Capturing first party data involves a value exchange between the customer and the business. Consumers provide personal information knowing that in exchange businesses will offer better customer experiences. This proposition is often made explicit when the data is captured. For example, visitors to an online retailer could be invited to provide personal information in exchange for a voucher for a discount on their first purchase. Some retailers now do this overtly by offering heavily discounted prices or offers exclusively to members of the loyalty scheme. Consumers are invited to provide details of their shopping habits with the incentive that this corresponds directly to preferential offers and a discount at the check-out. Consumers do this in the knowledge that businesses will profile and target them for offers using their personal data.
In a post GDPR consumer landscape, consumers are empowered and know the value of their data. They know organisations use their data to build profiles and target content based on their behaviour in the knowledge that it is done to deliver enhanced customer experiences and target relevant content. Consumers trust that this data is captured and stored in a compliant way because it is underpinned by regulations that allow them to access, modify, revoke consent or erase the data at any time. Organisations continue to invest in ensuring that personal identifiable information (PII) is stored in a compliant and secure way. But underpinning compliance is always consumer trust.
When consumers know the value of their data it is inevitable for them to use their right to access, correct or erase their personal identifiable information (PII). Simply storing customer data in a compliant way because it’s within regulations or allowing customers to struggle when updating or revoking consent isn’t good enough. Negative customer experiences relating to the way personal data is processed and stored poses very real financial and reputational damage to an organisation. Just because an organisation can store personal data, doesn’t always mean that it should. Consumers expect their personal data to be respected and valued.
To properly value first party data, organisations must engineer solutions that have privacy by design. This ‘Privacy Engineering’ must be transparent about what data is captured, how it is used, stored and its purpose, and provide the mechanism for customers to easily update preferences, revoke consent, unsubscribe, resubscribe, and self-exclude in a frictionless way. Privacy Engineering is the technology and processes that are used to capture, store and process customer data in a way that puts privacy at the centre of the solution design.
Retention policies should be in place and business cases defined for each data point that is captured to minimise the amount of PII that is held at any one time and prevent the over storage or duplication of data. Consideration should also be made for how data is segmented or tagged. In the event of a subject access request, or a breach; the over storage or inconsiderate storage of data can erode trust and damage the reputation of the organisation, the customer, or both.
Capturing and maintaining contact preferences should be simple for the customer, and the customer journeys should be mapped out to allow customers to easily control their marketing consent. Done well, customer preference centres are opportunities for showing the value of exchange when providing personal information, while simultaneously empowering the contact and showing that an organisation respects their PII. Leaving the door open for a contact to provide consent again in the future.
The technology underpinning Privacy Engineering should be customer centric, whether in a customer data platform (CDP) or more conventional database, the storage of data should be audited to ensure that data points are documented. The GDPR processes in place to correct, access or remove PII should be simple to ensure compliance and ensure that subject requests are efficient and don’t add a burden to the ‘business as usual’ (BAU) activities. The concept of privacy by design should make those GDPR requests part of the BAU.
The implementation of GDPR in 2018 took priority for many organisations, as they implemented policies to existing infrastructure to ensure they remained on the right side of the legislation. With high penalties in place to ensure Marketers continue to take it seriously. At the same time GDPR became part of common knowledge and now consumers are empowered with how their data should be used, and what power they have as individuals. The result has been better marketing strategies, that target more engaged contacts. Privacy Engineering is the next logical step, by implementing infrastructure, processes and policies that put the data subject at the centre of the solution organisations can maintain consumer trust and ensure first party data is valued because the consumer will find out.
If you would like to discuss how you can better maintain your data, do get in touch we are here to help.