GDPR and Your Privacy on Palantir.net
We used the GDPR enforcement deadline as an opportunity to update our privacy and data retention policies, the annual review of which should become a standard part of your digital marketing plan.
When the General Data Protection Regulation (GDPR) took effect on May 25th, we had already put our plans in place. In George's previous post, we looked at what the GDPR requires and what it means. In this post, we'll walk through the steps we took and make some recommendations for our clients.
To recap from George's post, at the core of GDPR are four key principles:
- A person’s data can only be collected for a specific purpose.
- The person must be informed of and consent to the purpose for which their data is collected.
- Only as much data as is necessary to achieve that purpose should be collected.
- The collected data must be deleted at the request of the person from whom it was collected, or when it is no longer needed for the purpose for which it was collected.
For Palantir, this meant that we had to perform an audit of the systems that we use to collect and store data about people who interact with us. That means understanding what software we use and how that software collects and retains data. We have two major applications that apply here:
- Google Analytics -- our system for tracking anonymous traffic and events on our site
- HubSpot -- our system for inbound marketing, CRM, email marketing, and contact forms
Google does mandate that all tracking data be deleted after either 26 or 14 months, however. So we set that value to 26 months, which is their default recommendation.
In the case of HubSpot, it's a little more complicated. When you submit a form via HubSpot, your contact information is directly linked to your visits on our site. That helps us understand why you've contacted us, and it's a fundamental piece of modern marketing technology (martech).
As a leader in digital marketing, HubSpot has put together an essential product guide and introduced new tools for handling user privacy. At Palantir, we're using two major provisions of these improvements:
- Recording the "lawful basis" for storing personal information.
- Supporting requests for the deletion of information.
It's the first element -- the "lawful basis" for storage -- that has led to your inboxes being flooded with privacy updates and subscription renewal requests. That's because the GDPR asks businesses to track the means by which people opted in to the storage of personal information.
Like many companies, we're using the GDPR's new rules as an opportunity to update our mailing lists, asking people to opt in again. The advantage is that only people interested in our content and services will re-subscribe, which helps us focus our marketing efforts.
While these new rules legally apply to residents of the European Union, we think they make good default behaviors for digital marketing to all our customers. For our clients, we'd be glad to talk through your options and help you set best practices. Here's a quick list to get you started:
- Set a data retention policy
- Set a process for responding to GDPR requests
- Review the privacy and data storage policies of all your external martech tools
- Replace martech tools that don't respect consumer privacy
- Set annual reviews and trainings for each of the above items
Instituting good policies and practices is good business. By making those policies part of your marketing plan, you can serve your customers while respecting their privacy.