Consumer Rights Management and GDPR Overview - Salesforce DMP

Transcription

1 Consumer Rights Management and GDPR Overview - Salesforce DMP How Salesforce Accelerates Compliance & Customer-Centricity with GDPR Maxwell Anderson, Director Product Management Debra Kadner, Sr. Director Product Management

2 Agenda 01. Revisit Solution Components 02. Review Technical Options 03. Product Demo 04. Implementation Best Practices 05. Further Resources & Questions

3 Key Areas of Focus Four key areas of focus across Salesforce Marketing Cloud & Salesforce DMP Right to be Forgotten Consent Management Restriction of Processing Data Portability

4 Salesforce Commitment to you... We are not your legal counsel - but we are your trusted partner. -Ourcommitment to you is we are going to give you a toolkit that empowers you to make decisions about policy that meet the needs of your business and your customer.

5 Key GDPR Terms & Concepts

6 Physical Entities Overview Processing Internet User ( Data Subject aka consumer ) Processing AWS for Salesforce DMP ( Sub-Processor ) DMP Customer ( Controller ) You Processing Salesforce ( Processor ) Salesforce Data Subject : individual the Personal Data relates to (aka consumer) Controller : primarily responsible for Privacy compliance (aka DMP customer) Processor, Sub-processor : act upon instruction of Controller; also responsible for Privacy compliance Processing : any handling of Personal Data

7 Actions Overview Consumer Rights Management features introduce four new actions in the DMP Salesforce DMP Action Action Meaning Action Response Provide Consent (set) Used to set consent information for a given user input. Blacklists for downstream activities updated. Get Current Consent Status (get) Used to get consent information for a given user input. Consent settings provided to requester. Delete Data (remove) Used to request data deletion for a user. All data deleted in DMP, all consent settings set to false. Get User Data (portability) Used to request all data for a given user. Specific data feed created and delivered to customer via S3.

8 Methods Overview 5 methods exist to request Consumer Rights Management actions </> API SDK JS Tag File DMP UI

9 Action Impact Overview When an action is taken, what does it apply to? 1 Device Level Defaults 2 Bridge Key Level Actions Supported Action Request Customer ID / User ID / Bridge Key 3 Predictive CDIM Actions Not Supported Device 1 Targeting = YES Device 2 Targeting = YES Device 3 Targeting = YES

10 Action Impact Overview When an action is taken, what does it apply to? Device + Organization Organization Linking Supported Legal Standardization Requirements Customer responsible for ensuring legal standardization across organization / organizations.

11 Consent Management

12 Consent Flags Overview DMP functionality gated based on consent for 6 activities Salesforce DMP Term Interpretation Data Collection Collecting and storing events. Targeting Sending a device to a 3rd party for campaign execution or other uses. Analytics Any processing of data. Cross Device Using data to link one device to another. Sharing Data Sharing data or linkages with 3rd parties. Reidentification Taking data collected with a pseudonymous or anonymous key and merging it to a PII key.

13 Consent Management Basics 1. All devices in each organization must have a consent setting for all flags - null consent is not possible. 2. Customer responsible for obtaining consent and passing the consent to the DMP through one of the 5 methods. 3. Regardless of customer actions DMP functionality is gated based on consent settings for each device within each organization.

14 Understanding Consent Sources First Party Direct Consent: - Direct consent obtained directly from a consumer and passed to the DMP - Highest signal quality - Applies to - Files - SDK - API - UI

15 Understanding Consent Sources Second Party Indirect Consent: - Used when direct consent is absent - Inherited from customer defined configuration - Applies only to users in - ad_impression.gif heartbeat.gif DT 2.0 media_analytics.gif event.gif

16 Understanding Consent Sources Third Party Indirect Consent: - Used when second party and first party consent do not exist - Applies to all users from 3P data providers - Data providers contractually obligated to provide consented data for - Targeting Analytics

17 Understanding Consent Sources Industry Opt Out: - Addresses opt outs from NAI, DAA, and DMP Privacy Page - Applies across all organizations - Trumps any other consent source

18 Unknown Consent & Policy Regime Unknown consent is interpreted differently based on policy regime Policy Regime: A specific set of privacy policy regulations that apply for a specific device. ` GDPR Global Standard

19 Policy Regime Association Each device has an associated policy regime within each account, but how? All devices in account associated with a single Organizat ion Level policy regime. Each device in account associated based on geographic region OR customer designation. User Level

20 Unknown Consent - Policy Regime Based Defaults Consent defaults are assigned based on policy regime in absence of other signals GDPR Global Standard Data Collection: Data Collection: Targeting: Targeting: Analytics: Analytics: Cross Device: Cross Device: Data Sharing: Data Sharing: Reidentification: Reidentification:

21 Consent Resolution Hierarchy Consent is based on the most recent signal from the highest priority consent source Industry Opt Out Example 1: First Party Consent Used Priority First Party (Direct) Second Party (Indirect) 3rd Party (Indirect) Unknown Recency

22 Consent Resolution Hierarchy Consent is based on the most recent signal from the highest priority consent source Example 2: Second Party Consent Used Industry Opt Out Priority First Party (Direct) Second Party (Indirect) 3rd Party (Indirect) Unknown Recency

23 Consent Resolution Hierarchy Consent is based on the most recent signal from the highest priority consent source Example 3: Third Party Consent Used Industry Opt Out Priority First Party (Direct) Second Party (Indirect) 3rd Party (Indirect) Unknown Recency

24 Consent Resolution Hierarchy Consent is based on the most recent signal from the highest priority consent source Example 4: Opt Out Honored Industry Opt Out Priority First Party (Direct) Second Party (Indirect) 3rd Party (Indirect) Unknown Recency

25 Consent Conflicts Some consent signals have dependencies which can result in conflicting consent settings Conflict Example: Analytics Targeting, Cross Device, Data Sharing, and Reidentification all depend on positive analytics consent. Targeting Cross Device Data Sharing Reidentification A device cannot consent to targeting without consenting to analytics.

26 Consent Conflict Resolution Some consent signals have dependencies Analytics Analytics Positive R esolution Targeting Cross Device Data Sharing Reidentification Negative Resolution Targeting Cross Device Data Sharing Reidentification

27 Consent Backfill Overview Optional method for addressing day zero population fluctuations 1. All devices in account set to consent settings per designation in UI. This can be based on your interpretation of rights / consent from pre-gdpr worldview. 2. Helps ensure populations stay high while you work through consent implementations. Settings applied once, and never repeated again. 3. Customer responsible for defining with their legal team which approach makes sense.

28 Data Deletion & Portability

29 Data Deletion Overview - After requested ALL data in the DMP is deleted for that account - Data not deleted includes consent history (aka audit logs) and BK-KUID relationships - this is due to audit purposes

30 Data Portability Overview - After requested ALL relevant raw data in the DMP will be delivered to customer for the requesting user - Files delivered within 14 days - Customer responsible for delivering to the consumer / data subject

31 Method Overview

32 Methods Overview 5 methods exist to request Consumer Rights Management actions Considerations when determining the appropriate method Ease of implementation effort and maintenance (automated vs manual) Speed of processing consent signal (real time vs batch) Dependencies (requires existing DMP infrastructure or not) Real-time API SDK JS Tag DMP UI File Batch Manual Automated

33 Method: API, SDK, and JavaScript Consent Tag API, SDK and Consent Tags are the recommended method for passing consent signals where possible Ease of implementation Fastest processing of consent signal Recency rules inherently reflect the user preference Krux('ns:mynamespace', 'consent:set', { idt: 'device', dt: 'idfa', idv: '6D92078A BA4-AE5B E7DC', dc: true, al: true, tg: true, cd: true, sh: false, re: false }); Note: Consent Tags require DMP Control Tags on page

34 Method: Consent File File uploads are supported, but put ongoing burden on the organization to ensure timely delivery and proper file format Consent files uploaded to S3 Only records in valid format will be processed Data is processed daily, so requests are not registered until after processing is complete Recency will be determined by the record timestamp (if submitted) or the processing timestamp of the file device^kxcookie^abcdef123^set^global^dc=1&tg=1&al=1&cd=1&sh=0&re=1^ device^idfa^6d92078a ba4-ae5b e7dc^set^gdpr^dc=1&tg=0&al=0&cd=1&sh=0&re=0^ bk^ _sha256^f660ab912ec121d1b1e928a0bb4bc61b15f5ad44d5efdc4e1c92a25e99b8e44a^remove^^^

35 Method: DMP UI DMP UI requires manual administration, and recommended only for one-off cases This method is intended to support set, remove, and portability requests coming via other sources such as support tickets Manual recording of identifiers in UI is inherently error-prone Recency will be determined by when UI Administrator clicks Submit

36 Audit Logs Overview - All activities triggered (regardless of method) are stored in audit logs - Audit logs delivered to customer daily (S3) and can be used for troubleshooting or general auditing Device: idt^dt^idv^kuid^orguuid^consentsource^ts^{flags}^action^pr^prsrc^ip^reqid Bridge Key: idt^dt^idv^kuid^orguuid^consentsource^ts^{flags}^action^pr^prsrc^ip^reqid

37 UI Demo

38 Implementation Best Practices

39 Implementation Key Takeaway You MUST pass consent signals as functionality will be gated regardless.

40 General checklist and timing of activities May 25, 2018 Daily/Weekly INITIAL SETUP Define company approach and collect consent Define company approach to GDPR Setup and confirm organization configuration settings Select and implement UX for consent Connect consent experience to the Salesforce DMP Review SuperTag and mark applicable tags Ad hoc REVIEW & ADJUST Modify default settings/approach if required View Consent Reports to understand consent distribution Monitor populations within the DMP for population drop-offs Adjust configuration settings based on risk profile and population sizes ONGOING MAINTENANCE Revisit settings with changing business Link any new organizations during the DMP implementation phase Change Policy Regime Association based on new regulations Ensure SuperTags are marked correctly for data collection where applicable

41 Review/Confirm Default Settings INITIAL SETUP - Policy Regime Association = User Level, GDPR Conflict Overrides = Consent flags set to false to avoid conflicts Non-consented data collection via 2nd party sources will be deleted nightly 2nd Party Consent Defaults = data collection, analytics, targeting, cross device are true, data sharing and reidentification are false (same as Global Standard Policy Regime defaults)

42 Linking Organizations INITIAL SETUP How are organizations delineated and managed? Do organizations span different policy regimes? Is consent management centralized? BU 1 Example 1 Example 2 Parent Org Parent Org BU 2 BU 3a BU 3b Market 1 Market 2 Market 3 Market 4 Market 5

43 Defaults Determine Data Flow and Usability INITIAL SETUP Thoughtful implementation can mitigate collection risk Collection Filter Best Practices Policy Regime Association Consent Conflict Resolution 2nd Party Defaults User True All On Org & GDPR False All Off Reduce Unknown devices by getting consent, and using user level setting instead of organization level Deploy clearly-defined privacy page to reduce the likelihood of conflict Drive 1P traffic to explicitly obtain consent

44 Importance of Backfill Settings Vary by Implementation In the absence of backfill, devices will be considered to as unknown Setting Influence Segment Lookback Window Amount of Historical Data Return Visitor Status 180+ days Large Seldom 90 days Small Often Real-time segments and short-term windows don t rely on rich historical data Newer implementations have less historical data Frequent visitors provide quick opportunities to get consent post May 25 INITIAL SETUP

45 Select and Implement UX for Consent Requires coordination across legal, UX team, technical team, DMP Administrator INITIAL SETUP Determine consent model Create UX around consent Document mapping between privacy page and consent signals Determine process, SLA and audit records required for obtaining and passing consent For File and UI-based consent process, determine owner and process for passing consent </> API SDK Salesforce DMP Consumer Rights Management S3 UI

46 UX Implementation Considerations INITIAL SETUP Showing user current settings requires GET consent method 4 hour deltas between SET and GET showing the recent settings via API/SDK/JSTag Complete consent queries are required else default to false - consider implementing a save button with checks to avoid possible conflicts and partial sets Contemplate SLAs in defining UX

47 Specifying and Connecting Consent Model Determine the level of consent granularity that is appropriate for your business 1:1 Consent Model Example 1:Many Consent Model Example Hybrid Consent Model Example Please provide your consent to the terms and use of this website Please provide your consent Please provide your consent Data Collection Analytics Targeting Cross Device Data Sharing Reidentification dc: 1 al: 1 tg:1 cd:1 sh:0 re:0 I agree dc: 1 al: 1 tg:1 cd:1 sh:1 re:1 Interest-based advertising Cross-device ID Matching dc: 1 al: 1 tg:1 cd:0 sh:1 re:1 INITIAL SETUP

48 Ensure Process Covers All Consent Modes Define approach and determine consent model Document process, Consent mapping, Consent audit trails, and SLAs for offline requests INITIAL SETUP Maintain audit logs Build UX Implement API/SDK/JS and Connect to UX DMP ADMIN Train DMP Admin on Consent UI Fulfill requests via UI OFFLINE TECH ONLINE TECH UX LEGAL May 25, 2018 Establish S3 Access and File Specs Upload Files as requested

49 Stepping through implementation scenarios How setting defaults and implementation decisions affect data flow and population size What is your main source of traffic? (1P / 2P / 3P) Where does your traffic originate? (EU / Other) Are you planning on passing consent? (Y / N) You MUST pass consent signals as functionality will be gated regardless.

50 Scenario 1: Tight defaults, no consent integration Populations will be dramatically reduced Consent Source 1P Traffic Source EU & Other Policy Regime Level Organization Data Collection: Analytics: Targeting: Cross Device: Policy Regime GDPR Passing Consent N Backfill Set N Data Sharing: Reidentification: All traffic is treated like EU, and in the absence of consent, all flags are set to FALSE

51 Scenario 2: Standard defaults, no consent integration Data collection and use will vary based on organization traffic Conset Source 1P Traffic Source EU & Other Policy Regime Level User Data Collection: Analytics: Targeting: Cross Device: Policy Regime GDPR Passing Consent N Backfill Set N Data Sharing: Reidentification: 30% traffic originating outside EU will follow Global Standard consent flags

52 Scenario 3: Standard defaults, backfill, no consent integration Backfill settings defaults will influence data capture and use Consent Source 1P Traffic Source EU & Other Policy Regime Level User Data Collection: Analytics: Targeting: Cross Device: Policy Regime GDPR Passing Consent N Backfill Set Y Data Sharing: Reidentification: Backfilling allows for more devices to be counted for consent

53 Scenario 4: Establish backfill and pass consent Backfill and consent efforts allow for more opportunities for data capture and use Consent Source 1P Traffic Source EU & Other Policy Regime Level User Data Collection: Analytics: Targeting: Cross Device: Policy Regime GDPR Passing Consent Y Backfill Set Y Data Sharing: Reidentification: This assumes all devices came to 1st party property and ⅔ accept 1P consent across all flags

54 Scenario 5: Pass consent despite limited EU traffic Consent efforts in place, but EU unknown devices not appropriately treated Consent Source 1P & 2P Traffic Source EU & Other Policy Regime Level User Data Collection: Analytics: Targeting: Cross Device: Policy Regime Global Standard Passing Consent Y Backfill Set Y 2P traffic drives consent across some devices Data Sharing: Reidentification:

55 Scenario 6: Rely on defaults but may have legal implications 2nd party defaults drive consent, but EU unknown devices not appropriately treated Consent Source 1P & 2P Traffic Source EU & Other Policy Regime Level Org Data Collection: Analytics: Targeting: Cross Device: Policy Regime Global Standard Passing Consent N Backfill Set Y Data Sharing: Reidentification: New 1P devices are assigned Global Standard consent flags, irrespective of location

56 Review SuperTags for Data Collection INITIAL SETUP Train DMP SuperTag Administrator(s) on new SuperTag control Plan a tag audit and review process in advance of the May 25th timeline based on the number of tags your company is firing via SuperTag Update your tag deployment process to includes data collection reporting and verification Determine any additional audit trail you may want to maintain for inbound tag deployment requests

57 Monitor Reports and Populations Post-launch DMP population drop-offs may illuminate gaps in consent framework What is the consented population? Are the defaults correct? Is consent resolution appropriate? Are organization links constraining non-eu business? REVIEW ADJUST

58 Revisit Settings Based on Changes in Business Changes should be made ad hoc based on changing business needs New organizations may need to be linked Defaults may need to be adjusted SuperTags should be evaluated and audited Parent Org BU 1 BU 2 BU 3 Market 1? BU 3 Market 2 ONGOING

59 DATA INGESTION AUDIENCE ANALYTICS AND SEGMENTATION Build audience segment with 1st party data X X X X X

60

61 Data Rectification GDPR Article 16 The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

62 Data Subject Request The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to that personal data and certain other information, such as the purposes of the processing and the recipients of the personal data, among others. GDPR Article 15

63 Security GDPR Articles 32 The controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

64 International Transfers of Data GDPR Articles Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country (i.e. outside of the European Economic Area) shall take place only if: - that country has received a decision from the European Commission that it is deemed to be adequate ; - there are appropriate legal safeguards in place (e.g. Binding Corporate Rules, Standard Contractual Clauses, etc.); or - there is an applicable derogation (e.g. consent, necessary for the performance of a contract)