The Age of the Pseudonym
In October 2016, Claudio Gatti, an Italian journalist, “solved” what he claimed was a mystery of our time by exposing the identity of Elena Ferrante, the best-selling author of My Brilliant Friend and the Neapolitan series of novels. He did this with great fanfare and with the air of a great detective. Broadly speaking, it seems the literary world did not agree, and his actions have been castigated as a breach of the unspoken code that an author’s pen name should be kept secret.

He didn’t, however, get fined 4% of his global revenue, but that’s just the scenario that would have affected him if he had been a Chief Data Officer and subject to the General Data Protection Regulations. And it’s not just CDOs who need to get their heads around them; Chief Digital and User Experience Officers also need to plan for this. But few of them, I’d wager, are looking to the writings of Voltaire, Molière, Grant Naylor and Lemony Snicket for inspiration.

The General Data Protection Regulations (GDPR) are due to be introduced across the EU (including Britain) in May 2018. In many ways, these are an extension of the European regulations, written in 1995, which led in the UK to the Data Protection Act 1998. The new directive is an entirely sensible development in response to the technical evolutions of the last two decades. The DPA was written before the development of the smartphone, the tablet (let alone the phablet!), online social networks, one-click shopping, personal fitness tracking devices and instant messaging apps – to name but a few! All these innovations include, access or process information that contains key personal information about the individual using them. But all of them redefine, if only slightly, what “personally identifiable information” means, or at the very least how valuable it is. A fitness tracking device collects highly personal health data about the individual using it, and can help provide motivation for consumers.
Even if this is not linked to their customer profile (which of course it normally is anyway), this information is still unique to the individual. Which makes it, by definition, personally identifiable.

So, this evolution of the law is perfectly reasonable and good. But it’s here that the two main challenges start for companies, and in particular those in digital divisions, as they plan for the implementation of the GDPR. However, it’s also here where the opportunities begin.

What is PII?

The reclassification of what constitutes Personally Identifiable Information (PII) is the first challenge. The GDPR definition of personal data is “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.

That’s pretty comprehensive, and manages, fairly efficiently, to cover the range of digital development over the last 20 years. This now clearly includes my fitness tracker, but more importantly, it defines an “online identifier” as personal; this could be as standard as a combination of IP address and cookie. Previously, this was only treated in this way if it was linked to an actual customer record. This is a subtle change, but has quite big ramifications.

Most digital behavioural analytics, targeting and personalisation tools use such online identifiers to recognise the individual to deliver a customised experience. These are generally anonymised, or at least use an identifier that is separate to the personal information for that individual, securely stored behind the firewall of the organisation. But now, this identifier will be personally identifiable.

It therefore has to be handled differently.
One of the issues at the moment is that many of the software vendors in this space have not as yet confirmed exactly how they are going to manage these changes to ensure that they will be compliant. Obviously, these vendors face the biggest impact on their business, so it is not unreasonable for them to take time to get it right, but their clients also need to plan, and this is causing some nervousness in the industry. To be fair, this is not helped by articles in the press hyping up the topic – the following is a literal quote from one such article I read in the last few months: “the biggest legal themes that you can think about are nowhere near as big as the GDPR”.

And breathe! And count to ten. Has the big scary thing behind the curtain gone away now? Okay, good. Because now our novelists come to the rescue.

In Praise of Mary Ann Evans, Gerald Wiley and Amantine Dupin

Fortunately, the GDPR also introduces a new concept of “pseudonymous” data. As the word suggests, this is a bit like the idea of a pen name, a name that disguises the real identity of the author of a novel. In terms of the GDPR, “pseudonymous” data essentially means personal data that has already been hashed or encrypted, so that it can’t be identified as an individual without additional information or unhashing.

Just like the pen name, this protects the individual – as a test, see if you can identify who the authors mentioned are, without using a search engine, which is the equivalent here of unhashing. That’s why the exposure of Elena Ferrante matters in this context – it’s the literary equivalent of a hacking or data breach of the individual’s right to privacy.

Whilst pseudonymous data is still technically personal data, and so still subject to the regulations, because any data breach of such data would be unlikely to cause harm to the affected individual, there are certain relaxations of other requirements under the GDPR.
These relaxations include data breach notification and possible exemption from having to comply with data correction and erasure requests. Perhaps most significantly, though, using pseudonymous data techniques could provide greater flexibility to profile customers based on their data, without having to seek their direct consent; this consent requirement is another element added in the regulations, and could significantly restrict many of the targeting and personalisation programmes that are currently running.

In other words, your company will be strongly incentivised to encrypt or hash your digital data. It will reduce your corporate risk and legal liability, allow you to gain a competitive advantage over those that don’t do so, and, lest we forget that business is all about the customer, it’s also just what you should be doing with individuals’ personal information. So, in fact, it’s possible to see this as an opportunity.

Are you good at remembering?

The second challenge is, to my mind, also a clear opportunity. Perhaps the most contentious part of the GDPR is the new principle of an individual’s “right to be forgotten”. This is the principle that you can ask for your personal data to be forgotten (in certain circumstances). The difficulty at an organisational level is this: in a multichannel world, how can you be certain that you have removed all of a customer’s record? It is a commonplace now that customers engage with your brand across multiple channels. So if you just suppress the record in one channel, but that customer returns in another, and the cookie is recognised, then you have not actually forgotten that customer. You have just forgotten them in the channel that’s easiest for you.

However, there is a more positive way to think about this. In order to be forgotten, you need first to be remembered. And that means you need to join the records of customers across all the channels they engage in. In other words, you need to build a single view of the customer.
Fortunately, there are tools out there that enable you to do this; it is much more straightforward than it was ten, or even five, years ago, and we work with many clients to build, deliver and maintain these environments. But these systems allow you to do your targeting and to recognise your customer in a much more holistic way, which is in line with customer expectations. Customers expect that they are recognised whenever they interact with your brand.

And this is where the opportunity lies. The GDPR is not (or at least not just) a threat to or legal restriction on what you currently do; it also represents an opportunity to gain competitive advantage. Many organisations are behind in terms of setting up a single view of their customer. However, in effect, there is the chance to do so not just because of the possible increase in sales, but also the reduction of risk and liability; the business case almost starts to write itself. So, if it wasn’t compelling to the C-Level before, it definitely will be now.

Practical Tips

So, here are some tips on how to approach the GDPR, especially if you run a multichannel business:
- If you think it could be regarded as personally identifiable information, it almost certainly is.
- If in doubt, encrypt it.
- If not in doubt, encrypt it; it’s what you should be starting to do anyway, and you will get the legal equivalent of “bonus points” if you do.
- Start writing the business case for investment for a Single Customer View, as it should be at the top of your CEO’s agenda.
- Challenge your analytics and targeting providers to update you on their plans and timetable to be compliant.
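
The pseudonymisation and erasure points above, as an added example that is not part of the original post: an unkeyed hash of an IP address can be matched again by recomputing it over the address range, whereas a keyed hash (HMAC) cannot be matched without the key, which plays the role of the “additional information” held separately. The same pseudonym then joins records across channels so that one erasure request clears all of them. The key, the sample IP and cookie values, the record layout and every function name are assumptions constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
from typing import Callable, Optional

# Constructed sample values: an address from the documentation range and a made-up cookie ID.
SAMPLE_IP = "192.0.2.57"
SAMPLE_COOKIE = "c-7f3a9e"
# Hypothetical key; in practice it lives in a key store, apart from the analytics data.
PSEUDONYM_KEY = b"example-key-kept-apart-from-the-data"


def unkeyed_pseudonym(identifier: str) -> str:
    """Plain SHA-256 of the identifier: opaque to the eye, recomputable by anyone."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def keyed_pseudonym(key: bytes, *parts: str) -> str:
    """HMAC-SHA256 over the identifier parts; the key is the 'additional information'."""
    message = "\x1f".join(parts).encode()  # unit separator keeps part boundaries unambiguous
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def recover_by_recomputation(pseudonym: str, network: str,
                             derive: Callable[[str], str]) -> Optional[str]:
    """Reversibility check for your own scheme: recompute over a range, look for a match."""
    for address in ipaddress.ip_network(network):
        if hmac.compare_digest(derive(str(address)), pseudonym):
            return str(address)
    return None


def forget(channels: dict, pseudonym: str) -> int:
    """Drop every record carrying the pseudonym from every channel; return the count removed."""
    removed = 0
    for name, records in channels.items():
        kept = [r for r in records if r["pid"] != pseudonym]
        removed += len(records) - len(kept)
        channels[name] = kept
    return removed


if __name__ == "__main__":
    weak = unkeyed_pseudonym(SAMPLE_IP)
    print("unkeyed hash matched to:",
          recover_by_recomputation(weak, "192.0.2.0/24", unkeyed_pseudonym))
    strong = keyed_pseudonym(PSEUDONYM_KEY, SAMPLE_IP)
    print("keyed hash, no key:", recover_by_recomputation(
        strong, "192.0.2.0/24", lambda ip: keyed_pseudonym(b"not-the-key", ip)))
```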