GDPR Compliance with Treasure Data

Customer trust is something to treasure

Treasure Data has always protected the data we store for our customers to establish a foundation for data privacy. And, in light of the General Data Protection Regulation (GDPR), and our own privacy program, we wanted to present our best knowledge of the law and how our enterprise Customer Data Platform (CDP) assists in your ongoing compliance. Below we’re presenting our interpretations of the regulation for your marketing organization and our key related product capabilities.

The GDPR Overview

The General Data Protection Regulation (GDPR) is enforceable as of May 25th, 2018. The law was adopted by the European Union in April of 2016 and provisions a set of privacy rights for all EU citizens. It applies broadly to all EU citizens in 28 member countries and protects their rights to be informed about and control the use of their personal data. They have rights to correct and delete any personal information that is collected, processed and used by any individual, company and government agency–no matter where it’s gathered and no matter where the information resides. For marketers, this presents a challenge, but one that can turn into an opportunity with sound legal advice, strong compliance processes and help from your customer data platform (CDP).

Find out more about your customers’ rights.

See Rights of “Data Subjects”

Our view on the GDPR – it’s about trust. Period.

Customer trust is the ultimate outcome of value. When customers come to love your products and services, they reward you with not only more of their wallet, but more of their time. They advocate for your brand, shun your competitors, engage directly with you and expect that you continue to deliver even better products and services. These are the customers you want to cultivate and keep, and that demands transparency and respect for their data. When you think of the GDPR, don’t just focus on the intricacies of compliance. Imagine the possibilities of earning a customer’s trust. Think about the GDPR as a chance to turn that trust into your long-term advantage and stay competitive.

How Treasure Data can help

As you continue your privacy program and readiness for GDPR, we’ll be communicating our product capabilities, processes for GDPR – compliant solutions, and marketing best practices here. We’ve been ensuring our own compliance as a “data processor” since the GDPR was adopted in 2016 and building on our strong foundation of data security.

See our privacy statementView our terms of service

Treasure Data takes data privacy seriously and we’re taking our privacy-by-design development philosophy further to assist our customers (“controllers”) with adherence to people’s rights (“data subjects”) under the law. While compliance is a shared responsibility between controllers and processors, ultimately the right solution is one that combines both technology, process and people – there is no “one-stop” product that covers everything. That’s why we want to help you build your GDPR solution your way.

Here is a condensed version of the seven general principles of the GDPR, our key capabilities to help with compliance and what we’ll continue to work on:

Disclaimer: Interpretation of the GDPR is up to your organization. While we’ve done our homework, the GDPR isn’t explicit in defining the principles for compliance. With language that makes it difficult to interpret, we advise you to consult your GDPR experts, legal counsel and the national data protection authorities in the EU. You’ll want to include them in your CDP requirements planning.

The GDPR Principle Explanation How Treasure Data can help

EU citizens’ personal data should be processed in a “fair and transparent manner”.

Each EU citizen has explicit data rights (see What is a “data subject” under the GDPR and what’s my responsibility).

If your processes for personal data collection and management respect these rights, you will have provided for “fair and transparent” processing of their data.

Treasure Data’s enterprise CDP is typically used as a central repository for customer and prospect data. Our customers collect this data from different sources enabling their marketers to analyze it for segmentation and activation (i.e. advertising and mail campaigns).

With our current integrations to most marketing and CRM systems, we can help:

  • Extract all personal data from their source and keep them in raw format

  • Document the sources for all your data

  • Easily export personal data for further analysis or access

  • Report on export jobs that send personal data to external systems

You need a lawful and legitimate reason to collect an EU citizen’s data. You must make that reason clear to data subjects and get explicit and affirmative consent.

Some reasons are automatically considered “legitimate” under the law, such as the fulfillment of a contract or legal obligation, but if you can prove explicit consent you will have a lawful reason to keep and use an EU citizen’s personal data until they exercise their right to be forgotten or erased.

Note: Consent must given by a “positive” opt-in and be explicit with all information about personal data use and processing (i.e. promotional offers) provided clearly at the time of consent.

Treasure Data CDP can integrate with other third -party consent management systems for the consent preferences of your EU customers and prospects. Our CDP provides the core capabilities to easily model those preferences for an accurate accounting of which records to process and for what purpose.

When EU customers and prospects opt-out of marketing programs, you can use Treasure Data to filter these people from “processing” and keep them out of your profiles and segments for activation.

We also have a specific feature that will allow you to block personal data collection through our mobile and javascript software development kits (SDKs).

We are currently working with leading consent and preference management vendors to integrate their solutions with Treasure Data. This effort is ongoing.

Personal data on a EU citizen should be accurate and kept up to date.

An EU citizen has the right to access and rectification. This means they can request to see their data (kept by you) and correct it when it’s incomplete or inaccurate.This is to ensure that their data is “fit for purpose” based on their original consent. To comply, these requests need to be fulfilled within a month.

Treasure Data CDP allows you to update or delete customer attributes, so any inaccurate personal data can be corrected before and after customer profiles are built and segmented. Our pre-built integrations can push those updates and deletions to other systems (i.e. SaaS marketing solutions) for a consistent record of personal data across your company. As our software partners begin to support GDPR-specific features, we will be evaluating and adopting their endpoints in our standard integrations to maintain consistency of all the personal data records you keep. This development is currently ongoing.

EU citizens’ personal data must be kept for no longer than the time needed for the legitimate business purposes you disclosed at the time of consent.

The personal data collected should only be used for its intended purpose, so personal data should only be kept for the time it takes you to use it. This means that you should have ways to archive or delete an EU citizen’s data when you are finished with it or when they ask you to forget them. (See What is a “data subject” under the GDPR and what’s my responsibility).

While CDPs typically, store and manage personally identifiable data on customers and prospects, Treasure Data also manages anonymous data from web visits and Data Management Platforms (DMPs). When data is no longer needed for the purposes for which you have consent, it needs to be archived, you can choose to anonymize that data within our platform or to delete records completely. Treasure Data is a cost-effective way to keep and protect customer data for the long-term, so proof of compliance can be provided with ease at any time. Our underlying data platform also supports automated data retention and purging based on age.

Keep any EU citizen’s personal data secure and protected from data breaches, unlawful use, accidental loss or destruction.

This is probably self-explanatory, however its intent expands beyond the security of your database. It is also meant to provide protection of personal data processed by a third-party organization and handled by your own employees.

Treasure Data has a strong security foundation. We built Treasure Data for trust. We’re compliant with EU-U.S. and Swiss-U.S. Privacy Shield Frameworks and protect personal information transferred from the EU and Switzerland to the U.S.

With 50% of our global CDP customer base storing personally identifiable information (PII) on our platform we’ve invested heavily in industry standards that also include:

  • ISO/IEC27001 certification

  • SOC 2 Type 2 audit

GDPR Principle: EU citizens’ personal data should be processed in a “fair and transparent manner”.

Explanation: Each EU citizen has explicit data rights (see What is a “data subject” under the GDPR and what’s my responsibility).

If your processes for personal data collection and management respect these rights, you will have provided for “fair and transparent” processing of their data.

How Treasure Data can help: Treasure Data enterprise CDP is typically used as a central repository for customer and prospect data. Our customers collect this data from different sources enabling their marketers to analyze it for segmentation and activation (i.e. advertising and mail campaigns).

With our current integrations to most marketing and CRM systems, we can help:

  • Extract all personal data from their source and keep them in raw format
  • Document the sources for all your data
  • Easily export personal data for further analysis or access
  • Report on export jobs that send personal data to external systems

GDPR Principle: You need a lawful and legitimate reason to collect an EU citizen’s data, you must make that reason clear to data subjects and get explicit and affirmative consent.

Explanation: Some reasons are automatically considered “legitimate” under the law, such as the fulfillment of a contract or legal obligation, but if you can prove explicit consent you will have a lawful reason to keep and use an EU citizen’s personal data until they exercise their right to be forgotten or erased.

Note: Consent must given by a “positive” opt-in and be explicit with all information about personal data use and processing (i.e. promotional offers) provided clearly at the time of consent.

If your processes for personal data collection and management respect these rights, you will have provided for “fair and transparent” processing of their data.

How Treasure Data can help: Our CDP can integrate with other third-party consent management systems for the consent preferences of your EU customers and prospects. Treasure Data provides the core capabilities to easily model those preferences for an accurate accounting of which records to process and for what purpose.

When EU customers and prospects opt-out of marketing programs, you can use Treasure Data to filter these people from “processing” and keep them out of your profiles and segments for activation.

Before May 25th, we will have a specific feature that will allow you to block personal data collection through our mobile and javascript SDKs.

We are also working with leading consent and preference management vendors to integrate their solutions with Treasure Data. This effort is ongoing.

GDPR Principle: Personal data on a EU citizen should be accurate and kept up to date.

Explanation: An EU citizen has the right to access and rectification. This means they can request to see their data (kept by you) and correct it when it’s incomplete or inaccurate.This is to ensure that their data is “fit for purpose” based on their original consent. To comply, these requests need to be fulfilled within a month.

How Treasure Data can help: Treasure data allows you to update or delete customer attributes, so any inaccurate personal data can be corrected before and after customer profiles are built and segmented. Our pre-built integrations can push those updates and deletions to other systems (i.e. SaaS marketing solutions) for a consistent record of personal data across your company. As our software partners begin to support GDPR-specific features, we will be evaluating and adopting their endpoints in our standard integrations to maintain consistency of all the personal data records you keep. This development is currently ongoing.

GDPR Principle: EU citizens’ personal data must be kept for no longer than the time needed for the legitimate business purposes you disclosed at the time of consent.

Explanation: The personal data collected should only be used for its intended purpose, so personal data should only be kept for the time it takes you to use it. This means that you should have ways to archive or delete an EU citizen’s data when you are finished with it or when they ask you to forget them. (See What is a “data subject” under the GDPR and what’s my responsibility).

How Treasure Data can help: While CDPs typically, store and manage personally identifiable data on customers and prospects, Treasure Data also manages anonymous data from web visits and Data Management Platforms (DMPs). When data is no longer needed for the purposes for which you have consent, needs to be archived, you can choose to anonymize that data within our platform or to delete records completely. Treasure Data is a cost-effective way to keep and protect customer data for the long-term, so proof of compliance can be provided with ease at any time. Our underlying data platform also supports automated data retention and purging based on age.

GDPR Principle: Keep any EU citizen’s personal data secure and protected from data breaches, unlawful use, accidental loss or destruction.

Explanation: This is probably self-explanatory, however its intent expands beyond the security of your database. It is also meant to provide protection of personal data processed by a third- party organization and handled by your own employees.

How Treasure Data can help: Treasure Data has a strong security foundation. We built Treasure Data for trust. We’re compliant with EU-U.S. and Swiss-U.S. Privacy Shield Frameworks and protect personal information transferred from the EU and Switzerland to the U.S.

With 50% of our global CDP customer base storing personally identifiable information on our platform we’ve invested heavily in industry standards that also include:

  • ISO/IEC27001 certification
  • SOC 2 Type 2 audit
Treasure Data runs Treasure Data

Beyond our readiness as a processor, Treasure Data will continually work to ensure compliance with the GDPR as a controller. Our marketing department uses Treasure Data for personalization, attribution and up-to-date daily reporting, which means we have to understand and comply with the GDPR just as our customers do. We’ve gained a proficiency in privacy compliance and are working towards a marketing center of excellence in data privacy. Our goal is to turn our GDPR insights into your guidance. We’ll be updating the site frequently with information on the GDPR for your marketing organization.

Check out the blog

We continue to update our white paper, A Marketer’s Guide to the GDPR. Rather than filling it with technical chatter or cleverly disguised sales pitches, we wrote it with down-to-earth advice and practical tips for consent, database segmentation, inbound lead management and opt-outs. It’s a great asset to share with your entire marketing team.

Download it now!

What is a “data subject” under the GDPR and what’s my responsibility?

Any EU citizen that has provided their personally identifiable information (PII) to you is a “data subject.” PII under the GDPR is broad and includes any identifiers that could reveal (now or in the future) an EU citizen’s identity. And, if you are collecting this PII data from them and keeping it, you are a “controller” under the law. Unlike previous EU directives on data privacy, the GDPR imposes liability on “controllers” and their “processors” for privacy rights violations. If a complaint is filed by a data subject with any Supervisory Authority, the regulating body of the GDPR, fines can be significant–as high as €20M or 4% of annual revenues, whichever is greater. Not to mention the civil suits that could be filed for higher awards and the costs associated to data breaches, let alone the impact to business continuity. So, “controllers” need to assure “data subjects” rights.

IMPORTANT: The following list is our interpretation of the UK’s Information Commissioner’s Office (ICO) summary of the GDPR’s data subject’s rights. It’s not a substitute for your own legal interpretation and judgement.

Under the law EU citizens have the right:

  • To be informed – They need to know what data is being collected and how it’s being used. This needs to be communicated to them at or before the time of collection.
  • To access – They need access to their data, and the means by which you acquired it (including any third-party data) provided on demand and free of charge.
  • To rectification – When a data subject finds inaccuracies in their data, they have a right to correct or complete the information. The responses to corrections need to be made within a month of the request.
  • To erase – If for any reason they want to have their data deleted, those requests also need to be carried out within a month. They also must be carried out across all records and systems where their information is kept.
  • To restrict processing – They can also request that their data is retained and not used for any purpose. The responses to corrections need to be made within a month of the request.
  • To data portability – They also have the right to move their data wherever and whenever, so they can request to have their records moved from one service (i.e. IT environment) to another.
  • To object – While you may have a legitimate reason to use a person’s personal data (i.e. fulfill a contractual obligation), the GDPR provides them the right to restrict any and all use of it.
  • To refuse automated processing decisions, including profiling – In the case that their data is being processed automatically, without human intervention, the GDPR allows them to have information about the processing and request that people be involved.

The law also will provision for data protection and privacy processes that will need to be followed for compliance. While it touches on a number of areas where companies have responsibilities under the GDPR and suggests questions for consideration, it only scratches the surface. Your company will certainly require legal counsel to guide your compliance with the GDPR and advise on the decisions such as the one to employ an objective external privacy “advocate” as a data protection officer (DPO).

While the GDPR is now enforceable upon us, the process for compliance will be ongoing and we’re here to lend a hand.

Stay tuned for more! And in the meantime, discover what Treasure Data CDP can do for you.

Learn More