10 considerations for Responsible Customer Data Management
Last update: February 14, 2025
Topics: Privacy
Created for: Beginner, Intermediate, Experienced, User, Developer, Admin, Leader
Volatile market forces and disparate consumer privacy requirements can present daunting scenarios for the digital marketer. To keep campaigns on the right side of regulations, marketing teams need their IT counterparts to have a streamlined process for future-proofing the data governance process — one that ideally empowers everyone to follow and enforce rules of responsible usage of consumer data. Hear from Adobe and Scotiabank Digital on key considerations for responsible data management.
Transcript
Okay, good afternoon everyone and thank you for joining us with this webinar, which is going to explore Marketer’s Guide to 10 Considerations for Responsible Consumer Data Management. I’m Marjorie Ravine-Zanabria, I’m a Senior Editor at Digiday and I’m your host this afternoon. Following this discussion, we’ll have some time for Q&A, so be sure to take advantage of that. You don’t have to wait until the end to submit your questions. You can add them at any point during the session through the questions tab on the GoToWebinar platform. Everyone registered will also get a recording of this webinar in their inbox tomorrow, should you miss anything or want to revisit any part of the conversation. Today’s guests are Elizabeth Sexton, Senior Privacy Product Manager at Adobe Experience Platform, and Jason Zhao, Manager of Digital Acquisition at Scotiabank Digital. And with that, we’ll get started. Elizabeth, take it away.
Good afternoon everyone. I’m Elizabeth A. Sexton and I’m, as mentioned by Marjorie, I’m a Senior Privacy Product Manager for Adobe Experience Platform and Adobe Experience Cloud. I’m delighted and honored to be here with you today and I look forward to our discussion on Responsible Customer Data Management. Also here with me today is Jason. Let me turn it over to him to introduce himself.
Hi everyone. I’m Jason Zhao and I’m a Digital Acquisition Manager at Scotiabank. Scotiabank is one of Canada’s leading financial institutions and is a leader in digital banking and digital banking innovation. At Scotiabank, I manage our data management platform as well as lead our first party audience strategy.
Great. Let’s just jump right in. What we have in store for you today, let’s quickly just go over the agenda. We’ll provide context surrounding what we mean when we refer to customer data management. We’ll review the market forces requiring marketers to evolve and adapt. We will share how marketers are also data stewards.
We’ll provide 10 considerations for responsible marketing. And last, we will review several action items you can put into play when you get back to your desk. Our presentation today will not cover details of privacy, directives, regulations, or other laws. And today’s session is not legal advice. Please work with your internal privacy legal and IT teams to align on privacy data governance, policies and execution, which is applicable to your organization.
So let’s get started. Let’s first talk about customer data management. Defining customer data management in the context of today’s presentations includes that every brand across industries and across regions will need to achieve two high level use cases. The first being finding and acquiring new customers. And the second one being retaining those existing customers. Traditionally, DMPs have solved for the use case on the left, providing value via audience creation, segmentation and activation, while leveraging pseudonymous data such as third party cookies and hashed identifiers. Emerging in the face of the market forces soon to deprecate the consumer data available are CDPs or customer data management platforms. Reduced access to third party cookies and data as noted in the press for the past few years and more recently, create urgency via Google’s announcement to deprecate the third party cookie. Have provided a catalyst for the marketer to start thinking about how to future proof investments, pivot use cases and reimagine customer data management strategy.
Today, we use Adobe Audience Manager for our customer data management. In this platform, the anonymous data is ingested for audience targeting and digital activation. However, as Elizabeth mentioned, upcoming market forces, specifically the reduction and reduced access to a third party cookie, is leading us as an organization to reimagine customer data management and prospecting use cases.
One of the results could be a potential shift from the Adobe Audience Manager DMP platform to a CDP or customer data platform. Whether you are using a DMP or a CDP, the tenets of customer data management are generally the same. The main difference is that a CDP can ingest personal data such as names, emails or phone numbers whereas personal data is always hashed before being ingested into a DMP.
So in order to create an audience, we start with the data inputs, which are various data sources that ingest data into Audience Manager. Then segments are built based on signals from multiple systems. And finally, segments are mapped into an activation platform that matches our customer journey.
Now I’ll be walking you through an example of how both anonymous data and known customer data can be used in tandem to target an audience of college graduates, to target them with a special first credit card offer. And first, we’ll pull browsing behaviour data from Adobe Analytics such as a user who has been browsing an Advice Plus article on tips after college. We have a lot of tips and content on our main website to help users through the life journey of their financial planning. This would be synonymous data that helps us find new prospects and we can pull in offline data such as CRM data. For example, customers with a specific type of loan such as a student loan. And finally, we can enrich the profile by layering in second party data around credit score. By creating an audience for the specific customer acquisition campaign, the qualifications for this statement would be, yes, they browse the page, they’re at the end of their college year and they have high credit score. We can then activate this audience in multiple channels and provide offers relevant for college students, students who may need their first credit card.
Next let’s examine the market forces. When we examine the customer experience landscape, there are four urgent market forces at play.
Those are the rapid shift in identifiers to a more durable identifier, the expectations of consumers for personalization, privacy and governance forces, and lastly, the consolidation of marketing platforms. Historically, there has been a perception that data management and governance as well as privacy requirements are someone else’s responsibility. Over the past three years, we’ve seen a blurring of the lines. One force in particular stands out and that is the proliferation of privacy and governance experience expectations by consumers. What data is procured and how it can be used is now everyone’s responsibility. Privacy and governance are essential to understand the expectations of the consumer when they entrusted you with our data and how that data is being governed within your organization to ensure its proper collection, use and storage. Marketers look to develop a trusted relationship with brands. In doing so, they expect to see similar values to their own as well as consistent alignment to the preferences the consumer has already stated. Thus, it is imperative that marketers are empowered with tools which are both lightweight and flexible to meet the experience and relationship demands that are now before them.
Adobe recently commissioned a study with Advanus in an effort to not only learn brand readiness for a future without cookies, but also consumer perception of the issue. As brands and vendors, we are constantly thinking about revenue, innovation, retention and so on. But as we continue to build experiences, not products, the consumer perception can sometimes get lost during the discovery. With the Advanus study of 1000 consumers, here’s what we learned. 61% of consumers review the privacy policies, but only 71% of those that reviewed the policies represented that they quote mostly understood the policy. This is a net effective rate of less than half of the users understanding data policies presented to them.
We observed an even more dramatic split when you segment based on age. The younger generations comprise the vast majority of those who are included in that quote mostly understand group. 63% of individuals were not at all familiar with the policies. Most of the remaining respondents were still only slightly to somewhat familiar with the data policies and practices. Of the consumers in the Advanus study, only 9% were in the very familiar group.
Marketers need to mind the gap. Less than half of the consumers stated they read and understand policies and 60% of the consumers say they need simplified approach with more clarity on how to update, change or delete personal information, which are all basic tenets of privacy regulations such as GDPR for example.
This is not aligned with the 500 marketers who participated in the study. 85% of the marketers were confident that their consumers understood the organization’s policies. 71% of marketers reported they provided consumers with options and details on how their data is collected and used. The most telling perhaps even optimistic is the almost half of these marketers say that they held weekly meetings with their privacy teams. As you reflect on today’s presentation, is this your cadence? How often are you meeting with your privacy team? And do you know who the leaders of those teams are? Developing a robust partnership with privacy, legal and other stakeholders is really key to everyone’s success.
Whether or not the consumer understands the policies or does not understand them, they ultimately expect transparency. Transparency results in four key expectations. Clarity in articulating what data is being collected and how the consumer can change their mind at another time requires simple communication and information that is easy to read, follow and use, not just now, but well into the future.
Creating a clear communication about the consumer’s choices and how they can make informed choices which align most often with the shared vision of their values. The choice consumers make is also deeply embedded in the relationship they have with the brand. Thus creating a strong consumer brand relationship is key. Consent may be necessary for some types of data. This is where that partnership will really come in handy based on your jurisdictions or your specific use cases. Governance requires communicating clearly how data will be governed and aligned with the values of your organization and will benefit consumers in their development of trust and rapport.
If there’s one message to take away is that consumers have rights and they expect a brand to be transparent in their relationship. As a consumer develops a trusted relationship with a brand, they are more likely to share their data and more of their data and more rich data to assist in the continued development of the relationship leading to meaningful personalization and value delivery.
So taking a step back and reviewing third party research not commissioned by Adobe, what we discovered is that by 2023, 65%, that’s over half of the world’s population, will have its personal data covered under modern privacy regulations. By 2022, 30% of consumer facing organizations will offer a self-service transparency portal to provide for consent and preference management by the consumer. For 2023, organizations that can instill this level of digital trust will be able to participate in 50% more ecosystems to expand revenue generation opportunities such as end party data shares.
As we talk about marketing responsibly in today’s session, note that there are generally two concepts that tend to be used interchangeably. However, those concepts are mutually exclusive and they have different goals. Data governance refers to the management of data.
The tools you need as a marketer to enable you to be flexible in creating policies and to label data based on your use cases. Collaboration with an IT team is key here. Privacy is more about the consumer rights focused on delivering on the use cases when your consumer provides the appropriate consent. Collaboration with privacy teams is your key. Knowing that they can help guide you on the definitions of personal data and directive guidelines to follow which are unique to your business and expectations you’ve established with your organization.
Next let’s dive into the marketers putting on their data stewards hat. At Adobe, we’ve seen multiple personas take on double duty. And in many cases, they’re adding data steward to their responsibilities list. Data steward roles are often tasked with ensuring that proper usage of data and overseeing the lifecycle of that data. Marketers are the end point of the data governance chain. They request data from the data governance infrastructure created by data stewards, scientists and engineers. Marketers encompass a number of different specialties under the marketing umbrella, including the following. Marketing analysts require data to enable an understanding of customers, both as individuals and in groups, which are also known as segments. Marketing specialists and experienced designers use data to design new customer experiences.
Let’s take a step back. Jason, if you don’t mind, would you tell us how this plays out for you at Scotiabank?
Now more than ever in my organization, and I’m sure that most organizations, there’s a huge emphasis on leveraging our first party data as marketers. Whether pulling data for reporting or customizing web content via onsite virtualization, our known data about our existing customers is integral in how we plan, operate and function as marketers.
At my organization, with first party data being the basis behind almost every marketing decision, marketers are now dealing with data more than ever and the line between data steward and marketers becoming less and less defined. As marketers are becoming data stewards, it’s important that marketers understand their responsibilities as data stewards and market responsibly. As the DMP leader within my company, in addition to the responsibilities we have to our own customers as a financial institution, it is critical that we follow responsible marketing usage of data throughout the customer’s journey.
To build consumer trust and understand one’s responsibilities as a data steward, it’s important to remember the following concepts. First is clarity. Personal data can be defined in multiple ways and new directives broaden the definition beyond just email or phone numbers. I work with my privacy team to ensure that I’m clear on how my privacy team defines data types. For example, how does your privacy team define PII? By asking that question, we can gain clarity and expand our definition of what personal data is. Whether we’re talking about GDPR or not, all consumers should have access to update or delete their data. It’s their choice to invest in our products and our responsibility to give them choice on how we leverage their data. Choice of course goes hand in hand with consent, capturing permissions to follow through on the use cases that the consumer opts into. Finally, governance. Governance is key for someone like the A
Here is how the data governance process impacts the work I do based on a single journey. The data that is collected when online, such as a customer’s anonymous browsing behavior, includes first-party cookies, hashed identifiers, and authentication if they sign on to an authenticated channel.
The data that is collected when a consumer visits a branch includes tying personal data back to their backend profile that is stored in a data warehouse, data lake, or even cloud environment. Finally, data is collected when a customer logs on. Authentication between their first-party cookie and customer profile occurs, and a customized experience based on their product selection is shown to the customer. It is important that marketers use clarity to fully understand what data is collected, what can be shared, and what is considered PII. When offering new products or when a visitor enters our site, we ask for permission, invoking both choice and consent from the consumer. Finally, behind the scenes, what our consumer doesn’t see and shouldn’t see, we are governing their data and dictating how it’s being used, labeled, stitched, updated, and activated.
Now let’s jump into our 10 key considerations for responsible marketing.
Providing clear options for your consumers. Consumers don’t always know the original and national laws or directives. However, the rights dictated by these directives should be easy for the consumer to act upon. For example, tenets of GDPR include the right for consumers to access, delete, and update their data. Do your tech vendors enable you to honor these requests and streamline the process? Your consumers will come to your site, not the vendors. For example, a Scotiabank customer will come to our site, not Adobe’s instance of Audience Manager. Thus, it’s important to provide clear options for consumers on our website. To access their data, we’ll have our back-end data honor these updates across systems.
Listening to your consumers. This may be obvious, but when it comes to privacy, there is a different spin on listening to your consumers. During the consent collection process and experience, whether in-house or via a consent management platform, get granular about use case requests and permissions.
For example, ask your consumers if they are comfortable with you tracking their data or even selling it. Additionally, ask them if they are okay with on-site personalization or other use cases that enhance the customer’s user experience.
So number three, collaboration with internal privacy teams and other required stakeholders will be critical to everyone’s success. To help illustrate, it may be helpful to hear about how the Adobe Experience Cloud team approached GDPR. In 2016, when GDPR was passed, it was bound to have substantial impact to our customers and to our product operations. After spending some time evaluating the problem individually, we took a cross-team approach and banded together to bring about a common solution. The first thing we determined is developing a close partnership with our privacy legal, product and engineering teams would be essential. We first developed a common understanding by defining what was meant by personal data as it pertains to GDPR specifically.
As we were crafting our collaborative solution, we had another team addressing the continuity of our internal policies and what impact policy changes might have on our systems. And ultimately, it was determined that we have a sturdy privacy framework to evaluate new and upcoming directives or laws, which would allow our teams the ability to pivot quickly as laws change, so do definitions, and it becomes a very delicate balancing act. After creating a close partnership across teams, we had a sustainable and repeatable model. Without the partnership, we would not be able to bring to bear the ever-changing landscape of privacy and data protection legislation.
Working with our privacy team helped us to establish whether we were the data controller, which is the entity that decides what data is collected and bears the responsibility for governance of the data, or were we the data processor who acts as the entity which processes information at the direction of the data controller and is prescribed explicitly how to do so. We were able to identify that in many aspects, our products act as a processor, and so we are really looking to the data controller to set the parameters surrounding the data they have chosen to collect.
The last piece of the puzzle is really appreciate the implications to use cases. Quite honestly, use cases are often proliferated and reused. We work together not just within our organization, but also outside our organization to share experiences with use cases such as opt-in requirements under GDPR. The big takeaway is that the creation of the partnership that is collaborative allows the business to be shaped and to pivot to benefit the consumers who are building a relationship with our organizations.
The fourth consideration is labeling data and managing usage. As a part of good data management hygiene, labeling data is important. Classify your data and categorize your data using label sections the following. You can use a label such as contract, labeling and categorizing data that has contractual obligations or is related to customer data governance policies. You can label data as identity, labeling and categorizing data that can identify or contact a specific person. Additionally, you can label and categorize data as sensitive or data related to sensitive data such as geographic data or demographic data. When defining policies, create policies such as policies for email targeting and separate policies for single identity personalization, which can be extremely granular. Finally, enforce your use cases. Work with your IT or MarTech admin to learn what is already available to you.
Processes are starting to create automated tools for enforcement, violation messages and workflows via API integrations. If the process is manual today, it may be time to upgrade the solution and most platform tools have governance built in without additional cost.
One essential aspect of consumer data management is setting an expiration date on data. This both ensures that the data is accurate as well as potent. We always need to recognize that consumers are considered in market for a finite period of time and expiration windows must be set for data affected by a unique shelf life. Thus, when retaining data and creating segment rules, it is imperative to define how long a visitor or profile remains in the segment. Additionally, when retaining data, ask yourself the following questions. When should visitors fall out of a segment? What defines qualification and how can you set an expiration date on the qualification or activation? How do we process the removed aged out accounts from datasets? By addressing these questions and thinking about how your data is retained, you’re on the way towards better data management hygiene and governance.
All right, shifting to durable identifiers is a larger conversation. The transition is underway to durable identifiers is not just cookie based and is really about consent management and data protection policies and practice. Third party cookies are really only one of four identifier types and we are seeing a shift to these more durable identities. As you move from the left in the third party cookie ecosystem to the right with the hashed customer identifiers, you are graduating across the durable identifier continuum. With data deprecation on the horizon, there is an urgency for marketers to start reimagining identity, moving from device based identity to people based identities.
The seventh consideration is setting activation controls.
It is equally important that activation controls are set, as it’s essential that only relevant and necessary data leaves the consumer data platform. When sharing cookie level data to DSPs, for example, it’s important to send the correct cookie data for activation. However, when exporting personal data for reporting analysis, activation controls must be in place to ensure that sensitive data that leaves the platform is being used by those with the correct access rights. When thinking about activation controls, think about the following concepts. First is control, ensuring that there are platform level blocks in place to prevent sensitive data from leaving the platform. Secondly, is governance, ensuring that access rights and existing policies are mirrored at the platform level. And finally, think about flexibility and using controls as needed at the data source and even destination levels.
So we talked about setting activation controls and how data is exported in platform, but it’s equally important to set role-based access in platform so that admins are able to control the visibility of different data elements to specific business units. Another aspect of visibility is ensuring that users are deactivated as soon as possible so that individuals that leave various business units no longer have visibility into platform data. To enforce role-based access, different controls can be set at the user level or even at the group level, at a data source level or across the platform. Different users or groups should have different types of access on how they view, manage, create, edit, delete, or activate on platform data. Additionally, they should also have varying levels of platform and data source permissions so that they are only creating segments from data relevant to their business line. Blocking of data should also be set to ensure that sensitive data sources are blocked from some users. This is especially important when working with partners or agencies.
By setting limited visibility and blocking access to sensitive data, agencies or partners can easily access the data that is relevant to them without being exposed to personal information.
Next, develop a cadence for data audits. Data audits are a must for any data steward. At my organization, I perform data audits every time data is ingested into the platform. Data audits not only ensure that the data you’re using is accurate, but allows you to identify unused or old data for cleanup, just for good personal and data hygiene. Additionally, audits give you a chance to review your platform usage and review data sources, data types, ingestion, and activation channels. Some additional ideas for developing a cadence for data audits include setting up quarterly meetings with your IT and privacy teams, monthly reviews of data sources, ingestion, and activation channels, practicing good data hygiene by not storing or using more data than is necessary, reviewing permissions to ensure that correct access and visibility is given to each individual user, reviewing new or optimizing existing use cases. Some examples include using ingesting first-party data models or reviewing existing data partnerships. Finally, it’s a good idea to review suppression programs so that you can verify that you are suppressing audiences as intended. Additionally, you can use data audits to verify that you are only marketing to your customers that have opted in as intended.
Number 10 is the culmination of all components coming together. It is the creation of the new skills into the toolkit or toolbox, as I like to call it. Get familiar with the terms. Knowledge is power and understanding the basic vernacular will assist in the clear communication. There are common terms across regions and regulations. Under GDPR, you hear terms such as data subject, which is the end consumer, or data controller, which in many cases is the brand who’s collecting that data.
You also hear terms surrounding classifications of data, such as protected health information or Health Information Portability and Accountability Act, shortened to HIPAA, which sets practices and requirements surrounding healthcare data. It’s critical and important to understand these terms so that when you’re communicating, you’re all speaking the same language. It’s helpful to understand that many changes surrounding data protection and privacy is related to the desire of consumers. Understanding, appreciating, and honoring the consumer rights, such as access, delete, or update, will help to guide what tools are necessary to make the appropriate action occur. Technology serves to ease the requirements through customer data management platforms or consent management platforms, and even automation through APIs, which allow for automated integrations. Integrations are important across the MarTech stack, so consumers’ requests are honored. Regulatory standards continue to proliferate, so establishing a baseline gives an exceptional foundation to understanding everything from GDPR to CCPA or the upcoming CPRA. Basic frameworks are crucial to tweaking the tools at your disposal. They can include regular guidance or frameworks, such as IEDTCS. Those frameworks and guidance will help guide you as you adjust and develop your program moving forward.
Now let’s get to that checklist you can begin to leverage upon returning back to your desk. Once you’re back in the office, think about completing this checklist to begin or strengthen your organization’s responsible consumer data management. First, meet with your privacy team and confirm the guidance required for your use cases. Secondly, understand the data ingestion processes and the definition of personal data as defined by your privacy team. Third, investigate built-in governance tools that may be already available to you. And finally, begin strategic conversations by moving to durable identifiers. Thank you.
Thank you so very much for your time today. We have appreciated being here with you. Let’s go ahead and open the floor to questions.
Well, thank you, Elizabeth and Jason for that terrific and fascinating presentation. So, we’ve got time for a couple of questions today. As a reminder to everyone listening, you can submit these questions via the question tab on this platform. So, our first question is for Elizabeth. What is the difference between terminology PII and personal data?
That’s a great question. The difference between PII, which stands for personally identifiable information, and personal data is really based on region. They, personally identifiable information is actually most commonly heard in North America and predominantly in the US. Where you’ll hear the terminology, personal data, and general data protection regulation. It’s important to recognize, however, that these terms are actually starting to come together. And we’re seeing a move towards the use of personal data or personal information as we move forward to make it easier for everyone to be on the same playing field. And although it sounds like they’re super easy to understand, they do vary from regulation to regulation. So, it’s important to get the definition and guidelines relevant for your business and your use cases.
Great. Our second question is for Jason. As a DMP lead, what lessons learned can you provide to your peers as they start adding data steward to their job qualifications?
Thanks, Marjorie. That’s a great question. First, you’d be surprised at how much of these capabilities exist in the tools you already own. For example, we’re already labeling data, you know, Adobe tools, saving activation controls and TTLs, which is time to live, basically data expiration time periods. And this is a good starting point prior to reviewing new solutions. And obviously, like when you’re enacting any of these, you’re kind of already on the first step towards becoming a data steward.
But next, to be proactive about being next, you really should be proactive about being informed. This is less daunting than it seems. We are the experts looking at our orgs for data ingestion, modeling, segmentation and activation. And that’s just a step to take is being the stewards of the data governance, trouble messages and processes to other teams we work with. I check in with my privacy team often to ensure that I’m understanding definitions, guidelines and priority directives. Knowing this empowers me to manage data more effectively while proliferating the educated, while proliferating the education to do so. To do the same with my counterparts in other marketing teams as well.
All right. That will wrap there. So thank you, Jason and Elizabeth, for your insights today. I’d like to thank everyone for listening and submitting questions. Once again, I’m Marjorie Remines-Inabria from Digiday. Have a great rest of the day, everybody. And we’ll see you again soon.