Combining Consent Management and the DPO Controller Portal

Combining the DPO Controller Portal with Consent Management

The General Data Protection Regulation (GDPR) affects all organisations that do business within the European Union or process any kind of personal data belonging to European citizens. Complying with the GDPR rules should not be underestimated, as it takes a lot of time and effort from each department within an organisation. The complexity has to do with, among other things, the differences between the preferences, processes and permissions of all departments. But taking the next steps is necessary to prevent fines and – even more important – to preserve customers’ trust.

The marketing department
The risk for the marketing department concerns the complexity of the data they collect and that it might be used for purposes a user didn’t approve. The cookie request for overall marketing purposes that most companies use at the moment does not meet the requirements of the regulation. The GDPR provides a much-needed, updated definition of consent, defining it as: “Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” This means companies need to specify their purposes, and the marketing department can only use the collected data for those purposes.

The right of the users
Before an organisation can collect any kind of information about a visitor, it needs to ask for consent. And as the GDPR states, each individual has the right to change their preferred settings at any time. Organisations should support this by implementing privacy by design principles in their processes. One of the biggest concerns is that a lot of companies use Google Analytics (GA). GA gathers the data of users before they can decline anything, and the result is that a company is not compliant – before the regulatory authorities even check its other processes. With a solution such as our consent manager, individuals can change their preferred settings at any time. This way the user not only thinks they have control over their settings, they actually do. Every time an individual uses the consent manager, the settings change instantly.

The influence of the DPO
According to the GDPR, many companies are required to appoint a DPO and publish their name and contact details. The most important role of the DPO is managing the data streams that take place within the company and controlling the data agreements with third parties. When there is a need for a new connection between a data source (of any kind) and a destination, it needs to be requested from the DPO of the organisation. Firstly, the DPO checks the purpose and assesses whether this is legally permitted. After that, the DPO informs the requester whether the data stream is approved or not. The Datastream portal makes it possible for the DPO to control all the data streams that exist within a company and its trusted parties. It also gives the DPO insight into which data is collected, what settings the user chose and for what purposes the user gave opt-in.

The complexity of technology
Luckily Datastreams.io understands the complexity of technology and that it might be difficult for companies to make data streams between systems compliant, given the different roles of sources and destinations. Not only might the complexity of technology be a burden, but adapting all processes to the GDPR demands a lot of effort from the IT department. This is why Datastreams.io provides a GDPR compliant solution that only requires a Single Line Of Code, the SLOC. It is not designed to replace any kind of technology or tool an organisation currently has, but it is meant to provide the controller portal for the DPO and to provide secure, privacy by design transport between internal and external systems. Why not start today?

Collecting data on a collaboration data platform Datastreams

Data loves to speak, we just need to listen

We humans, by our very nature, are storytellers. The hundreds of myths and legends spread throughout history are a poignant indicator of the human drive to create and share stories. Stories have always been closely interwoven with data. Data provides the start for every story, the wellspring for tales both real and fictitious. From the moment we are born and commit our date of birth to the world, we leave behind trails of data in everything we do, until we finally close out our story with the date we die. An autobiography, in a way, written in the data we leave behind.

Data speaks to those willing to listen. “Where do you get your inspiration from?” is a common question put to writers and innovators of other types. The answer, often, is something we have all observed: an idea we’re all familiar with, an event we have all witnessed or a fact we all know. The question “Why didn’t I think of that?” often arises when we see innovations or hear stories. When the stories are told to us and we look at the data they are based on, it seems clear what the data had been telling us all along. Why, then, didn’t we hear it talk before? The answer is simple: we weren’t listening.

Companies have realized the potential in data for quite a while. As companies, we love collecting data from our customers, running analytics and crunching data until it churns out results. We know the percentages, the uptakes in sales, the averages. When we see data (and we see a lot of data) we are prone to asking ourselves: “What can we do with this data?” when we should be asking “What is this data telling me?”

Professor of Economics Robert Coase was right when he said: “If you torture the data long enough, it will confess.” Indeed, if we analyse the enormous amounts of data available, we will find the cold, analytic information we are looking for. But as with all information obtained through torture, the question is: how truthful is the story we are told? It is time we stop torturing our data and start listening to it, start looking at it through the eyes of an artist. Only then will we come to ideas that will make our competitors scratch their heads and think: “Why didn’t I think of that?”

CRO, GDPR and e-privacy regulations optimisation with a risk

CRO – Optimisation with a risk

In the world of marketing, CRO stands for ‘Conversion Ratio Optimisation’. A quick search on Wikipedia for the definition of CRO yields a different result. Here, the abbreviation CRO is also explained as standing for ‘Chief Risk Officer’. That same Wikipedia explains the main task of a CRO as: “To ensure that the organisation is in full compliance with applicable regulations and to analyse all risk related issues”.

Considering the impending GDPR and e-Privacy Regulation, each marketer looking to improve his conversion ratio should first look to that other CRO. Similarly, each CRO should pay a visit to the marketing department to see what happens there. Time for a short introduction for both.

What is CRO?
Conversion Ratio Optimisation is a generic term for a combination of processes and techniques that aim to optimise the conversion ratio. Often, improving the customer experience is named as the target for these processes, but eventually this improved CX is supposed to lead to a higher conversion ratio.

Coen Huijsmans, strategist at TamTam, gave a good explanation (Dutch) of what CRO entails and what it takes to get the best results. Google Analytics is hailed as ‘your best friend in CRO’.

On the contrary, for the CRO, Google Analytics is the biggest enemy. When you use Google Analytics, you share personal information with Google, and where personal information is used, consent needs to be obtained. When you just use Google Analytics for analytics and don’t collect Personally Identifying Information (PII), you can do this before asking consent, though you’ll still need to pay close attention to the settings in Google Analytics. However, Google Analytics is fairly easily integrated with marketing tools like Google DoubleClick and Google Optimize. As soon as you start doing this, Google Analytics may only be used after asking users’ consent. If you fail to obtain this consent and continue to measure using Google Analytics, you are in violation of the GDPR and risk being sanctioned.

GDPR and e-Privacy Regulations
By now, nearly everyone in our sector knows that the GDPR comes into effect in May 2018. At that same moment, the e-Privacy Regulation will also come into force. The e-Privacy Regulation might be accompanied by a two-year transitional period, but that is by no means guaranteed.

The e-Privacy Regulation complements the GDPR and mostly concerns the things a marketer seeks to do online. According to the GDPR, direct marketing is allowed without consent, but the e-Privacy Regulation clearly states that so-called ‘unsolicited marketing’ without consent isn’t allowed. A direct mailing by post is therefore allowed, but for a DM using e-mail you will need to ask consent first.

Sanctions
The sanctions for violating both laws are the same. They can be enforced per violation, so when you continue to violate one or both of the laws, you can encounter the same sanction again. When we talk about GDPR sanctions, fines may seem like the biggest threat. In relation to CRO, you could make a business case: how high is the fine and what does the optimisation bring us? However, in this case, don’t forget to take damage to your reputation into account in this business case. How many clients leave the company, and how difficult will it be to find (and bind) new clients, after you’ve been caught breaching regulations? This impact, of course, depends on what kind of business you are. A big dating site will suffer more reputational damage than a fairly small web shop.

Of course, we would never advise anyone to purposefully violate the law. If you are tempted to do so, any decent CRO will prevent you from giving in to this temptation! A good thing, because one of the most dangerous sanctions is rarely discussed, but will most definitely still be enforced: a ban on the collection and processing of personal information.

Let that sink in. A complete ban on processing personal information. What can you do if you are no longer allowed to process personal information? Does your company even have a ground for existing in that case, or would you need to close shop immediately?

CRO and GDPR
It is viable to optimise conversion ratios, improve customer experiences and (re)target your campaigns under the GDPR. A lot is still possible, but not without a concerted effort. Only after obtaining consent in a valid way are you allowed to use data for this purpose. Do you tell your customers in your consent pop-up that you use Google Analytics for analytics purposes? Then you’re not allowed to use the data for targeting and cannot link your Google Analytics to DoubleClick or Optimize. Did you tell your customers that you measure their behaviour to increase your conversion ratio, and have customers consented to this? Then nothing is stopping you from optimising your conversion ratio.

A final word: if you link your Google Analytics to Google Optimize, you are only allowed to use Google Analytics after a visitor has given consent for the tracking of his behaviour for marketing purposes. This is because when you send IDs from Google Analytics to Optimize, Google assumes that all IDs have already given their consent.
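The two points made above and in the consent manager post earlier on this page (tags must not run before the visitor has opted in, the visitor can change that choice at any time, and a tool linked to Optimize or DoubleClick needs the marketing purpose as well as the analytics purpose) can be expressed as a small purpose-based gate. The code below is an added illustration, not Datastreams.io’s consent manager or SLOC; the tag names, purpose names and the `onLoad`/`onUnload` callbacks are assumptions made for this example (a real page would inject or remove a script element there).

```javascript
// Added example (not Datastreams.io code): purpose-based gating of tracking tags.
// A tag only runs once every purpose it needs has been granted, and it is
// switched off again as soon as the visitor withdraws one of those purposes.

const PURPOSES = ["analytics", "marketing"]; // purposes offered in the consent dialog (assumed)

class ConsentManager {
  constructor(callbacks = {}) {
    this.granted = new Set();                      // purposes the visitor has opted in to
    this.tags = new Map();                         // tag name -> { purposes, loaded }
    this.onLoad = callbacks.onLoad || (() => {});  // hypothetical: inject the tag's script
    this.onUnload = callbacks.onUnload || (() => {}); // hypothetical: disable/remove it
    this.log = [];                                 // audit trail of every consent change
  }

  // Register a tag with the purposes it needs. Nothing runs until consent exists.
  registerTag(name, purposes) {
    for (const p of purposes) {
      if (!PURPOSES.includes(p)) throw new Error(`unknown purpose: ${p}`);
    }
    this.tags.set(name, { purposes: [...purposes], loaded: false });
    this.reconcile();
  }

  // The visitor changes preferences; this may happen at any time, and each
  // call only touches the purposes that are explicitly set to true or false.
  setConsent(choices) {
    for (const p of PURPOSES) {
      if (choices[p] === true) this.granted.add(p);
      else if (choices[p] === false) this.granted.delete(p);
    }
    this.log.push({ at: new Date().toISOString(), granted: [...this.granted] });
    this.reconcile();
  }

  // A tag is allowed only when ALL of its purposes are currently granted.
  isAllowed(name) {
    const tag = this.tags.get(name);
    return tag ? tag.purposes.every((p) => this.granted.has(p)) : false;
  }

  // Bring the loaded state of every tag in line with the current consent.
  reconcile() {
    for (const [name, tag] of this.tags) {
      const allowed = this.isAllowed(name);
      if (allowed && !tag.loaded) { tag.loaded = true; this.onLoad(name); }
      else if (!allowed && tag.loaded) { tag.loaded = false; this.onUnload(name); }
    }
  }

  loadedTags() {
    return [...this.tags].filter(([, t]) => t.loaded).map(([n]) => n).sort();
  }
}

// Walk through the scenario from the post: analytics-only GA versus GA linked
// to Optimize, with consent granted and later withdrawn.
function demo() {
  const events = [];
  const cm = new ConsentManager({
    onLoad: (n) => events.push(`load:${n}`),
    onUnload: (n) => events.push(`unload:${n}`),
  });
  cm.registerTag("ga-analytics-only", ["analytics"]);                 // assumed tag name
  cm.registerTag("ga-linked-to-optimize", ["analytics", "marketing"]); // assumed tag name

  cm.setConsent({ analytics: true });         // visitor accepts analytics only
  const afterAnalytics = cm.loadedTags();
  cm.setConsent({ marketing: true });         // later also accepts marketing
  const afterMarketing = cm.loadedTags();
  cm.setConsent({ marketing: false });        // then withdraws marketing again
  const afterWithdraw = cm.loadedTags();
  return { events, afterAnalytics, afterMarketing, afterWithdraw };
}

console.log(JSON.stringify(demo(), null, 2));
```

The design point is that consent is evaluated per purpose, not per cookie banner: the linked tag needs both purposes, so withdrawing marketing switches it off while the analytics-only tag keeps running, and the `log` array gives the DPO a record of what the visitor chose and when.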

Data dreams of: American Express, data-driven company

Data dreams of: American Express

It is sometimes said that everything starts with a dream. To help you kickstart your own dreams, we are sharing the dreams of some of our clients. Today we are looking at the dreams of American Express, who leveraged the power of visualized data to gain improved insights into their marketing campaigns.

From ambitious data-dreams
American Express dreams of a way to gain better insight into their key touchpoints within the approval process for credit card applications. This would allow Amex Acquisition teams around the world to improve their marketing campaigns at any time based on data that is up to date, trusted and easy to understand.

For their data-driven challenge

  • Collect data from master sources and configure them into new data models.
  • Speed up the collection, collation and reporting of data from different sources.
  • Configure data models and visualise them in an understandable manner.
  • Allow the end user to easily segment and filter data themselves.
  • Provide a high-level overview of campaign tracking data, allowing the detection of trends that require deeper analysis.
  • Be flexible and scalable across Amex in different countries.
  • Enable compliance with the impending GDPR demands.

To a data-driven solution
Datastreams.io teamed up with Adversitement to make the dreams of Amex come true. Datastreams.io provided the Data Stream Manager (DSM), which allowed Adversitement to collect data from different sources and build new data models. By connecting these data models to Tableau, Adversitement can create and maintain clear, insightful dashboards of clearly visualized, valuable and timely information.

For a data-driven future
With our solution being implemented in Amex companies in different countries, American Express can look forward to a future of easily accessible insights into key touchpoints with their clients. Amex acquisition teams no longer have to wait for reports put together by hand at the end of each month. Instead, they can rely on data that is batched on a near-daily basis, meaning that they can monitor and implement changes in campaigns based on reliable data at any time. Users can also enjoy insightful dashboards that allow broader and deeper segmentation than before. They can clearly understand channel and campaign data without spending hours building their own reports. Finally, Amex is ready for the privacy standards of the future, as our data governance layer makes worries about the GDPR a thing of the past.

Consent, transparency, security, protection of data, Datastreams

Dear Santa, we need to talk about the GDPR

Dear Santa Claus, it has come to our attention that you are among the biggest collectors of personal data in the world. By our calculations, you collect personal information on more than 30% of young children in families around the world. Information gathered concerns whether subjects have been ‘naughty’ or ‘nice’, the geographic location of the bedrooms of children, knowledge about wishes and dreams and most peculiarly: sleeping patterns.

We can only assume that this information has been gathered through extensive data-gathering operations, rumoured to be accomplished via a program termed ‘Elv3s’, distributed through the Rud01PF platform. With the GDPR fast approaching, we are concerned about whether your data collecting and processing activities are being conducted in a way that complies with the GDPR, which comes into effect May 25, 2018. Because at Datastreams.io we are big fans of your charitable behaviour, we would hate to see you fined up to 4% of your annual turnover. To avoid this, you might want to take a hard look at the following elements of your data processing:

• Consumer consent. While at Datastreams.io we know that you have nothing but good intentions, we also know that it is important to establish the lawfulness of your data processing activities. We believe that the lawful processing basis for your activities should be consent. We therefore advise you to look at your consent policies, which are no longer up to date. Under the GDPR you will also be required to ask consent from parents before gathering information on their children. We’ve already written a guide on GDPR consent that may be useful to you.

• Transparency and disclosure. We understand you are a very secretive person, but it’s time to disclose some of your secrets. Specifically, which data you collect and how this data is collected and stored. You have clearly attempted to disclose some of this behaviour in songs like ‘Santa Claus is coming to town’, but we believe this disclosure of information is not sufficiently written in a “concise, transparent, intelligible and easily accessible form, using clear and plain language” as the GDPR prescribes. Furthermore, data subjects will need to know where to contact you if they want personal data deleted or want to lodge a complaint. It’s time to reveal where on the North Pole your company is, exactly.

• Security and protection. Because you are, as far as we know, the only data processor working with the Elv3s software, we hope that you have taken possible privacy concerns into consideration when implementing your data solutions. Encrypting data and regularly testing your cybersecurity solutions will be integral to keep operating in a compliant way. Make sure you don’t forget to inform your data subjects in the event of a data breach. Because you regularly monitor data subjects on a large scale, you will also be required by law to appoint a Data Protection Officer. You can appoint one of your current employees as a DPO, or bring in help from outside. We’re sure many ‘little helpers’ will be happy to take on the role.

These are just a few concerns we have with your data processing policies, Mr. Claus. The Data Protection Officer you will hopefully appoint will likely point out more issues, such as the profiling of children as ‘naughty’ or ‘nice’ and the reliability of kept records. You might find your current data architecture incapable of dealing with GDPR demands, but no fear: our data stream manager & consent manager solutions will help you comply with GDPR demands in time, so you can work on getting us those presents we asked for…

Merry Christmas, Santa!

Control and protect data, collaboration data platform Datastreams

GDPR and data-driven collaboration

Many of us have heard about the EU General Data Protection Regulation (GDPR) and understand there are various obligations and requirements to comply with. If we don’t adhere to the GDPR, we are also aware there are big fines which will be levied by the data protection authorities. However, not everyone is actively involved as part of their day-to-day role in working out how to bring all this together before the deadline is reached on 25th May 2018. Business carries on as usual, deadlines and KPIs need to be met… but increasingly the question is asked “are we GDPR compliant?” For those of us that are involved with answering this, it seems that some form of collaboration is inevitable. There are very few organisations who can manage all of this themselves.

To deliver GDPR successfully, clients (data protection authorities, data controllers and data processors) and suppliers with relevant expertise in policy, people, platform and process need to work together. We’ve created a GDPR collaboration model of overlapping service and solution expertise from suppliers on the one side in order to meet obligations and requirements from clients on the other.

GDPR delivery for clients and suppliers, GDPR collaboration model

This is what we are seeing with our partners and their clients. At Datastreams.io we have expertise in GDPR ready, privacy by design software. In keeping with the “4 P” (Platform, Policy, People, Process) right-hand side of this model, we therefore deliver a technology “platform” for our partners. These partners are in the main data processors working on behalf of their clients, who in turn are data controllers. We empower data-driven collaboration by providing governed access to trusted data sources. Our Data Stream Manager (DSM) ensures instant, compliance-first data logistics for our partners and their clients. With the DSM they get the right data, in the right place, in the right format, at the right time.

Ok, so far so good, and in terms of data-driven logistics – this alongside our consent manager – is what we are predominantly brought in to deliver. However, we completely recognise that this by itself is not enough to do everything that is required under the GDPR. Other software platforms might be required for other requirements and/or client use cases, for example tokenisation and pseudonymisation. In order to do this, our DSM easily connects with experts in that domain, such as our partner Protegrity. We therefore openly work with other experts across this collaboration model to help our partners.

Taking this model further, it’s clear that if you want to achieve compliance across your organisation, you need to work collaboratively with experts in other areas as well. Do you have in-house people expertise in the form of a Data Protection Officer (DPO), or do you need to outsource one? Do you have consultants (in house, or externally) who can deliver the technical and business-related process expertise for effective data management and governance? What about the legal advice you need to understand how the GDPR applies to your organisation, your contracts, data processing agreements, policies and procedures etc.? Even the largest organisations aren’t always able to do all these things in house, and this naturally applies to SMEs as well. As a practical step, take a look at this next model, then think about these four areas within your organisation and plot the people, teams or partners you need to work with for each one.

Data processing, policies and procedures of Datastreams

You will soon see that achieving what needs to be done in terms of the GDPR at your organisation will require some degree of data-driven collaboration. This collaboration will need to be resourced, contractually agreed, then managed and operationalised so that all parties are clear on what they are doing to deliver, and do what is required in a GDPR compliant way. This collaboration needs to be robust enough not to fall foul of the data regulatory authorities and to satisfy the individual rights of each and every EU citizen whose data you might be collecting and/or processing. Don’t forget, this applies whether your organisation resides within the EU or outside of it, come May 25th 2018!

We are open to data-driven collaboration to help our partners and their clients meet their GDPR requirements and obligations…are you?

Collect, manage and stream data, data driven challenge with Datastreams

Data dreams of: Infinity

At Datastreams.io we love dreamers. To inspire you to dream a little bigger, we love to talk about the dreams of our partners and their clients. Today we share Infinity’s dreams, and how they became a reality.

From ambitious data dreams
Italian streaming provider Infinity dreamt of a way to enhance the online experiences of their customers by providing them with real-time, individualised information. Already having established strong foundations for customer engagement, Infinity was ready to dream a little bigger. Together with our partner Mapp Digital, we were happy to make Infinity’s dreams come true.

For their data-driven challenge
To improve their service for their customers, Infinity sought a solution that would allow them to gain insight into specific use cases such as successful and unsuccessful logins, promo code validations, payment information, and registration results. This information would allow them to provide their customers with an improved experience and to further excel in customer engagement. To achieve this result, our solution needed to:

  • Collect the right data rapidly from the right place.
  • Manage the data streams to ensure information ends up where it needs to be while ensuring safety and privacy along the way.
  • Stream the data from the infinity.tv website to the Mapp Digital Customer Engagement Platform.

To a data-driven solution
Datastreams.io provided the Data Stream Manager (DSM), which allowed data to be streamed quickly and safely to the Customer Engagement Platform provided and set up by Mapp Digital. This allowed Infinity to easily gain valuable insights about their use cases and use this information to communicate in real-time with customers to provide them with relevant, helpful information before the customer could even ask.

For a data-driven future
Infinity can now look forward to a future of enhanced customer insights based on reliable data. Our collaborative solution allows our partner Mapp Digital and their customer Infinity to locate roadblocks in customer journeys and improve customer care. The flexibility of our DSM means that Infinity can easily adjust the data that is captured as customers evolve. Finally, our built-in GDPR based data governance layer makes complying with this important EU-wide regulation a breeze.

With even more ambitious dreams
Customer centricity doesn’t have to clash with data analytics. On the contrary: we believe that data is the key towards better customer care. Infinity and Mapp Digital certainly dared to dream of meaningful customer connections through big data. Do you dare to dream too?

Ambitious data solutions for Vodafone in The Netherlands

Data dreams of: Vodafone the Netherlands

At Datastreams.io we love fulfilling dreams. To inspire you to dream a little bigger, we share the visions of some of our partners and their clients. Today we are happy to share the dreams of Vodafone Netherlands, and how we helped them come true.

From ambitious data dreams
Vodafone Netherlands (VF NL) dreamt of a way to combine their online and offline data on their journey towards true data-driven decision making. In order to do this, relevant information needed to be at the right place at the right time. Luckily, this is what we at Datastreams.io are good at.

For their data-driven challenge
VF NL sought a solution that would allow them to capture, store and utilise data across their channels. To accomplish this, a solution needed to:

  • Simplify the process of capturing the right clickstream data at the right time.
  • Create specific data models of clickstream behaviour from multiple websites.
  • Stream these models to the UDA environment for further analysis.

To a data-driven solution
Datastreams.io provided the Data Stream Manager (DSM) in partnership with Teradata. This enabled Teradata to collect data from multiple VF NL branded websites and integrate it into Vodafone’s Unified Data Architecture (UDA) environment. This way, VF NL can be sure the right data is at the right place, in the right format, at the right time. Any time, all the time.

For a data-driven future
VF NL can now look towards a future of extensive data discovery on rich, streamlined data sets. Our Data Stream Manager enables them to effectively use the right customer journey data and make powerful, data-driven decisions for improving ROI and customer engagement. All quick, safe and GDPR proof, of course. That’s the Datastreams.io promise.

With even more ambitious dreams
The world of data science never sits still. The VF NL digital team has already continued dreaming up future uses such as analysing downtime effects, multichannel relations and customer journey roadblocks. What’s your data dream?

Prevent your company, zombie data: rising from the Dead

Zombie data: rising from the dead

It’s Halloween, meaning that zombies, witches and ghosts will likely be running amok in your city today. Whilst moaning and shambling zombies out for brains might not scare you anymore, there’s still one type of zombie to be afraid of this Halloween: zombie data.

Zombie data is data that you consider dead in your company, but that still lurks around somewhere, waiting to be called to life again. If you own a computer, you probably have a few zombies inhabiting it right now, because deleting a file doesn’t immediately remove the file from a system (popsci.com). The data can remain in the system for a while, even after you clear your bin. Clever Frankensteins can use programs to raise it again. Similarly, businesses may have data zombies lurking in their systems or online. Whether caused by data silos that retain data that should have been deleted, data that has been passed to third parties, data traces left on hardware, or data stored in the cloud (which may be particularly good at producing zombie data), data that has not been fully deleted can come back to haunt your company when it (accidentally, or with malicious purposes) gets raised from the dead.

With the General Data Protection Regulation coming into effect in May 2018, ensuring the data you collect can be killed forever is important. The GDPR includes the right to be forgotten, meaning you need to be able to effectively delete personal data of your subjects (and all copies of that data) and ensure it stays dead. If data is not truly deleted when it should be, companies are in danger of being fined for non-compliance. Even worse: if a clever hacker manages to bring the dead data back to life, what follows might be a proper zombie data apocalypse.

Knowing where your data is stored, who it is sent to (inside and outside your company), how third parties manage data, where copies and backups are stored and what happens when data is deleted is crucial for ensuring data you delete is truly dead and gone, forever. At Datastreams.io we are happy to play our part in preventing the zombies from taking over your system and ensuring that the only zombies you will have to deal with this year are the ones trick-or-treating down your street. Happy Halloween!

Consent, explicit vs. unambiguous, the difference Datastreams Blog!

Explicit vs. unambiguous consent: what’s the difference?

Consent is as crucial as it is complicated. As one of the legal grounds for data processing, asking for consent is often an important part of personal data collection. While the GDPR clarifies a lot of the confusion and vagueness about the meaning of consent, there is still some confusion over one thing: explicit consent. The GDPR defines consent as:
“Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

Delving deeper, according to various sections within the GDPR, there are two types of consent: unambiguous consent (Article 4) and explicit consent (Article 9.1). If the data is ordinary, non-sensitive personal data, “unambiguous” consent suffices. However, “explicit” consent is required if the data in question is sensitive data (data concerning physical or mental health, racial or ethnic origin, etc.). So, what exactly is the difference?

Explicit versus Unambiguous consent
The difference between “unambiguous consent” and “explicit consent” is not immediately a clear one. Since consent must always be informed, specific and communicated through affirmative action, it seems that any type of consent will require a data subject to be fully aware of what they are agreeing to and clearly indicate their agreement with this. Isn’t all consent that is unambiguous and informed automatically explicit? Not necessarily.

Explicit consent
Let’s start with explicit consent. Explicit consent requires a subject to clearly and explicitly agree to their personal and (crucially) sensitive data being processed.

Under GDPR Article 9, explicit consent is required for the processing of certain “special” types of personal data. Examples include racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

Explicit consent must be obtained through a statement that should: “specify the nature of data that’s being collected, the details of the automated decision and its effects, or the details of the data to be transferred and the risks of the transfer”. (Directive 95/46/EC, Article 29).

Explicit consent, then, consists of nothing less than presenting the data subject with an explicit statement regarding the specific personal data to be collected and an explicit action by the subject agreeing with this statement (such as ticking a box saying ‘I agree’). Simply stated: the data subject should quite literally and explicitly say “I consent” for consent to be considered explicit.

Unambiguous (implied) consent
Consent for regular, non-sensitive personal data doesn’t necessarily need to be explicit, but it does need to be unambiguous. We can call this unambiguous, implied consent. Unambiguous, implied consent is best explained through an example.

Say a person wants to enter an online competition. They enter several optional pieces of information, including their email address. Above the field it is stated that ‘we will use your email to keep you up to date on special offers’. By entering their email address after reading the notice, the subject consents to giving their information (that is, their email address) without ever explicitly stating ‘I consent’ or ‘I agree’. The affirmative action of entering their email is enough to constitute unambiguous consent, even though it is implicit and not said ‘out loud’.
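The distinction drawn in this post (affirmative action is enough for ordinary data, an explicit statement is needed for the Article 9 special categories), together with the purpose limitation from the consent manager post at the top of this page (data may only be used for the purpose the subject was told about), can be turned into a check a site runs before it processes anything. The code below is an added example, not Datastreams.io’s code; the record fields, the `evidence` values and the category names are assumptions made for this illustration, and the competition-entry record is constructed to match the scenario above.

```javascript
// Added example (not Datastreams.io code): validating a stored consent record
// against the GDPR definition of consent and the Article 9 explicit-consent rule.
// Field names and category identifiers are assumptions for this illustration.

// Article 9 special categories, for which explicit consent is required.
const SPECIAL_CATEGORIES = new Set([
  "racial_or_ethnic_origin", "political_opinions", "religious_or_philosophical_beliefs",
  "trade_union_membership", "genetic_data", "biometric_identification",
  "health", "sex_life_or_sexual_orientation",
]);

// evidence: "explicit_statement" -> the subject ticked/said "I agree" beside a
//           statement naming the data; "affirmative_action" -> the subject did
//           something clearly affirmative, e.g. typed an email under a notice.
function validateConsent(record) {
  const problems = [];
  if (!record.freelyGiven) problems.push("not freely given");
  if (!Array.isArray(record.purposes) || record.purposes.length === 0) {
    problems.push("not specific: no purpose stated");
  }
  if (!record.informed) problems.push("not informed: notice not shown before the action");
  if (!["explicit_statement", "affirmative_action"].includes(record.evidence)) {
    problems.push("ambiguous: no statement or clear affirmative action");
  }
  const special = record.categories.filter((c) => SPECIAL_CATEGORIES.has(c));
  if (special.length > 0 && record.evidence !== "explicit_statement") {
    problems.push(`explicit consent required for: ${special.join(", ")}`);
  }
  return {
    valid: problems.length === 0,
    level: special.length > 0 ? "explicit" : "unambiguous", // the level the data demands
    problems,
  };
}

// Purpose limitation: a valid record only covers the category/purpose pairs it names.
function canProcess(record, category, purpose) {
  return validateConsent(record).valid
    && record.categories.includes(category)
    && record.purposes.includes(purpose);
}

// Constructed sample records (not real data).
const competitionEntry = {         // the scenario from the post
  freelyGiven: true, informed: true, evidence: "affirmative_action",
  categories: ["email"], purposes: ["special_offers"],
};
const healthByAction = {           // sensitive data, but only implied consent
  freelyGiven: true, informed: true, evidence: "affirmative_action",
  categories: ["health"], purposes: ["care_recommendations"],
};
const healthExplicit = {           // sensitive data with an explicit statement
  freelyGiven: true, informed: true, evidence: "explicit_statement",
  categories: ["health"], purposes: ["care_recommendations"],
};

function demo() {
  return {
    competition: validateConsent(competitionEntry),
    healthImplied: validateConsent(healthByAction),
    healthExplicit: validateConsent(healthExplicit),
    emailForOffers: canProcess(competitionEntry, "email", "special_offers"),
    emailForTargeting: canProcess(competitionEntry, "email", "targeting"),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Two things the output makes visible: the same affirmative action that is perfectly valid for an email address fails as soon as a health category is involved, and even a valid record does not license a purpose (targeting) the subject was never told about.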