The balance between data privacy and personalized marketing

- By Kyra Kuik - May 20, 2019 Data Privacy

How we view data and our data privacy has dramatically evolved in the last few years. The EU’s GDPR gives us unprecedented rights over our personal data and the type of data companies can collect and store. While GDPR has received a lot of the press attention over the last 1-2 years, there have been a host of other data privacy regulations passed in California, Brazil, Hong Kong, Israel, Peru, and more.

One thing is clear: Data privacy is here to stay. Companies must bake data privacy into their processes, products, and marketing strategies.  

Data privacy laws around the world, according to global law firm DLA Piper  

For marketers, it can feel especially overwhelming to figure out what’s permitted or not under the new regulations. But instead of feeling limited by the new regulations, marketers should view this as an opportunity to run more personalized and higher quality marketing campaigns.

As we’ll discuss below, the new regulations inherently require that companies use higher quality data. As data quality increases, so does your ability to understand the nuances of your customers’ preferences, allowing you to communicate in a more personal and accurate way—which, in turn, drives customer trust and brand loyalty. 

But moving from the old way of processing data to a model that uses high quality data to drive value for your customers is easier said than done. These suggestions will help you craft a better data privacy model and guide your personalized marketing efforts.  


Step one: Identify the data you own (AKA create a personal data inventory)

While this sounds like a simple task, there’s likely a lot of data to sift through. To be clear, GDPR and other data privacy regulations don’t require that you create a data inventory or data map. However, doing so makes it much easier to figure out what you have access to, where it lives, who’s responsible for it, and the policies surrounding that data.

The first step in creating your personal data inventory is assessing your digital assets. If you’re a larger organization, there’s a high likelihood that you have multiple domains, subdomains, forms, etc., so this task might take some time. We highly recommend using an automated tool to help find and assess your digital assets. When you take inventory of your digital footprint, start with the following:

  • Domains
  • IP addresses
  • Cookies
  • Third-party behavior tracking companies (e.g. Google Analytics)
  • Social share widgets
  • Forms

After you have an overview of your digital assets, you can take an inventory of the personal data you collect through those assets. Do you, for example, collect any of the following information through your domains, IP addresses, cookies, etc.?

  • First or last names
  • Home addresses
  • Personal or individuals’ work email addresses
  • Personal identification numbers
  • Location data (e.g. location data tracking through an app)
  • Individual IP addresses
  • A cookie ID
  • Workplace or educational data

As you take an inventory of the data you collect, you should also include elements that help you qualify your data:

  • Names or titles of data owners (e.g. “Human resources”)
  • Types of data (e.g. “Job applicant data”)
  • Where to find the data within your system (e.g. “HR Intranet”)
  • Data subjects (e.g. “New job applicants”)
  • How the data was collected (e.g. “Online employment submissions”)
  • How the data is used (e.g. “Demographic research”)
  • How long the data will be stored
  • Who has access to this data
  • Policies for deleting or preserving the data 

At the end of this process, you should have an overview of your digital assets, the personal data collected via those assets, and qualitative information about your data.

Step two: Assess the purpose of the data you collect

Now that you have a better overview of your digital footprint and qualitative information about your data, you can better assess the purpose that data serves.

Stricter data privacy laws mean that companies need to integrate data protection into business and marketing practices from the very beginning. This means a fundamental shift in how marketers think—instead of collecting as much data as possible, marketers need to constantly ask the questions “Do I really need this information? If so, why?”

According to the UK's Information Commissioner’s Office, under GDPR, companies must be much more clear in defining why they need to collect and process data:  

  • You must be clear about what your purposes for processing data are from the start
  • You need to record your purposes as part of your documentation obligations and specify them in your privacy information
  • You can only use the personal data you collect for a new purpose if it’s either compatible with your original purpose, you get consent, or you have a clear basis in law

While this framework is specific to GDPR, stricter data privacy laws also encourage marketers to critically assess why they want to process personal data and get explicit consent for using data in the way they want to. According to PwC, only 25% of consumers believe companies responsibly handle their personal information. Worse, only 15% think companies will use that data to improve their lives in some way.

But that’s changing now. Consumers and laws demand more protection for personal data. In order to assess the purpose of your data, audit the data you collected in your inventory from step one.

For each data entry from your data inventory, audit it by asking these questions:

  • How is this data currently used? / How do we currently process this data?
  • Are we covered by one of the six legal bases for processing this data?
    • We have consent to process this data
    • We need to process this data to fulfill a contract with the data subject
    • We have to process this data for legal compliance
    • We have to process this data to protect the vital interests of the data subject
    • Processing this data is vital for public or official interest
    • Processing this data is necessary for the legitimate interest of our company
  • Do we absolutely need to use this data?
  • Does processing this data provide a better experience for our customers?

Once you’ve answered these questions about your data, you can start cleaning up your website and database to ensure the data you process is necessary. This will give you a higher quality, cleaner dataset and a more customer-centric data collection policy. 

Step three: Be transparent with your users about how you use their data

Once you’ve gone through steps one and two you should be confident in your data—both what you have and why you collect it. Now it’s time to create transparency for your users and customers.

When it comes to transparency about your data collection and usage, there are two categories you need to cover: 1) content you’re legally required to communicate, and 2) content that fosters trust with customers and users.

What are you legally required to communicate?

Well, that depends on where you and your customers are located. But this probably includes a mix of the following:

  • Privacy policy
  • Cookie banner and cookie policy
  • Data breach policy
  • Third-party access to customer/user data
  • Users’ rights to their data
  • Details for consent (how can users give, withdraw, or decline consent?)
  • Compliance statement with your local regulations
  • Terms and conditions for use of your product/service

What should you communicate?

Given the amount of distrust consumers have around companies using their data, it’s probably a good idea to aim for transparency. “Customers want to know that if they’re willing to share their data that they can trust you, that you're not going to use it for the wrong purposes, you're not going to resell it, and you’re not going to give it to the wrong people,” said Ashley Stirrup, Chief Marketing Officer for Talend.

When it comes to fostering and growing that trust, there are many ways you can go beyond what’s legally required of you to build more trust with your users:

  • Include a data privacy FAQ on your website
  • Walk your users through your third-party engagement requirements. Assure them that all third parties have data privacy cultures aligned to your own
  • If your company has a GDPR or data privacy roadmap, consider making it public so users can see the ways in which you’re progressing
  • Explain the data privacy and ethics training requirements customer-facing teams have to go through
  • Release information on your internal data privacy policies and standards
  • Make it easy for users to submit feedback or complaints

Clean data + transparency = More effective personalized marketing

Once you’ve gone through steps one and two you should be in a more confident position about the integrity of your user data. Step three begins the process of fostering more trust with your users when it comes to handling their data. But where does that leave your efforts to create a more personalized marketing experience for your visitors and customers?

Well, it gives you a very healthy starting point.

A global survey by Deloitte and SSI found that 79% of respondents are willing to share their data if there is a clear benefit for them. The study’s authors go on to say, “This means that companies should consider thinking about giving consumers a return on data. Whether it is something that entertains, informs, or rewards the consumer, companies should understand that many consumers may provide information in exchange for something that benefits them.”

When you approach personalized marketing, you should ask yourself: Is the way I’m using this data in line with everything we’ve communicated to our customers about how we handle their data? Given the amount of distrust consumers have around companies using their data, it’s better to aim for transparency. 

The key to better, more effective personalized marketing is to provide ongoing value to customers who give you their data. When you provide that value, your customers will be inclined to share more data, allowing you to further delight them. 

A great example of this is Netflix. The streaming service collects a massive amount of data while you use it: the titles you watch, your search history, when you pause a show, when you stop watching a title halfway through, the device you use, your ISP, etc. Based on that information, Netflix provides personalized recommendations and localized content and customizes your Netflix interface (they even customize the film covers you see to show actors you’re more familiar with), and that’s only the beginning of their personalized experience.

Since Netflix uses the data they collect on you to provide value by suggesting more shows you might like or giving you a more pleasant interface, many of us are very happy to continue giving Netflix information. That makes Netflix the perfect example of how customer data and personalized experiences are wrapped up in a cyclical pattern. When brands provide us value as customers, we’re in turn much more likely to consent to more of our data being used to provide that richer experience.   

Key takeaways

Most digital professionals are trying to navigate a dramatically changing data privacy landscape right now. For marketers, changing regulations are a new opportunity to foster customer trust by providing a richer, more personal customer experience. But customer trust has to be earned. Start earning that trust by working on the following: 

  1. Identify the data you own (aka create a personal data inventory)
  2. Assess the purpose of the data you collect
  3. Be transparent with your users about how you use their data
  4. When customers consent to their data being used, use it to provide a personalized experience that drives value for them

If you haven’t started looking into your data, consent, or how to better use your data to create a unique customer experience—don’t panic! Going through these steps will build a strong data privacy foundation that you can work confidently with in the future.