E13: GDPR Wedding Day & Beyond (🎧Podcast)

One of the best analogies this week will be that May 25th is the big wedding day where GDPR gets “hitched” to businesses and their privacy platforms forevermore.

Unfortunately, as in real life, the long marriage may not be as festive as the wedding day. The Ward brothers outline how businesses need a stronger approach for ongoing marital happiness.


Jay: ‘Are You DataSmart?’, a weekly podcast on data security, information management, and all things related to the data you have, how to protect it and maximize its value. I’m Jay Ward.

Christian: And I’m Christian Ward. And today we’re gonna talk about the GDPR wedding day. Jay, it’s up soon. We’re only a few days away from the big day.

Jay: Oh my god you guys, I can’t believe it’s already here.

Christian: I’ve got to be honest Jay, when I read the articles out there and I listen to people at conferences talking about GDPR and being ready on May 25 and the big day, I mean, you made some funny analogies in a blog post just how it’s springtime here in the U.S. and everyone’s excited about that May wedding day.

I’m a little concerned that we’re all once again losing sight of what many, many people do as they approach their wedding, which is they are so focused on the day, they are forgetting the lifetime of marriage that is just on the other side of that day.

Jay: Yeah, I mean, Jim Gaffigan does a pretty great bit about how two people get together and they decide that they love each other. So, they pretend that it’s 800 years ago and they have a kingdom, and we’ll bring your family together and mine and we’ll have a feast, and then you’ll go on a totally unjustified vacation.

Christian: Yes, yes.

Jay: For me, I think the wedding analogy is really apt because what happens is there’s a cottage industry that’s been built up around getting you ready. You spend so much money to make all the preparations. No one really knows how it’s all gonna work out. You’re worried about whether or not you’ve done what you need to do to be ready. And you’ve got people from out of town who are concerned, you’ve got people who are trying to put their own imprint on the way it’s all gonna be done, and weddings are pretty bad too.

Christian: Yeah, I’m sure none of the listeners had any external influences trying to affect the way they prepare for their wedding day. That’s so rare, but that is a great analogy. I mean, it literally describes the build-up to this May 25 date, we have our data partners, we have our users, we have the legal counsel telling us what to do, you have the CEO driving in one direction trying to get a valuation for the company based on its data assets, you have the CIO trying to get their arms around where all the data lives, you have things like Master Data Management, what we call MDM in the business initiatives, all across these companies trying to better wrestle their data about their customers into a strategy for reaching out to the consumer. Every one of these people has a stake in this wedding. And I think what’s fascinating is, I wanna talk a little bit today about what’s the difference between the wedding and the marriage afterward?

Jay: Well, as they say, the wedding is for your guests, not for you. And I think that’s right because, in this instance, talking about May 25 as though it’s the be-all, end-all, is a mistake. You need to think about May 25 as the starting point. That’s the day when you need to have your framework in place or you need to at least, at the very least, you need to have thought about what you want to do and you’re starting to make it happen.

That’s why I think the wedding versus marriage analogy is so apt because if you’re only focused on that one day, what’s gonna happen is, you’re going to have spent countless hours redrafting your privacy policy, and you’re gonna have new approaches to data security, and you’re gonna have a vendor who did a gap analysis for you, and you’re gonna do all of these things and you’re gonna spend so much money and so much time.

And then if you don’t pay attention to those policies, and pay attention to your practices, and constantly be thinking about and paying attention to your data security plans, your GDPR compliance, in two years you’re gonna be like, “How did we get here?” And that’s what you want to avoid.

You don’t want to be in a position where you’re thinking, “Boy, we spent a lot of time and money to do something that we could have been putting into product development if I knew we were gonna end up here, which is really no better than where we were before the GDPR ran into effect.”

It’s about the long-term goals, it’s about the long-term planning and focus. And that’s why, for us, when we’re advising clients, when we talk to our clients about how to think about GDPR, it’s May 25 is when the starting pistol goes off, that’s when it’s time for you to really commit and be focused. And that’s hard, that is really difficult to do.

Planning for weddings is difficult, but they can be pretty fun when you’re there. There’s no way to truly plan for a marriage because you have no idea what you’re doing before you get into it. And ask any husband, you have no idea what you’re doing when you’re in it, but you still have to do the hard work, you really have to put in the effort. And that’s exactly what a truly compliant, a good data security and GDPR compliance plan looks like.

Christian: Well, I think a lot of people in the past have been able to get by sort of just scraping someone else’s privacy policy and pasting it in. And that does feel like what a lot of businesses have thought about also at GDPR. That being said, if the analogy is a wedding, then May 25 is the new Singles Day. I don’t know if you’re familiar with the Chinese holiday November 11, so 11.11. It’s Singles Day where literally thousands of people gather, I think principally in Beijing, but now it’s in other cities as well. And they all get married at the same time.

The amount of mass excitement around that holiday is quite amazing. But I think it’s really…that is what every business and every company around the world is now having to deal with. When I think about some of the recent customers that we spoke into our prospects, something I think that’s really important for people to think about and judge is that we don’t really live in a world anymore where your Chief Data Officer or your Data Protection Officer is a secondary thought. It needs to be a primary thought.

I recently met with a business that is looking at a completely new undertaking in their master data management approach. And they have a ton of data, I mean, millions of users at both an app level and interaction with stores that they own, and purchasing data. They have so much great data and they wanna track users as they go over to Pinterest and like something, if they’re on Facebook and pause over a particular ad for some period of time, if they’re on their website and they pause or dwell, as we would call it, on a particular topic. They want to gather all of that and be able to make a better experience.

And look, I’ll be honest, I think they have the best of intentions of creating good experiences with their customers. This is not a nefarious plot to take over the world and rewrite the circle. This is very much a company really trying to do and provide great service.

That being said, I’m sitting listening to them going, “Well, where’s your DPO? Who is your CDO? Who is the person that’s sitting and watching the compliance regime?” Because while all these things are great and drawing circles and lines, connecting dots on whiteboards is great, in the end, it is all becoming a liability. And it’s a liability that is a worthwhile risk, but it must be managed.

And, Jay, I think we’re gonna see a trend. And obviously you and I support the concept, but I think the trend is going to be that the undertaking of any major data initiative, businesses and companies are going to need to not just invite occasionally to the working group meeting, but to literally get their data compliance, their privacy compliance, their regulatory oversight group involved from the very beginning so that they can be part and parcel to every decision as to what data is used, what data is necessary, and really importantly, what data is going to be purged because that is sort of the missing element of so many of these master data management approaches. These MDMs where they literally, like, unsubscribe does not mean remove all the data.

Unsubscribe means actually more data. It means that you have the date, the time that they said that they unsubscribed. And now people then sell those contacts to other people because even though they unsubscribed from you, it didn’t mean you had to delete the data. We’re now moving into a world where you have to delete the data. That’s a whole new ball of wax that I don’t think a lot of people are thinking about.

Jay: I don’t think so either. And, for me, when you talk about having the privacy team involved from day one, to me, that’s privacy by design, which is not a new concept. Privacy by design has been around for a very long time. And it’s something that European data regulators have focused on for a very long time. It’s just now you have to do it. There’s no option to be like, “Well, I guess I’ll integrate it into some of my new products.” No, no, no, no, this is the way that you do things across the board now.

And so, for me, what that means, from a lawyer’s perspective, is how do we counsel clients to be able to integrate data security and privacy into every aspect of what the business does. And that means you need a team, you need a data security team. And it’s not just your Chief Data Officer or your Chief Privacy Officer, it’s the team being able to say, “Well, here’s how we can integrate data security into our new product offerings. Here’s what our new cookie policy is gonna look like. Here is what it’s gonna look like when you register for our service and what our disclosures to you are gonna be.” It touches every aspect of your business because every aspect of your business is touching personal data. And whether you believe that or not, it’s true. Everything that you do, in one form or another, touches upon personal data.

So, if you don’t integrate privacy by design, if you don’t integrate these principles across all aspects of your business, you’re missing the opportunity, number one, to avoid problems down the line, but, number two, you are missing the opportunity to get the privacy worked into your operations now so that you don’t have to undergo an expensive retrofit later.

Christian: Yeah. And that, I mean, that really is what I think a lot of companies do have to deal with right now, which is for businesses that are just embarking on their new data strategy or they’re rewriting their data strategy, you have something of an opportunity to think about privacy by design in your new effort.

However, if you have already a massive platform where you’ve got datasets from, let’s say, 50 different databases, whether they’re third-party, first-party, or user data, or user suggested data, in the end, you are soon going to have to be able to not only remove a record very quickly and easily, you’re also going to have to be able to demonstrate what data you have on any individual person. And if a site like the ‘do not call’ list is created where people can just submit their email address to have to then blast every compliance department, every major company around the world to say what data do you have on me? I don’t think the world’s ready for that and I do think…

Jay: I don’t either.

Christian: What’s that?

Jay: I don’t either.

Christian: I just think it’s ultimately…it’s gonna be a massive undertaking. I don’t think people quite realize how big of a drain on resources that will be because most platforms are not designed for this. And look again, if you don’t disclose exactly what you have or it’s later discovered that you have more, that’s a pretty big regulatory infraction, at least from my perspective, because it shows you just didn’t prepare enough in terms of cataloging all of your data assets and the linkages between them.

And the last thing I’ll say about this, because I think it is such a good point, is in every wedding, that’s one day. The marriage is every day thereafter and hopefully on for the rest of your lives.

Jay: I think that’s right and we’re gonna talk about this next time. But you talked about transparency, you talked about sharing a worldview, I think, in this context, security and consistency are the other two aspects. We’ll talk about why those are important.

But as we…now we’re in the last week here. We’re gearing up towards GDPR. Think about what you’re going to do in the next few days, few weeks, few months, few years to really incorporate what the GDPR means and to the way that you operate your business because if you don’t, you’re gonna miss opportunities.

Christian: Absolutely. So, join us next time where we break down Jay’s three pillars of GDPR and the GDPR marriage, if you will, of transparency, security, and consistency. And we look forward to speaking with you then. Thank you for listening to this episode of ‘Are You DataSmart?’

Jay: Thanks again.
