Why You Need a Privacy Specialist
Jun 7, 2017 | By Subscription Insider
Doug Smith, SVP, Customer Success, Vindicia
A third-party specialist ensures that you’re in compliance with the world’s rapidly evolving data privacy regulations, so you can focus on your business.
Data privacy is once again in the headlines. In the U.S., the House and Senate recently overturned Obama-era protections that placed limits on what internet service providers can do with their customers’ personal information, such as browsing habits, app usage history, location data, etc. Going forward, Internet service providers will have the green light to sell information about their customers’ browsing history without obtaining explicit user consent.
The EU General Data Protection Regulation (GDPR)
The European Union is moving in the opposite direction. The new General Data Protection Regulation (GDPR), set to become law across the EU in May 2018, is the most significant overhaul of EU data protection regulations in recent years and will replace all current data protection regulations.
Of course, these new EU privacy rules will impact the way that all organizations—not just those in the EU—handle data. Any company dealing with data relating to EU citizens will be required to comply because the GDPR covers not only businesses operating in the EU but also those outside the EU that offer goods and services to people in the EU. This data may include names, photos, email addresses, banking details, posts on social networks, medical information or a computer’s IP address.
The GDPR applies to companies in two broad categories: “controllers” and “processors.” Controllers are companies, such as merchants, that collect personal data like credit card information and make decisions on what will be done with that data. Processors are companies that act on the behalf of controllers, storing and cataloging that data. Both groups are covered by the new European regulations.
The Right to Be Forgotten
A vital aspect of the new EU data privacy rules is the right to “erasure.” It expands the so-called “right to be forgotten” recognized by the European Court of Justice in 2014. Under the GDPR, controllers must erase personal data “without undue delay” if the data is no longer needed or if the data subject objects to the processing.
The new privacy law requires all companies to reexamine how they hold and manage data. This is especially important in the subscription economy. If you have a subscriber in France who terminates her subscription, you have certain obligations related to what you can do with that customer’s data now that she is no longer your client.
This is very different from the way that subscription companies operated in the past. Before, you could create a new record for every customer who signed up and retain that record in perpetuity. But with the GDPR’s right to erasure, you must now purge your customer records without delay.
This is a problem for subscription businesses. Subscription businesses thrive on data. We track everything about customer habits—the affiliate who referred them, the Google AdWords they clicked on, what offer they buy, how long they stayed on the service, whether they encountered any payment problems, how they used the service, when they left, and even the reasons they left the service. All of this data is extremely valuable to help tune a subscription business, so merchants tend to gather and collect as much data as possible.
But if you’re required to purge this customer’s record, you lose all that data—data which can provide critical businesses insights. For instance, you lose the ability to measure the effectiveness of one particular marketing channel over another.
That’s a problem. When a customer leaves and you delete his personally identifiable information (PII) wholesale, you lose all clarity. You lose the ability to drill deep into the data and discover, for example, that this particular acquisition channel delivers an average customer lifetime of 19 months and an average spend of $315.
Anonymizing Customer Data
There is a way to retain some of your customer data—and the insights that it holds. You must anonymize the data so that it can never be traced back to a particular individual. To accomplish this, however, you have to overhaul your entire infrastructure so that you have the ability to retain a subscriber’s data while not retaining the subscriber’s PII.
This is not easy. To anonymize customer data and derive value from it while still complying with the new EU rules requires a highly complex solution. What information do you strip out? What data do you transform so it can’t be tied back to specific individuals? What customer data will you need in order to make critical marketing decisions a month or a year from now?
Maybe that’s an engineering project you can do in-house. But is it something you want to do? Do you want to divert engineering resources to solve the EU’s data privacy rules? Or do you want your engineers to focus on improving and enhancing your core product? This is a challenging business question.
Even more challenging—the data privacy landscape is continuing to shift with the shifting geopolitical climate. EU member states are evaluating additional rules to further protect their citizens. For example, Germany is considering a rule that would require all data connected to German customers to reside on serves physically located in Germany.
Given the ever-shifting data privacy landscape, you must ask yourself some bottom-line questions. Do you really want to dedicate a large percentage of your engineering capacity simply to stay in compliance with all the new privacy rules? Or do you want to outsource that function and focus on what really makes your company successful?
If your business is selling software online or operating a dating site, you probably don’t want to spend all your engineering effort optimizing your data privacy compliance. It comes down to this: Do you want to build new features on your platform to attract new customers or would you rather spend your time knee-deep in data privacy rules?
There is a growing number of third-party processors that specialize in handling PII and data privacy. The advantage of outsourcing to a third-party processor is that you don’t devote your internal resources to keeping up with the ever-changing state of regulations. Instead, more and more companies are choosing a third-party partner that does the job of staying current and compliant with the wide array data privacy rules around the world.
All subscriptions businesses are global, no matter where they may be located. This means that it’s critically important to comply with global requirements from the get-go. It’s critical because governments expect it. And it’s critical because your customers expect it.
It’s in your company’s best interest to stay compliant with global privacy directives because it sends a strong message to customers that you respect their privacy and you will handle their data in a legal and respectful fashion. I believe brands that take data privacy seriously will perform better in the long run. And a third-party processor can help your business reap the benefits of data while shielding you from privacy pitfalls.