Remember Why the GDPR Exists: Consumers Need Friendly GDPR Functions

You already accept that complying with the GDPR delivers a better consumer experience, right? Loads of articles have told you that. But what about the experience consumers have of exercising their GDPR rights? Writing exclusively for ExchangeWire, Fiona Salmon (pictured below), UK MD, 1plusX issues a reminder that businesses responsible for managing data need to make it easy for consumers to understand their GDPR rights and allow them to make informed choices over the use of their personal data.

As an internal research exercise – which admittedly has limitations – one of my colleagues performed a competitor analysis of how nine market-leading data-management platforms are enabling consumers to exercise their GDPR rights.

On and after 25 May 2018, consumers were supposed to be given the following rights over the collection and processing of their data: Opt-In; Opt-out; Data Access (a right to see the data collected); Data Deletion; and Data Rectification (the right to change the data held by data processors).

However, none of the DMPs within the sample provided self-serve functions for all of those consumer rights. Most notably, none of them offer a self-service Data Rectification function. The right to rectification enables consumers to have inaccurate personal data rectified, or completed if it's incomplete. Arguably, the Data Rectification functions aren’t really relevant to most data-management platforms because 'rectification' under GDPR concerns mostly sensitive and personally identifiable data (name, email, home address, credit card numbers, healthcare records). DMPs often prefer to process anonymous profiles, as processing personal or sensitive data imposes far greater legal, ethical, security, and technical responsibilities. However, integrating customer relationship management data with a DMP offers many benefits to marketers and publishers – including achieving the single customer view. Granted, the law states that rectification can be requested in writing, and even orally. That means a consumer would just need to email or phone the DMP, brand, or publisher to correct or complete the data being held and processed. But self-serve functions would be the ideal. They empower consumers and make data management far more efficient for the business.

There are also various degrees of consumer friendliness in the exercise of other GDPR rights via DMPs. Right now, many DMPs make consumers go through different procedures to exercise their various GDPR rights. Some even contract-out certain responsibilities to third parties, such as the opt-out process, to YourOnlineChoices.eu. When consumers find it difficult or confusing to exercise their rights, they are more likely to complain to authorities. Complaints to data regulation authorities risk costs as well as corporate reputations. Dealing with complaints is also an avoidable administration burden placed upon data regulators. Best practice will surely be for DMPs to offer consumers a one-stop-shop to exercise all of their GDPR rights in one place.

Fiona Salmon, UK MD, 1plusX

If there is one GDPR right that deserves the most optimum consumer experience, it’s probably the Data Access function. When a user wants to access a full record of their data, it's often because they’re nervous about their data, for whatever reason. Even if they aren’t nervous, unless they can get fast, clear, and transparent access to their data, they’ll get nervous pretty damn quickly. Fast and full access to their data is both empowering and reassuring.

Unfortunately, consumers wanting to exercise their data access right are rarely met with an efficient process. Some DMPs operate an extremely laborious and inefficient process, which starts with requiring consumers to fill in a form that must then be sent to the DMP. Sure, the GDPR gives companies up to 30 days to fulfil Data Access requests – but such a slow process will cause consumers unnecessary anxiety.

What’s more, Data Access reports aren’t always presented in a consumer-friendly format and with enough detail to be meaningful. Just one DMP directly provides consumers with a downloadable spreadsheet file that includes a full time-series of their recorded interactions. The next-best consumer-friendly function delivers a JSON data structure. Assuming consumers understand the Java or C programming languages to access their data hardly smacks of a good consumer experience. What’s more, the JSON file only contains general information.

Other DMPs only display an on-screen report to consumers rather than a data table they can truly analyse. The on-screen reports lack meaningful detail, simply displaying the audience or subject interests that the DMP has attributed to the consumer.

Just one data-management platform (DMP) enables consumers to exercise their data access, opt-out, and data-deletion rights together with one single click. It’s an excellent function for consumers who have decided (at least for the time being) that they never want to have their data collected or processed by particular companies. That said, conflating GDPR functions is not always a good idea.

Eight of the DMPs in the sample conflate the exercise of the opt-out and data-deletion rights. This isn't just losing a business asset for the DMPs’ customers, it impacts the consumer experience. Unnecessarily deleting data following an opt-out doesn't help a consumer to manage their opt-out most effectively. They may just want to 'opt-down' rather than 'opt-out'. Opting-down includes pausing their profiling for a certain time period, reducing the frequency of communications from a brand, choosing to accept certain formats, channels, brands, or subjects of communication, or only wanting certain information about them to be collected and processed. So far, just one DMP saves brands' and publishers' data by recognising that, although data deletion also mandates opt-out, a consumer’s request to opt-out does not mandate data deletion.

Compliance with the GDPR is in its early days – and the data regulators are rightly giving all businesses some time to attend to their new responsibilities. However, businesses that specialise in managing data need to demonstrate best practice in GDPR compliance. They need to provide consumers with the full array of choices over their GDPR rights with easy-to-use consumer functions. That will be good for their customers as well as consumers.