Back to blog

How to Stay Privacy Compliant With Your Data Management Platform (DMP)

Data management

Written by

Published September 15, 2016 · Updated July 10, 2019

How to Stay Privacy Compliant With Your Data Management Platform (DMP)

Data management platforms (DMPs) and data privacy — a tricky combination. Both are pretty hot topics these days, though perhaps in different ways.

Research indicates there is strong continued interest in DMP adoption among advertising and marketing professionals looking to leverage data for more effective campaigns.

DMPs remain at the top of the list for advertisers and marketers.

Data-privacy regulations, including the European Union’s recently enacted General Data Protection Regulation, have gained headlines, too. Sadly, some of this attention is due to low awareness and pitifully poor preparation among companies ahead of the May 25, 2018, start date for the statute’s enforcement.

Because implementing a DMP automatically carries with it the implication of data-privacy compliance, it’s a good idea to understand how the two areas overlap, and more importantly, how to use your data-management platform to remain compliant.

Start With Data Collection

The first key to privacy compliance with your DMP is to start early. This means getting the data collection process right.

Proper collections methods are the key to keeping a DMP privacy-compliant.
Proper collections methods are the key to keeping a DMP privacy-compliant.

Just to review — a DMP can draw data from several different sources, including:

  • Tags: Used to track online behavior of visitors/customers, send cookies to analytics tools, track conversions.
  • Mobile SDK: To track behavior within mobile applications.
  • First-party (offline) data onboarding:This can include, among other things, names, email addresses, telephone numbers, purchase history, etc.
  • Ad pixels: Reporting ad engagement from ad-serving platforms.
  • Third-party audience segments: Paid data drawn from various vendors (publishers/ad networks, etc).

Some sources, such as tags, ad pixels, and purchased third-party audience data generally provide Non-Personally Identifiable Information (non-PII).

Others, like CRM databases, contain Personally Identifiable Information (PII) or Personal Data (the rough European equivalent of PII) and require anonymization prior to uploading to a DMP.

Therefore, one of the most basic questions you need to ask yourself when starting out with a data-management solution is:

What kind of data will I be collecting and from what sources?

As we will see later on, the answer can play a key role in how you use your DMP while staying privacy-compliant.

Customer Data Platform vs. Data Management Platform

Learn over 25 key differences between Customer Data and Data Management platforms and decide which of them will be a better fit for your business

Download FREE Comparison

Data Compliance and Tag Management

One of the most popular means of collecting online data is with the help of tags. If you’re serious about collecting the online data you need to drive your organization, you are already using tags to gather behavioral information about your customers and site visitors.

The tags, however — both those you implement personally and third-party tags from external vendors or advertisers — and the cookies they set, are subject to GDPR regulations on both consent and opt-out.

How can you use your DMP to work with these regulations?

First, make sure you have an integrated tag-management system (TMS) connected to your platform. A TMS gives you a tool to control all the tags on your website all in one place. This has several advantages:

  • You can more easily separate which tags are being used to collect different kinds of data and make it easier for users to consent or opt out of different steps of data collection.
  • You can see which third-party tags are running on your site. A good tag manager will allow you to add an opt-out option for all tags, not just the ones you implement yourself.
  • You are better equipped to monitor where data is being sent by the tags on your site — in other words, if data is being sent to vendors across national borders, which might put you at risk for fines.
  • You can also help reduce piggybacking, when third-party tags ride on top of your own tags, something that is a definite no-no for anyone wanting to maintain control of their data.

As mentioned already, giving online visitors the option to consent to tracking by a clear affirmative action, request NOT to be tracked or opt-out at any time of tracking is central to GDPR.

By using a DMP that has these options available for each and every tag at the collection stage of the process, you can avoid getting stuck processing data you shouldn’t have or not being able to locate data in the event you need to delete it.

Moving Forward With Your DMP

Moving on from the data collection part of a DMP’s functionality, it is a good idea to be sure your application has a clear data pathway, or in other words, a well-defined outline of how the data you intend to use moves through the application. This way there is less risk that you will lose track of it and therefore less risk that it will eventually end up being used improperly.

A clear data pathway can eliminate a lot of headaches.
A clear data pathway can eliminate a lot of headaches.

Additionally, you will be able to show, should you need to, that you are fully compliant with every aspect of data-privacy regulations.

Data Compliance and Storage

Clearly, your DMP will be storing data and most likely in large quantities, but unlike applications that simply store information, such as Dropbox or even iCloud. a data-management platform is designed to process the data and push it onward, most often to advertising and marketing technology applications.

For this reason, you will need to consider two things:

  1. Will the data be stored in-house or in a public cloud?
  2. Who (or which API-connected apps) will have access to the data?

If you’re looking for maximum effectiveness from a DMP, you will be interested in onboarding first-party data to your DMP, which can help you get a more complete view of your customer, but this means you will be processing potentially sensitive data, so using a public cloud solution could be very risky, if not out of the question.

There is also the question of who will have access to the data. Here, there is a balance to be struck between easy access (for members of your internal team — marketers, data analysts — who need to be able to change settings, add data-collection channels, and monitor the process) and security (to prevent data from being used inappropriately or possibly even leaking out).

Access is also important because the GDPR authorizes persons about whom data has been collected to request access to it at any time and to request a copy for themselves.

Complex access permissions are also important to maintaining privacy compliance.
Complex access permissions are also important to maintaining privacy compliance.

Of course, it is not only physical individuals who may be accessing the data from your DMP. Other applications may also plug into it via an API. While this can make your DMP very versatile and useful, it becomes more important to control which apps can use which data and for what purposes (as per users’ consent).

With all this in mind, a system of granular permissions is recommended. Your DMP should offer the flexibility to change access rights at any time while making it clear who or what apps can share information with users who may request to see their data.

Data Compliance and Usage

Even more important than the issue of data storage, how you use the information processed through a DMP is critical to staying in line with privacy regulations.

The most common use cases for a data-management platform include pushing audience data to a large number of advertising or marketing platforms – ad exchanges, demand-side platforms as well as marketing automation tools.

However, regulations stipulate that a person whose data is being collected must give clear consent by an affirmative action for all actions to be taken with his or her data. They also mandate the possibility of removing consent at any time and that the “data subject” be made aware that he or she can withdraw consent at will.

So what does this mean for your DMP?

  • You will need to have a clearly defined idea of where and how the information will be used so your customers or visitors are sufficiently informed and can agree or disagree.
  • You will also need to know exactly where your data will physically be traveling, depending on the vendor you are working with. As mentioned above, crossing borders increases risks.
  • Your DMP should also have an integrated system that stores information about how the data was collected and what consent was given for its use. This data about the data itself should be passed along throughout the data pathway.
  • Similarly, you will need to ensure that third parties you share data with, such as an ad exchange or demand-side platform (DSP), are also privacy-compliant.

These factors further underscore the need for your DMP to make it easy to outline the entire pathway your data will travel from collection to activation and usage.

There is another reason:

In the event of a data breach, you must notify supervisory authorities within 72 hours and individuals concerned “without undue delay.”

Having your data’s path mapped out clearly, step by step, will not only make it easier to control its use as per your users/customers’ consent, but also isolate any breaches and fix them quicker.

Data Compliance and Deletion

There is one final and very important aspect when it comes to keeping your DMP privacy-compliant — data deletion.

As the amount of online data grows, it becomes harder and harder to keep track of; that’s one of the reasons a DMP is so useful in the first place.

These vast amounts of information also make it more difficult to delete data if it should become necessary; and it may, since this is one of the core features of data-privacy rules: the Right to Be Forgotten.

Imagine you have implemented a data-management solution offered by a popular vendor. All seems to be going well until that vendor changes its pricing system and you can no longer afford to use its services — or worse, it goes out of business.

Where is your data? How do you access it? What will you do if you receive a Right to Be Forgotten request? Can you prove to regulatory authorities that you have complied?

These may not be very comfortable questions, but they are essential if you want to use your DMP the right way.

If you have a DMP built with transparency and a clear data pathway, and it is fully under your control (ideally self-hosted or hosted in a private cloud), you can save yourself a lot of headache.

Customer Data Platform vs. Data Management Platform

Learn over 25 key differences between Customer Data and Data Management platforms and decide which of them will be a better fit for your business

Download FREE Comparison

Author

Ian Simpson

See more posts by this author