This is part 5 of our blog series on data enrichment. Feel free to catch up if you missed the first four posts: Introducing the Data Enrichment 101 Series, Determining the Processes the Data Will Support, Determining Your Target Market, and Selecting Data Vendors. In this post, we’ll focus on GDPR compliance in data enrichment.

If you’re not yet aware of the European Union’s General Data Protection Regulation (GDPR), which goes into effect May 25, 2018, and the impact it will have on your marketing operations, you need to be. The impact of GDPR is wide and severe; don’t underestimate it. It will take you 6 to 12 months to get ready for it, so don’t procrastinate either. The clock is already ticking. Learn more about GDPR now.

If you have personal data of people in the European Union in your marketing and sales database, you’re subject to GDPR compliance, and GDPR can severely limit your choice of data enrichment providers. In GDPR terminology, you are the “Data Controller” and any data provider that handles that data on your behalf is a “Data Processor”. In order to send any EU personal data to any data provider for any purpose, including enrichment, you must have a Data Processing Agreement (DPA) signed with the vendor (GDPR Article 28 requires it). Here’s an example from Salesforce: https://www.salesforce.com/assets/pdf/misc/data-processing-addendum.pdf

It is worth clarifying that GDPR doesn’t just apply to EU companies; it applies to any company worldwide that holds personal data of people in the EU, regardless of their citizenship.

A compliant DPA must contain the processing terms GDPR requires of a Data Processor (a defined purpose, confidentiality, security measures, breach notification, deletion or return of the data, and so on). When the processor sits outside the EU/EEA, as most U.S. vendors do, the DPA must also carry an approved transfer mechanism, typically the EU’s Model Contract Clauses, which bind the processor to a standard set of security and privacy obligations. What it boils down to is that you can’t send any EU personal data to any partner or vendor unless you have a compliant DPA in place, and not all data providers will sign a DPA. So if you have a non-trivial amount of EU data and you’d like to include it in your enrichment and prospecting effort, you must pick a data provider that’s willing to sign a DPA.

It’s also worth clarifying what constitutes a transfer of data to the data provider. It includes all of these consumption channels:

  • Sending a spreadsheet or flat file to a data provider for a bulk match.
  • Getting per-record enrichment through any vendor-provided plug-in for your sales automation or marketing automation platform. Any “inquiry” that sends personal information to the vendor for matching purposes, including any API call, is a data transfer event. This includes any “smart form” technology that does a dynamic lookup as the prospect fills out a form: the email address or name typed into the form is sent to the vendor before the prospect has even submitted it.

Remember that we discussed how many data providers source data from other third-party providers? GDPR requires the entire data supply chain to be secured and compliant. Once a DPA is signed with a Data Processor, the processor may only engage a sub-processor with your authorization and must flow the same obligations down to it, so part of the liability passes down the supply chain. In other words, if any upstream data provider is not GDPR compliant and is not willing to sign a DPA, then the data provider sourcing data from it cannot be GDPR compliant either. This domino effect, in an industry with complicated sourcing relationships, can make GDPR compliance extremely challenging. When you evaluate a vendor, ask for its list of sub-processors and confirm each one is covered by a DPA; if the vendor can’t produce that list, you can’t verify the chain.
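The two points above (send EU personal data only to a vendor with a signed DPA, and treat the vendor’s entire sourcing chain as part of that check) are easy to state and easy to get wrong once a vendor’s sub-processors have sub-processors of their own. The script below is an added example written for this post, not code from any vendor or platform. It assumes you keep a simple inventory of vendors with their DPA status and their upstream sources, that each record carries an ISO 3166-1 country code as a rough proxy for “data subject in the EU”, and that an upstream source you cannot identify is treated as a blocker rather than given the benefit of the doubt. All vendor names and records are constructed sample data.

```python
from dataclasses import dataclass, field

# EU member states as ISO 3166-1 alpha-2 codes, as of 2018 (GB included).
# Assumption: a country code is used as a proxy for "data subject in the EU";
# maintain this list from an authoritative source in a real deployment.
EU_COUNTRIES = frozenset(
    "AT BE BG HR CY CZ DK EE FI FR DE GR HU IE IT LV LT LU MT NL "
    "PL PT RO SK SI ES SE GB".split()
)


@dataclass
class Vendor:
    """One entry in the vendor inventory (constructed for this example)."""
    name: str
    dpa_signed: bool
    sources: list = field(default_factory=list)  # names of upstream providers


def supply_chain_blockers(vendors: dict, root: str) -> set:
    """Walk the sourcing graph from `root` and return every provider in it that
    cannot lawfully receive EU personal data: no signed DPA, or an upstream
    source that is not in the inventory at all (unverifiable). Cyclic sourcing
    relationships are tolerated by tracking visited names."""
    blockers, seen, stack = set(), set(), [root]
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        vendor = vendors.get(name)
        if vendor is None:
            blockers.add(name)      # unknown sub-processor: cannot verify a DPA
            continue
        if not vendor.dpa_signed:
            blockers.add(name)      # keep walking so every blocker is reported
        stack.extend(vendor.sources)
    return blockers


def gate_records(records: list, vendors: dict, vendor_name: str):
    """Split records into those that may be sent to `vendor_name` for enrichment
    and those that must be held back. Non-EU records pass through; EU records
    pass only when the whole sourcing chain behind the vendor is DPA-covered."""
    blockers = supply_chain_blockers(vendors, vendor_name)
    to_send, held = [], []
    for rec in records:
        if rec["country"] in EU_COUNTRIES and blockers:
            reason = "EU record; no DPA from: " + ", ".join(sorted(blockers))
            held.append((rec["email"], reason))
        else:
            to_send.append(rec)
    return to_send, held


# Constructed sample inventory: AcmeEnrich has signed a DPA, but it sources from
# ListBroker (no DPA, and it sources back from AcmeEnrich, a cycle) and from
# FirmoData, which in turn relies on a source nobody has identified.
VENDORS = {
    "AcmeEnrich": Vendor("AcmeEnrich", dpa_signed=True, sources=["ListBroker", "FirmoData"]),
    "ListBroker": Vendor("ListBroker", dpa_signed=False, sources=["AcmeEnrich"]),
    "FirmoData": Vendor("FirmoData", dpa_signed=True, sources=["Unknown Co"]),
    "CleanData": Vendor("CleanData", dpa_signed=True, sources=[]),
}

# Constructed sample records.
RECORDS = [
    {"email": "anna@example.de", "country": "DE"},
    {"email": "bob@example.com", "country": "US"},
]

if __name__ == "__main__":
    for vendor_name in ("AcmeEnrich", "CleanData"):
        to_send, held = gate_records(RECORDS, VENDORS, vendor_name)
        print(vendor_name, "send:", [r["email"] for r in to_send], "held:", held)
```

Run against the sample inventory, the EU record is held back from AcmeEnrich with both ListBroker and the unidentified source named as the reason, while the U.S. record goes through, and both records go to CleanData. The useful property is that a vendor’s own signed DPA is not enough to clear it; a single unsigned or unknown link anywhere upstream blocks the transfer.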

Yes, it’s bad and painful, but it’s the new reality of marketing data management.

Comments (1)

Ed King

Grant Trotter

Feb 05, 2018 at 2:26 PM

Great points on GDPR. I don’t think any of us truly know the long-term ramifications and impact of this massive piece of legislation, yet I would argue that regardless of what plays out, it’s a watershed moment for privacy, one that is probably long overdue. While I can’t really speak to the level of understanding for GDPR with regards to EU controllers and processors, it’s unfortunately surprising to witness the complete lack of knowledge and understanding of the GDPR for U.S. based processors and controllers.

Will be interesting to see what happens post-May 2018 in the U.S. with enforcement. One of the biggest challenges for GDPR compliance for U.S. companies is trying to dig through the almost endless blogs, white papers, and other technical writings on this topic. Everyone has their own expert advice, and the vast majority of content is great and well-written; it’s just that it is overwhelming in terms of volume of content.

Regardless, I think the biggest advice I can take – and give – regarding GDPR compliance for U.S. businesses is the need for documentation. Specifically, I.T., privacy, consent, and other operational policies, procedures, and processes. Documentation is without question necessary for GDPR. Good luck everyone.
