Over the last couple of years marketers have been forced to rethink the way they use third party data. A study by Demandbase and Demand Metric found that four in five respondents were concerned their tech vendors could put them at risk of violating GDPR.
So, how do you manage the risk?
We’ve sought the views of data privacy experts and industry insiders to:
- Weigh up the dangers associated with third party data
- Explore the impact of GDPR on third party data use
- Establish best practice approaches for utilising it safely and securely.
Is third party data worth the risk?
Marketing leaders across Europe (and even beyond) have been forced to weigh up risk versus reward. Some opted to play it safe by jettisoning all the data out of their control and instead just relying on their own ‘first party’ data.
The thinking is understandable. Companies can be sure of their own processes and procedures for complying with regulations, but it’s rather more difficult to ensure third party data aggregators are playing by the rules.
A study by Soha Systems found that 63 per cent of all data breaches can be linked directly or indirectly to third parties. Furthermore, only 37 per cent believe they would be notified if there was a data breach at a third party.
No wonder marketers are worried! But is scrapping third party data really the answer?
There is a downside to this approach. After all, it could mean companies missing out on an important source of insight that first party data alone cannot provide. First party data is only able to look at customers and prospects already within a company’s grasp. What about those you’ve yet to meet? How can you learn about their behaviours, needs and desires?
The DMA, the trade body for the UK data marketing industry, certainly feels that dumping all third party data would be a mistake. The DMA’s research reveals that organisations reporting the highest return on their data-related investments are more likely to use third party data to enrich first party data.
Nicola Howell, Senior Compliance & Privacy Attorney at Dun & Bradstreet, agrees with the DMA. But she also says that neglecting third party data doesn’t just undermine marketing efforts but also, counterintuitively, the attempt to comply with regulations:
“We have obligations on us in the EU to know your customer. The first party data you have will not likely show you the complexities and the depth of data that third party providers could offer through providing very complex corporate linkages and corporate family trees.
“A company itself may appear bona fide, but when you widen that picture out to its corporate structure, you might find it’s loosely connected to a business you don’t want to be doing business with.”
Graham Field, Managing Partner, Digital at MediaCom UK, takes a more measured view about the value of third party data.
“For a long time there have been challenges with some sources of third-party data, as it typically provides a moment in time, a snapshot. That can be a disadvantage when you’re considering the next best action and the sorts of things that retailers want to do.
“However, there are use cases and areas where a good third-party dataset is useful. A lot of it comes down to risk and post-GDPR you would definitely want to be confident that the data had been collected with consent.”
The impact of GDPR on third party data
As Graham Field reflects:
“The number of approaches I’ve had from providers or from people who’ve been trying to sell me specific audience sets or datasets has definitely dropped in the last twelve to eighteen months.”
Has he noticed a shift in approaches to third party data since GDPR?
“I think many organisations got a bit carried away and GDPR effectively put a halt to some of those questionable practices. Certainly from a group perspective – at a WPP level – we went through an incredibly thorough process and put a lot of man hours into making sure that our systems, our people and our processes were absolutely ready for the change.”
“What that’s meant from our media buyer or media owner perspective, is that we’re seeing that some of our providers have reduced scale. There’s no question that some of the people who were offering media and inventory had reduced audiences – because those consent levels dropped. Some dropped significantly because they probably weren’t gathering consent in any useful way.”
Nicola Howell notes that GDPR has provided more clarity than under the old regime:
“If anything, companies can have more confidence in taking third party data as long as they’ve gone through the right steps. A lot of companies are appreciating the clarity and control it gives them.
“If it’s approached in a sensible and proportionate way, it does make data sharing easier. If you were sharing data lawfully under the old legislation then you should absolutely be able to share it lawfully under the new legislation.
“I think the reason why a lot of people are focused on what it’s stopping is because they’re focusing their minds on data protection for the first time and they weren’t really aware of their position under the old law.”
The industry has been forced to mature quickly. While there have been growing pains, Alex Cash, Sales Engineer Team Leader at privacy management software provider OneTrust, believes companies are getting better at understanding and managing the risk.
“The risks posed by third parties are generally better understood than they once were. I think many organisations prioritised their internal controls and governance, and now that’s in place they’re focusing on their partnerships, supply chains and relationships.”
He believes the number one problem is not only understanding who the third parties are, but also – from a data controller’s perspective – who the fourth and fifth parties are too. Data controllers need to ensure they know where their data is going along the supply chain; while processors need to know the policies and procedures that a data controller has in place to legally source data.
How to responsibly source third party data
“Data protection does not prevent data sharing, as long as you approach it in a sensible and proportionate way.”
– The ICO
Clearly, then, the key question is how do you ensure your data partners have sourced their data correctly in full compliance with the law?
It all comes down to due diligence, as Nicola Howell explains:
“I think it’s always going to be a risk if you are trading with an unreputable company. But if you are trading with, and taking third party data from, a company that knows what it’s doing in the data protection sphere, then you’ve got a very good insurance policy.”
“The key is always going to lie in your due diligence.”
A good place to start, she says, is understanding why you want to take the data and what you’re going to do with it. But you’ve also got to be asking companies some key basic questions, such as: how does your supplier comply with GDPR?
“That answer alone can be very indicative because if there is no answer forthcoming, or it takes a long time to receive, or the answer is very vague then you know it’s a risk. But if they can be very exact on particular aspects of third party data then you should feel more confident in it.”
A data provider should be able to provide a step-by-step account of the processes and procedures they have in place to ensure they are sourcing data in a legally compliant way. For example:
- Have they conducted an information audit to map data flows?
- Have they documented what personal data they hold and where it came from?
(See the ICO’s ‘Controller’s Checklist’ for a full list of questions to ask.)
While there are no official certifications under GDPR, there are some good indicators. ISO 27001 certification suggests that a company takes its obligations seriously and operates within a secure environment.
Another way of drawing on third party data safely and securely is to avoid the personal stuff. Graham Field from MediaCom is keen to emphasise the importance of using anonymised datasets which can provide insight without linking to an identifiable individual.
Customer behaviours (even public conversations) can be modelled by algorithms, creating high level insight without tracing it back to an individual. It’s this trend which interests Graham:
“The industry became obsessed with audience buying and getting personal data from third parties, because there was this incredible surge in technology, particularly ad tech, which enabled people to do it. How much better it made things we weren’t really sure, but the technology promised big things and the data was there so it seemed like the obvious thing to do.”
“What we’re now seeing, particularly with these new regulations, is that people are considering new strategies and thinking about other ways of doing things.”
The road ahead
The industry is still getting to grips with using third party data post-GDPR. But there are some key steps that organisations should be taking:
- Streamline data gathering on the areas most important to their business (and jettison the data feeds they are failing to use effectively)
- Perform due diligence on third party data providers, taking on-board ICO guidance and demanding specific and detailed assurances.
- Consider a more varied approach to data that combines first party and third party data, with the latter being a combination of anonymised datasets as well as personal data if required and appropriately sourced.
GDPR has not augured the end of third party data, but it is demanding a far more responsible approach to gathering it. Arguably, this is the case not just in the UK and Europe, but also further afield as legislators attempt to follow suit and offer greater rights and protections to citizens around the globe.
The journey has just begun…