to evaluate whether we need to take any additional steps in light of the new requirements.
Product & process innovation
Product and process innovation
We are constantly listening to our customers and looking for ways to simplify and further automate our product and service offerings to better support their GDPR needs.
GDPR readiness: A shared responsibility.
GDPR is a shared compliance journey, with the regulation setting out the obligations for the various parties. The example below from Adobe Experience Cloud sets out the roles for brands or “data controllers,” technology providers or “data processors,” and the places where the processor may need to help or partner with the controller either through tools, processes, or documentation to help the controller.
GDPR workflow
GDPR workflow
Your customers’ rights as data subjects.
Your customers’ rights as data subjects.
A key part of GDPR is letting individuals choose what happens to their personal data. Individuals can ask companies to:
• Access and correct errors
• Delete personal data
• Object to its processing
• Export it
Your role as a data controller.
As the data controller, you will determine the personal data we process and store on your behalf. If you use Adobe cloud solutions, we may process personal data for you depending on the products and solutions you use and the information you choose to send to your Adobe account or service. As a controller, you will provide privacy notices to individuals who engage with your brands detailing how you collect and use information, and obtain consents, if needed. If those individuals want to know what data you maintain about them or decide they want to discontinue their relationship with you, you will respond to those requests.
Your role as a data controller.
Our role as a data processor.
Our role as a data processor.
When we provide software and services to an enterprise, we’re acting as a data processor for the personal data you ask us to process and store as part of providing the services to you. As a data processor, we only process personal data in accordance with your company’s permission and instructions — for example, as set out in your agreement with us. Where your data is in one of Adobe’s cloud solutions and you need our assistance with any individual consumer requests, we will partner with you through processes, products, services, and tools to help you respond.  
It’s time for a marketing assessment.
GDPR puts increased emphasis on data collection best practices, data controller transparency, and consumer choice — all of which play a meaningful role in the customer experience. With an eye toward customer experience, you may want to think about how the following GDPR principles affect your marketing efforts.
Reduce unnecessary data collection
Take stock of the data you’re collecting. Gather only the data you need to be effective.
Obtain appropriate consent
When will consent be required and what form will it take? How will you provide delightful customer experiences with consent and without unwanted surprises? Consider the value proposition for consumer privacy, which can help drive conversion and loyalty.
Provide the required notice for data collection
Review and update your current privacy notices, policies, and any information provided at data collection points.
Remove unique identifiers
Consider when to make some data anonymous or pseudonymous (by replacing obviously personal details with another unique identifier, typically generated through hashing, encryption, or tokens) to help minimize compliance obligations and the risk of data and privacy breaches and claims.
Fulfill data access and delete requests
Understand how your customer will reach out to you to make data access or delete requests. Know how to define internal data retention and deletion policies and procedures.
Get started.
Here are five steps you can take to help prepare for GDPR readiness.
Inventory your digital properties
Inventory your digital properties, including mobile apps and websites, to assess which cookies, tags, or other data are necessary.
Map your customer journey
Map your customer journey and tell your privacy story through meaningful notices and choices.
Develop a consent management
Develop a consent management strategy with an eye toward customer experience.
Authenticate user identity
Think about how you will authenticate user identity to address data subject access requests.
Capitalize on existing processes
Identify or capitalize on existing processes to help respond to data subject access requests, including appointing a privacy point of contact.
Take the long view on privacy.
Think and design today with tomorrow’s privacy in mind. While GDPR will soon go into effect in Europe, GDPR-inspired privacy regulations are already cascading into other regions and countries. Putting in the work necessary to comply with GDPR will position you well for future privacy compliance efforts in Asia and other parts of the world.
Make experience your business.
Adobe Experience Cloud gives you access to an integrated set of solutions to build campaigns, manage your advertising, and gain deep intelligence about your business.
Adobe Audience Manager
Adobe Analytics
Adobe Campaign