ABM, Meet Your New Boss, GDPR – Part Four of Four

GDPR is set to hit on May 25th, which, depending on which source you read, is either the end of the marketing world, or a great way to increase conversion numbers on your email campaigns. Time will tell which is right, so, for now, this blog is concerned with understanding and adjusting the tactics for account based marketing (ABM) as they relate to the GDPR.

How GDPR Affects ABM Tactics

An ABM strategy usually employs a variety of digital marketing and direct marketing tactics, so it’s important to look at each one closely at how it might be affected by the GDPR. Keep in mind that the rules around the GDPR are still being finalized and interpreted, and this blog is written by marketers, for marketers: you should consult with your legal team and security officer for specific direction and guidance on how these rules may affect your organization

Solve for GDPR

For our company’s GDPR readiness, Treasure Data’s own ABM initiative was put to task by our very own product – the Treasure Data enterprise customer data platform (CDP). Using our own solution for GDPR has been exciting for both sales, marketing and product teams. Being that we have less than 250 employees, we aren’t subject to the GDPR yet so we didn’t HAVE to do this, but it was great seeing how our CDP works in the areas of database segmentation, opt in / opt out management, inbound leads, cold emailing and more.

This is a 4-part blog series covering how we achieved GDPR readiness. Over the month of April we will release the following sections:
Part One: Segment and Sync Your Databases, Consent, List Vendors
Part Two: Inbound Leads, Managing Opt in /Opt out
Part Three: Outbound Marketing Tactics
Part Four: Advertising

Or, download the entire white paper here.

Advertising

In our Marketers Guide to the GDPR, we cover different forms of digital advertising but this blog will focus on corporate IP targeting since that’s a popular topic in ABM.

-IP targeting

IP targeting comes in two forms:

1. Targeting the IP address (or device ID) of the individual user
2. Targeting the IP address of a corporate office

In the case of targeting an IP address (or device ID) of an individual user, you need to refer to how you handle cookies: an opt in pop up, with a link to terms and conditions outlining what the data will be used for, and linked to a page at which contacts can opt out or ask that you delete their information entirely.

IP targeting on a corporate office is still OK, but there seem to be some nuances. The current interpretation seems to be this: If you’re simply targeting the IP address (or a range of them) for a corporate office, you’re OK. Since this is a common tactic, this should come as a relief for many marketers.

If, however, you are using both IP targeting for a corporate office and using filters like “job title,” then it becomes a bit of a gray area. The rules on this are not 100% clear, but GDPR is built to protect personal information. It could be argued that a combination of IP address and professional titles can be traced back to an individual, so you might be in trouble. Our opinion is that you should take a “wait and see” stance for now and revisit this tactic once its application becomes clearer over time.

Data management platforms (DMPs)

By most accounts DMP service providers will need major changes to their operating procedures because of GDPR. From our interpretation, they carry a lot of additional risk because they frequently serve as a data processor for your data vs. a data controller. Let’s look at a few common scenarios for DMP service providers and how this might play out with GDPR.

-Programmatic advertising and DMPs
If you provide contacts to your DMP partner for programmatic advertising and you remain the data controller, the GDPR compliance burden is on you, not the DMP. So, if you’re going to do this, you need to make sure that you 1) outline the use of this data in your terms and conditions 2) provide only “opted in” contacts to the DMP and 3) have a mechanism for processing opt out requests that come from the contact through the DMP.

In addition to that, DMP service providers often also work with demand-side platforms (DSPs) and trade desks to source and fill ad inventory. Again, each one of these handoffs extends the data processor network and introduces a potential point of failure for which you, as the data controller, will be responsible.

If you’re going to go down this route, you should ask for an outline of the DMP’s data network, including where the data is stored for each part in the chain, what kind of encryption is used, and how opt outs will be passed back to you.

There are a lot of moving parts to this type of advertising and a lot of potential risk, so we at Treasure Data are taking a “wait and see” approach.

-Lookalike audiences and DMPs
This seems like the safest way to engage with a DMP service provider for the short term as you’re not passing any personally identifiable information to the DMP and therefore forcing the DMP to take on a role of a data controller. The flip side to this is that the data received back from the DMP will be high-level and general, which will prevent you from further targeting any individual contained within the DMP audience segment.

Of course, a DMP could provide more detailed information to you from contacts that went through an “opt in” process so that you could do more accurate targeting. This assumes, however, that the data from the DMP is clean and that’s a big risk as you’re going to be the one targeted by a fine if you retarget someone who did not opt in. Given that, it seems like this is another area where you’ll want to wait and see what happens.

-DMPs and data breaches
GDPR mandates that any data breach of personally identifiable information (PII) must be communicated to anyone who might have been affected within 72 hours. When dealing with a DMP partner and its larger network of partners and data processors, you need to make 100% sure that the DMP is as secure, if not more, than you are, and that the DMP has processes in place to communicate a data breach in time for you to meet the 72-hour deadline.

Remember, you’re the data controller in this scenario, so you carry all the risk.

Conclusion

The GDPR will require dramatic changes across cold emails, programmatic and targeted advertising, as well as how opt in / opt out processes are managed. However, cold calling, direct mail and lookalike advertising should remain “business as usual” for now.

The most important things you can do now are the following:

• Ensure all your different prospect and customer databases have consistent communications preferences fields that are synced daily
• Run an opt in / permission passing campaign for your current EU / UK contacts
• Update your lead capture forms and cookies to be opt in
• Revisit your programmatic advertising and strongly consider stopping any channel that relies on PII that you do not directly control
• Create a landing page on which contacts can see what data you’ve collected, and which automates opt in, opt out and “forget me” requests from a central location. If you need help on this one, you should talk with Treasure Data.

As with all things GDPR, caution and due diligence is advisable. Certain rules around GDPR are subject to interpretation, and will likely evolve over time. It’s best to consult with your own legal team and security professionals for specific direction and guidance on how GDPR may affect your organization.