Episode #005 - Privately on Privacy: 4 Questions Every Organization Should Ask Themselves

Recap of what I’ve learned when interviewing my guests and while talking to my clients about the impact of the GDPR on their digital analytics strategy.

Episode #005 - Privately on Privacy: 4 Questions Every Organization Should Ask Themselves

In today’s episode, I recap on what I’ve learned when interviewing my guests and while talking to my clients about the impact of the GDPR on their digital analytics strategy. I’ve distilled it into 4 questions that I think are relevant to ask yourself when trying to determine your next steps. Hopefully this is valuable to you! Please share your thoughts about this podcast format and the content via Twitter or LinkedIn.

This week's episode is also available on our YouTube channel.

In this episode we’ll explore the following questions:

  • How valuable is your data to you?
  • How much risk is your data worth to you?
  • How much of that risk can you minimize?
  • Do I have the right people to create the right process?
  • Do I have the right people to build or acquire the right technology?

Make sure you follow the show:

If you want to help us out, please share the link to this episode page with anyone you think might be interested in learning about Digital Marketing in a Post-GDPR world.

Talk to you next week!

-Rick Dronkers

Transcription Disclaimer
PLEASE NOTE LEGAL CONDITIONS: Data to Value B.V. owns the copyright in and to all content in and transcripts of the Life after GDPR Podcast, with all rights reserved, as well as the right of publicity.
WHAT YOU’RE WELCOME TO DO: You are welcome to share the below transcript (up to 500 words but not more) in media articles, on your personal website, in a non-commercial article or blog post (e.g., Medium), and/or on a personal social media account for non-commercial purposes, provided that you include attribution to “Life After GDPR” and link back to the https://lifeaftergdpr.eu URL. For the sake of clarity, media outlets with advertising models are permitted to use excerpts from the transcript per the above.
WHAT IS NOT ALLOWED: No one is authorized to copy any portion of the podcast content or use the Life after GDPR Podcast name, image or likeness for any commercial purpose or use, including without limitation inclusion in any books, e-books, book summaries or synopses, or on a commercial website or social media site (e.g., Facebook, Twitter, Instagram, etc.) that offers or promotes your or another’s products or services without written explicit consent to do so.
Transcripts are based on our best efforts but will likely contain typos and errors. Enjoy.

The Script:

Hey, everyone. I want to record this short in-between episode of the life after GDPR podcast. Where I'm evaluating what I've learned in the previous episodes that I recorded with my guests and also where I share what I've learned by talking to my clients who have all been struggling with the impact of the GDPR and after recent rulings about specifically Google analytics by the European data protection authorities. And how they should handle this new framework, these new realities that they have to deal with when it comes to their digital analytics to their digital marketing.

I've distilled it into, four questions that I think every organization should ask themselves. And at a high level, the four questions are.

Question one. How valuable is your data to you?

Question two, how much risk is your data worth to you?

Question three. How much of that risk, can you minimize

and then question four. Do you have the right people who can create the right process and either build or acquire the right technology?

And these are of course four very extensive questions. So want to dive a bit deeper into them, but I think these questions are the ones that you should ask yourself and that you should dive into with your company in order to evaluate how to handle this going forward.

Question 1: How valuable is Your Data to You?

So question one, how valuable is your data to you?

I think there's, two ways to approach this. First of all, how are you currently using data? When I talk about using data, usually what I show my clients is this probably well-known picture which shows line going up into the, right corner. And it describes four phases of how to use data. So one is descriptive. The next phase is diagnostic. Predictive and then prescriptive. So descriptive and diagnostic are mostly looking at either the past, or the current situation. And then predictive and prescriptive are trying to look at the future. So trying to look at something that has yet to happen or something that you want to try to *make happen.

So with descriptive analytics, you're simply describing what has happened in the past. So let's take a website, for instance, if you're simply reporting on, we had this many visits, we had this many transactions. This was our conversion rate. That's descriptive analytics.

Diagnostic analytics would be something more where you turn it into a use case of we see a dip of minus 5% in our conversion rate compared to the same time period last week. Automated alerting would be a, case of diagnostic analytics. So then, you're already, instead of simply reporting numbers, right? So this has happened. You're trying to give some more context and trying to perhaps highlight insights.

And when it comes to predictive analytics, You're trying to look at. How, you could use your digital analytics stack, to foresee what might happen when you do. A B or C, right? If you see a certain product category did very well last summer than you might expect that it would do very well this summer. And thus, you might. Order more of those products so you have a bigger stockpile, right?

This will be a very simple version. And then prescriptive would be that you are actually taking that to the next step when you were actually trying to use the data to influence the outcomes, right? So you're trying to influence. For instance, that product category.

If you look at them from another angle, it's hindsight insight, foresight, right? So hindsight looking back, insight look the current, what has happened and in foresight, what might happen? What might happen if we push. If we push on this, what might happen if we push on that?

And I think the more you move towards predictive, prescriptive and foresight. The more value you're likely to get from your data. Because in the end data is never valuable by itself. Data always requires some form of action. And that form of action. Needs to generate some results. You're maybe your analyst gets smarter simply by looking at reports, but your company does not get any better. If the analyst does not turn their newly inquired insights. Into. Some form of action. That generates a result for your company.

So the other part that you can think about when you're, when you ask yourself the question, how valuable is data to you? Is, can you turn your data into value? So do you have the people. Do you have to process. And do you have the technology to do that? If, you are still very much working with descriptive analytics, if you're working a lot with hindsight analysis, and if you do not have a lot of people or a process that allows you to actually optimize for the future. Then...

the amount of value you are able to get from data is also limited. Of course, it does not mean that you cannot change as a company, but it is something to keep in mind that if these constraints are there, then. You have to be honest with yourself, like. How much value can I actually get from data? Because simply staring at reports is... it's not generating any value.

So that's the first question. How valuable is data to you? And maybe you could create two categories, how valuable is data to you right now. And how valuable do you wish data would be to You If you had the right people, the right process, the right technology. But those are two separate things. And then if you're looking into the future, you also have to take into account.

How much time and effort, it will take you to get you there.

Question 2: How much risk is your data worth to you?

And then once you have figured that part out then it's interesting to look at how much risk is your data worth to you. And this is the, this one has changed a lot. Because of the GDPR and because of privacy laws worldwide.

Because before there was no risk attached to storing data. You could just take the approach of install, whatever tool we want. Whether it's Google analytics, Adobe analytics, or it doesn't really matter what. We install it and capture as much as possible. And then we'll figure it out later. What we do with it. Now, first of all, it's probably not a wise investment of resources, capturing all the data.

And also usually when you capture all the data, then nobody is inclined to actually use it properly. When you have an intent of capturing it for a certain reason, you're more likely to actually also use it. But besides those points right now, there's a new added risk, right? You cannot simply collect all the data.

Without having a plan of how you're going to use that data and also documenting what you're using it for, and also getting the proper consent, if needed, from the user, when you collect the data. There's now a  risk attached to collecting data. And what you need to figure out is how, much risk is there and if that stacks up to the value you can get from the data, which we just discussed in the previous question.

So things to think about  when we're talking about the risk of the data is first of all really, practically: how large of a fine could you get under the GDPR? You could check that with a privacy lawyer who is an expert on that.

How big could the PR impact be of getting a GDPR fine. Getting these complaints.

How big could lost consumer trust in your company, be . Maybe The long-term effect of it.

And also. If you're afraid that you will be forced to stop using, for instance, Google analytics within a year. How big will the switching costs be if you have to switch to another technology within that year. So that's also some form of risk that you have to categorize. So those are things  to think of that you want to write down and figure out what your team.

Question 3: How much of the risk can you Minimize?

And then the next question. Is how much of that risk can you actually minimize? Because. Sure. There are risks, but there are also a lot of options available to you, especially when you look at it through the technical lens. But also true to the organizational lens.

Figure out what, data collection can you either eliminate? So what data collection is truly needed and by eliminating the rest actually minimize the potential risk you expose your company to. Because if you don't collect the data, you also don't have the risk associated with, that data.

What data collection can you minimize? I'd say in a lot of cases If, you just need data to do a analysis on how people use your tool, but you don't actually need to use a need to know who these people are. Then. Fully anonymizing the data and stripping everything away from it that could be identified to any person. Would be a very smart idea, right? Because. If you really don't need it, if you've decided you only use it for like product analytics. Let's call it. Then please be, smart and eliminate everything from the data that you don't need.

So you could also look at data collection. Like you could look at obfuscation, you could look at hashing, you could look at detaching, certain data sets from each other that would allow a third party processor to stitch together users. If you wouldn't detach it. There's all these checks and balances that you can build into your setup that would minimize the risk. So these are interesting things to look at.

And then One of the top things to do is create your own data collection endpoint. Something like a server side tag manager. A solution where you are fully in control of the data you collect from your own first party website, app. And you're also fully in control of the end point where you sent that data initially. So the server side tag manager container. And then within there you have the ability to strip out everything before you send it to these third parties. So actually that's another. Another check and balance that you can introduce into your setup. That allows for. More control and also a more granular way of collecting data.

And then. Can you also clearly document your collection process and be transparent about it, both to visitors, but also to auditors. Alright cause. We're increasingly creating a more complex solution. If you decide that you want to use the data and that it's worth the risk. Then you're going to move towards a more complex solution. And then one of the additional steps will be that you will have to, both for your own sanity sake, but also, especially for when you get an audit and also towards., visitors for transparency. You want to be able to document what you are collecting, how you are collecting it, where you are storing it. Who is sub processing it like the whole flow of how you collect data?

This is going to be needed. So, take this into account and it's also form of risk minimization because once you document it clearly, and once you keep that up to date You're also able to see for yourself where the weak spots might be in your collection strategy. So that's the question on how much risk can you minimize?

Question 4: Do you have the Right People, Process & Technology?

And then the fourth question. It's actually already a little bit of, part of the first question is, do you actually have the right people to create the right process? And to either select or build the right technology.

From a people perspective.

In the episode with Steen Rasmussen we talked about. The management buy-in. This is something that. It's essential right now . In the last 10 years, it would be common that a digital analytics professional at the lowest level in the company would be responsible for implementing the tools, picking the tools because if you implement a free tool like Google tag manager and Google analytics on the website, there's no executive decision to be made. They just say, we need the tool the tools free. People say, yeah, that's fine. Implement it!

For a lot of companies, there's nobody who's actually responsible for implementing the tool. Which is bizarre if you think about it, but  it is how things work in business right now. So implementing something on the website a lot of, companies don't have somebody in management who signs off on what is implemented on the website.

And you need people to, be responsible for that because every tool you implement will have an impact on your data privacy aspect of your business. So getting somebody involved from a management level. Who carries responsibility is going to be essential.

Another person that you probably need. If, data is valuable to you, and if you decide that you're going to figure out how much risk you can take for the amount of data that is that you want to collect, and that is valuable to you. Then likely you also want to have a data protection officer, who is in charge of the documentation, the orchestration together with the technology, all the legal contracts with all the sub processors. Who can just be the lead in this project. That's another cost that you want to add to. Evaluating, whether the data is valuable to you. And if this is worth it

And then do you have a data engineer or an analytics engineer or somebody who has a technical background or is technical enough to make this work. Who can make sure that the implementation of your consent management platform together with your tag management platform, together with your backend CRM.

That everything is connected that it works that it's functions as designed as intended. That's another costs that is additional in a sense that this person will have new tasks to complete, besides simply just adding new tags and adding more marketing tags and adding more analytics tracking, it will not also include making sure that the privacy aspect of all these tags is taken care of.

And then from a process point of view:

If, you are not able to work through all the steps required to go from data collection to generating value for your business and do this in a privacy compliant way and make sure that you are continuously also taking data privacy into account.

The process that you set up as a business will also have to support this. So that's also something to take into consideration, you will need to involve your data protection officer, with your marketing department, whenever you set up new campaigns that require new types of tracking, or that use new pieces of data from users.

These are all things that you need to take into account and that they also all incur extra cost, right? Whether it's just on the people side, the time side. And sometimes on the technology side.

Once you've figured those questions out

And then once you've answered these four questions, right? So you, figured out how valuable is data to you. How much risk is your data worth to you? How much risk can you minimize? And do you have the right people, the right process? Then you can figure out. What type of technology do we want to use?  Technology, both from the vendor point of view. So who supplies the technology? Whether it's Google or whether it's some open source self built.

It's both from the vendor point of view, but also from the technology itself, point of view and of course tied to every choice in technology there's also features that allow you to potentially generate more value.

Let's say if you decide to go for Google analytics and you're an EU based company. Let's say you're a heavy advertiser. And you figured out that the integration of Google analytics 4, with the advertising suite, which you heavily use. It generates so much value for your marketers because they are able to quickly create an audience in Google analytics. Use that in Google optimize for testing. Use it as a remarketing audience in DoubleClick and in Google ads. You figured that this value, that this creates is essential to you and maybe your, people are already used to it. So the cost of switching is also something that you save by not switching. So you decide that the data has a really high value to you.

You figured out the risk and you looked at minimizing the risk by implementing all the privacy features of Google analytics. Implementing server side tag manager and making the collection and the consent process really transparent. And of course you still have a risk, right? it could still be that google analytics truly becomes illegal across the EU. But at least. You've taken all steps that you could, you can also show this  to any data protection authority that that might knock on your door. And if push comes to shove, you still have the option to switch to something else.

You've made a clear plan of: what is it worth to me? What are the risks and what are we going to do to minimize those risks? And you see how your people can actually use that data to turn it into value. So you actually know what the data is worth to you and where it generates value.

Let's take another scenario. Let's say you have Google analytics implemented. But you actually do not advertise that much. And you use Google analytics. Mainly for looking at how many visitors did your blog post get?

In this case. How valuable is the data to you?

Not that valuable, right? Because you're not directly generating any direct value from the data itself, you're mainly using it in a descriptive diagnostic way. But how big is the risk? The risk is just as big, right? Because it's still Google analytics on a EU based website. You could minimize it, but then the risk is still there.  You could use server side tag manager. But the risk would still be there.

And then. The choice for a different technology becomes really obvious, right? Because why would you risk using Google analytics on your website? And the risk of GDPR fine, and a PR impact. If you don't get any benefits from Google analytics in this case.

Why not go with matomo or simple analytics or there are so many tools out there right now that can easily show you how many visits your blog posts got. And how well your blog posts are doing. That have. Either no, or almost no risk tied to it. So the cost-benefit analysis becomes really clear in that case.

And so maybe the only incurred cost is that your people have to learn how to use a different tool. Which in this case, if you're only looking at the statistics for a blog post, you're going to be okay.

And of course, these are two really clear cut cases. And in most cases it's going to be somewhere in the middle, but I think you have to have this discussion together with  a C level person who is. In the end when, push comes to shove, who is responsible for these kinds of things, when you get a fine.

So we can push on the risk side of things and then your marketers and , your digital marketers and your  website content people. Who should be getting the value from the data. And figure out. Which path you should take as a company.

In Closing

So this is a discussion that's I've been having with my clients as well. And. By having these conversations on the podcast. I got a better framework to look at it. So hopefully. Going forward with new rulings by European data protection authorities and also with the new transatlantic data protection framework, we get some clarity on  what the future looks like.

But I suspect. That we're far from done. I suspect that there will be a new framework and then there will be a Schrems III and then we are back to the drawing board. So I suspect that this topic will stay relevant. So I think it's important to have these discussions internally and  to just decide  is the risk of using something like Google analytics and I think it will be more than this, right? It will be facebook tracking it will be. Whatever tool, right? In the end, these things will go broader than just Google analytics, but Google analytics right now is the focus.

You have to figure out how valuable is it. How, much risk is tied to it? How much risk can you minimize? And then do you have to process and the people and the technology in order to actually get the value from the data, right? So you have, how valuable is it in theory and how valuable is it in practice? Then you can, decide. What's the right path forward for you?

So hopefully this helps a short in between episode. Like a recap of what I've learned and what I've been discussing with clients. Yeah, be sure to let me know on social media, what you thought of this. And if you like episodes like this in between the interviews. And we'll talk to you next time.