Data Enrichment Part V: GDPR Compliance
This is part 5 of our blog series on data enrichment. Feel free to catch up if you missed the first four posts: Introducing the Data Enrichment 101 Series, Determining the Processes the Data Will Support, Determining Your Target Market, and Selecting Data Vendors. In this post, we’ll focus on data enrichment GDPR compliance.
If you’re not yet aware of the General Data Protection Regulation (GDPR) from the European Union that’s going into effect May 25, 2018 and the impact that it will have on your marketing operations, you need to be. The impact of GDPR is wide and severe. Don’t underestimate it. It will take you 6 to 12 months to get ready for it, so don’t procrastinate either. The clock is already ticking. Learn more about GDPR now.
If you have European Union citizen data in your marketing and sales database, you’re subject to GDPR compliance, and GDPR can severely limit your choice of data enrichment providers. In the GDPR terminology, any data provider you use is a “Data Processor”. In order to send any EU citizen data to any Data Provider for any purpose, including enrichment, you must have a Data Processing Agreement (DPA) signed with the vendor. Here’s an example from Salesforce: https://www.salesforce.com/assets/pdf/misc/data-processing-addendum.pdf
It is worth clarifying that GDPR doesn’t apply only to EU companies; it applies to any company worldwide that holds EU citizen data.
A compliant DPA must contain the EU’s Model Contract, which requires the Data Processor to follow a set of standard security and privacy protocols. What it boils down to is that you can’t send any EU citizen data to any partner or vendor unless you have a compliant DPA in place, and not all data providers will sign a DPA. So if you have a non-trivial amount of EU data and you’d like to include it in your enrichment and prospecting efforts, you must pick a data provider that’s willing to sign a DPA.
It’s also worth clarifying what constitutes a transfer of data to the data provider. It includes all these consumption channels:
- Sending a spreadsheet or flat file to a data provider for bulk match.
- Getting per-record enrichment using any vendor-provided plug-in for your sales automation or marketing automation platform. Any “inquiry” that requires sending any personal information to the vendor for matching purposes, including any API call, is a data transfer event. This includes any “smart form” technology that does dynamic lookup as the prospect fills out a form.
Remember that we discussed how many data providers source data from other third-party providers? GDPR mandates that the entire data supply chain be secured and compliant. Once a DPA is signed with a Data Processor, part of the liability is further passed down the supply chain. In other words, if any of the data providers is not GDPR compliant and is not willing to sign a DPA, then the data provider who is looking to source data from them also cannot be GDPR compliant. This domino effect within an industry that has complicated sourcing relationships can make GDPR compliance extremely challenging.
Yes, it’s bad and painful, but it’s the new reality of marketing data management.