January 10, 2020

Data, GDPR and enforcement


Aurelie Pols




Rick Dronkers




A live discussion about the future of data governance, data, privacy, GDPR and enforcement together with Rick, Aurélie and the audience.

Episode guest

Aurelie Pols

Data Protection Officer, Privacy Engineer, and Data Scientist

Rick Dronkers

Consultant in Marketing & Analytics

Episode host

Guido X Jansen

Guido has a background as Cognitive psychologist and worked as CRO specialist on both the agency and client-side. In 2020 Guido won the individual Experimentation Culture Award.


Please note that the transcript below is generated automatically and isn't checked on accuracy. As a result, the transcript might not reflect the exact words spoken by the people in the interview.

audience A: [00:00:00] Privacy and analytics and CRO, I think our Audi session, hopefully everyone is aware of why this is important and is important for everyone. Maybe not as everyone wants to do. Talk about the, this, I think internally, I don't know. It depends on the company, but definitely an important one. So for this topic, first off we have Aurelie Pols, data governance and privacy engineer, and we have Dronkers, independent consultant in marketing analytics.

And as we all already heard from, from Aria, I suggested Rick, what do you have to say about this topic in general? Why are you here? Why are you a panelist?

Rick Dronkers: [00:00:37] I guess why I'm a panelist is, I've been forced to handle this topic a lot in my profession.

Yeah. But, yeah, actually grew to like it, or at least, it grew an interest in why it's important and especially like how can we help clients make sense of, actually implementing all these things or making sure that what they are doing is actually somewhat compliant to what the law suggests you should be doing.

And also, how can you still get the best out of the tools we all love in our, in our industry. And that has helped have helped us a lot, but not all of them are, as privacy friendly as, we might want, so yeah. Or shoot him. Yeah,

Aurelie Pols: [00:01:19] perhaps.

audience A: [00:01:20] Yeah. and we had a couple of questions already in the app, so I think it would make sense to go through a couple of those first, during your sessions.

one of them is, so what will be more valuable? Is it setting rules for companies or should we actually be creating more awareness by the customers? Would that have a well, will be more valuable? What would have a larger

Aurelie Pols: [00:01:40] effect? It depends who, for who? It's more valuable. Are we talking about society in general or our industry?

For the greater grids. let's see. I think, parts of awareness have been done by certain supervisory authorities. because part of the GDPR is really reinforcing these rights of the data subjects. And so where I come from, they have really pushed, like crazy to say, please complain about your data processing operation.

So I have templates if you want in Spanish, for everything, which is. I'll tell you amazing.

audience A: [00:02:18] So incentivizing people to complain.

Aurelie Pols: [00:02:21] Yeah. Yeah. Use their rights to privacy and to ask questions to companies to say, I want to understand what you're doing with my data, which is one of the objectives of the GDPR.

So education of users of data subject is I think first society certainly very important. I talked to my sister a lot. She lives in Amsterdam. She has an Android phone. She uses apps. I would never tell, not anywhere that's okay. and we have conversations and she realized, Oh my God, Google is reading my emails.

And you're like, yeah, of course it's an OTT. And over the top service, it's not the telco and it has no confidentiality obligations whatsoever. So what else is new? My dear sister. And she was like, she doesn't know what I'm talking about. so clearly, yeah, education and for people to understand what the consequences are of how they use technology.

because it's a bit like I compare it to cereals boxes of cereals. I didn't know if you have children ghetto, but,

audience A: [00:03:22] but he's one year old,

Aurelie Pols: [00:03:23] so it's fine. Yeah. So yeah, it's that out, but if they watch advertising, I will bet you anything that one of your kids will come and say, I want Cheerios. I own this.

I want that. And as a mother, you're like, No, and you're not eating that drawer once a week, maybe, but this is not going to be your regular breakfast and the same should happen with data. do you want a Amazon ring in front of your doorbell? Yes. No, it's your choice, but if you don't understand what it means or what the consequences are about, Oh, it would be a good idea to start doing.

audience A: [00:04:01] And maybe you wanted to, with your neighbors.

Aurelie Pols: [00:04:05] Yeah. Yeah, maybe you do well, maybe there are different things we can deliver you

audience A: [00:04:09] guys.

Aurelie Pols: [00:04:10] yeah. Yeah. so yeah, education of, of the public, but also understanding by companies who want to use data for their growth, because data is the new oil or whatever you want to call it.

is also understanding the risk of fines, the risk of having their data flows, being cut by supervisor authorities, or certainly the risk of losing the trust of their customers. So recently I bought water bottles and Amazon because it's called in Sarah and Madrid, and I'm very happy to have emails from Amazon to tell me, buy new water bottles.

I have three. Thank you very much. I don't need more. And so this issue of advertising in digital. It's not new. This has been going on for 15 years now. Sarah just need to come through better. Are you kidding me? It should be better.

Rick Dronkers: [00:04:58] But I think it's also a little bit of a complacency of it has been easy to just implement tags and not maintain them and just accept the fact that you place this Facebook tag or Google tag and they take care of the rest.

And that's how it has been. And there's a big gap between marketers operating advertising technology and the people who implement that technology, and people who implement it don't care about it. They just got an assignment to implement that tech once 15 years ago or something, that's exaggerating, but that's what I see at companies.

And there's a big gap of the people using the advertising technology or the CRO technology or whatever, and not understanding the technology, like what they are implementing, like the tags they're implementing and what those tags are potentially also harvesting besides what they are using it for.

Aurelie Pols: [00:05:47] Yeah, it's still not easy because the vendors don't make it easy.

when you look at, I dunno, one of the product features, customer audiences by Facebook. So you look all this kind of selling stuff for technologists and how you implement it. Take a look at the terms and conditions and how it's written. They don't do UX on terms and conditions. That's care.

Rick Dronkers: [00:06:12] Even if they did people would still, most people would still not read them. So that's also a big problem.

Aurelie Pols: [00:06:17] It's difficult to find. So we're having like discussions increasingly, about what is the responsibility of digital analysts, CRO specialists and things like that. I think if you recommend a tool, you should at least know where the terms and conditions are.

Yeah, I think they should go together because it means that if you recommend a tool to a company, you say from a technology and analytic standpoint, it does this is how you implement it. And then for the privacy officer, the DPO or whatever you have the other bit, which is, and this is what it means from a legal stuff

audience A: [00:06:49] who here knows where to find all the privacy statements from the tools they use.

Aurelie Pols: [00:06:56] Two hands really difficult to find, and they change all sites. It's something that you talked about, the dynamism of it and how things are evolving and changing. It's like you implemented your Q and a tested. You have a beta version or whatever, or you have a test versions, but then how do you make sure that's moving forward?

The trial has not changed. They don't, integrate pixels with one another. That was, yeah.

Rick Dronkers: [00:07:23] Even like the same pixel that you have implemented two years ago, it can contain new functionality today without you changing the code because they're loading a script from their end of the website, not from your end, so you're not in full control.

So that makes it really hard.

audience A: [00:07:37] Did we have any audience questions then?

Aurelie Pols: [00:07:42] It's okay.

audience A: [00:07:45] I'm a curious, You work at a tech company as well. That's sales, I think analytics kind of software. I work at one as well. And the experience is that the market is not asking for it yet. And yet there's a tech company you'd like to explain it.

And the opposite response usually is, but I lose 90% of what I used to have in our own experience. For example, to retargeting snippet. Now it's behind consent for us on Facebook. My marketing team lost basically 90% of that returning audience.

Rick Dronkers: [00:08:23] Yeah.

audience A: [00:08:24] We accepted it, but how difficult it is as a tool to balance the loss of potential revenue yet explaining a feature.

Privacy, which you hope eventually will be part of your core business, but yet not is not there yet. I think that balance is really difficult as a smaller company. It's easier to make those decisions out of like principle. and that we don't do this. We're focused on privacy. So I scraped as a larger company.

Yeah, nothing that you work for a company in U S, which is more a collect, more collect more, and now only the CCPA.

Aurelie Pols: [00:08:57] So hold on. So let's step, a bit back because there are different positions here and different challenges. First of all. So I'm a DPO, a data protection officer for CDP, a customer data platform, called mParticle out of New York, as a product.

We onboard first party data, and also anything you guys collect, so Google, whatever. And we allow our customers to link this to our partner data. So it's a Facebook, Google, or whatever who we work with. we act as a data processor in the sense that. We act on their behalf. We don't decide they used the data and it means we don't have these discussions about consent.

It's up to our customers to decide with the tools downstream that they use. They are going to ask for consent, whether they're going to use other lawful basis of, to them. But it's clear in our contracts. We say, it's your responsibility. Now, if you want us to help you with consent or things like that, we integrate it with IAB consent framework because I asked or not super partisans of it, but okay.

It's there. We integrated with OneTrust because it was part of it as well. And we have our own consent management. So it means that, when it comes to, for example, to consent, we support, but go out and in saying it's a product feature or things like that. We did choose to do something else. And it's called OpenGDPR.

It's a framework, it's open source. You can find it on GitHub, which basically takes in data subject requests from our customers in digital and passes it on through the pipelines, towards our partners. They reception that and work on it and they, we get it back and we serve that back to our customers. This is where we positioned ourselves.

We said we don't decide about consents. We don't decide the lawful for basis. We onboard first party data. So it means that personal data, or do you want to call it PII? If you prefer it's there. We did push for certain limits. We had conversations about this because I worked for DMPs before and was like, no PII.

I said, Oh, so we take personal data because we're a CDP. Where is the limit, what don't we want? And this is where it gets interesting because you're an American company. And so the lawyers in America write rules. And so the law is we don't want sensitive data. Okay. So sensitive data under US law is social security numbers, financial data and health data.

It is not union membership, racial discrimination, religious preferences or things like that. It's not the same definition as the GDPR. So we have processes in place to say off of our platform, the sense of data us, and we trained our teams, our onboarding teams to say, this is sensitive data in G in the GDPR, in Europe.

Anything that touches from far or close on this, you escalate. So I have an open door policy. I get questions from yes, CSMs and things like that. And we make decisions based on what type of client it is, what the contracts say, how they've been red line. We sometimes send emails back to say, could you please confirm that this is what you want?

We escalated towards certain apps to say, We think you're not as compliant. Could you please make sure. And where they writes back by saying we are compliant. So I have that written. If somebody says that company is not doing what it should said, I know, but they told me they would and it's inside our contracts.

So from a technology perspective, it's a balance between what kind of features do I develop? Do I decide to work on OpenGDPR? And this is where mParticle worse in 2016. And how do I hedge in terms of contracts? What's interesting now, for example, is OpenGDPR wasn't used by our European customers and is now being opened for CCPA because it's not very different.

It's just notion of sale and things like that. But we are using the GDPR as a baseline to upgrade with potential other legislations that are coming. So we're, we're very heavy on mobile. and so we get questions like, is there any privacy legislation in Africa? You bet your ass. There is privacy legislation.

I forgot there we'll have little details that we'll have to append onto the platform. And then it's a cost benefit discussion, but we realize that everything we built in 2016 now in 2019, makes total sense for CCPA. So I'd say it's betting on the future to see, okay. How far does it go? Obviously, if I asked for features that are extremely expensive, the CTO is going to smile and say, I love you very much already, but no.

audience A: [00:14:20] And also had another question. I think you might be able to answer it. if you're a CRO specialist working in a company and you've been deep diving in this a bit more, but. If my boss doesn't really care about privacy, if my clients don't really care,

Aurelie Pols: [00:14:37] why should I care?

Rick Dronkers: [00:14:39] Yeah. Besides

audience A: [00:14:40] incentivize to do this,

Rick Dronkers: [00:14:42] I think, besides you, besides your own like moral compass, like as long as you're good with what you're doing, you, yeah, you could do whatever and you can bypass all current technologies, ITP ad blockers.

Like for everything, there is a potential solution to track. Anyway. and then I think like she already mentioned, then it becomes a risk reward kind of thing. if, if you are comfortable with the risk you're taking of not complying with a law potentially, then for sure you can bypass ad blockers.

You can extend cookie lifetime best what ITP is doing. You can buy, I passed what Firefox is trying to do for sure. There are solutions to all of those.

audience A: [00:15:23] I think the question was partially. I think that's how I read it. okay. if no one, if my boss doesn't care, my client doesn't care.

Would I be personally responsible for this? Is this,

Rick Dronkers: [00:15:34] the lawyer don't play one on the internet. So I have no idea. if you, perhaps, if you, as a consultant do that, but probably the company is still at fault. Like the company who hires you to do it, they make the decision to do it. Yeah. But for future reference, if you do that and they get caught and.

they get fined because of you, then maybe your future consulting services might get some damage from that. Yeah.

Aurelie Pols: [00:15:57] So it's interesting because it, it touches upon, criminal liability. Basically you as an individual, which is where we're not, we're talking yeah. About liability of a company and they could get finance, things like that.

The only person I hear about where there's a discussion around normal criminal liability is Alexander Nix. And seriously, these discussions are not going away. So he might be a pretender to put potential legislation coming up. Yeah. Which, but it's not there and it won't be for the next year or yeah.

audience A: [00:16:30] Depends on your level of influence in the company and the decisions?

Aurelie Pols: [00:16:34] No, it's never, for the moment these fines are company related. They will not never be about an individual. So the

Rick Dronkers: [00:16:41] answer is you're safe. Go ahead.

Aurelie Pols: [00:16:44] Brand reputation as you highlighted brand reputation.

Rick Dronkers: [00:16:48] Yeah. Yeah, for sure. Yeah. I do think that's something to think about, right?

Aurelie Pols: [00:16:51] if you

Rick Dronkers: [00:16:51] go full black hat, like in the SEO world, they're also. Black hat people are well. Yeah. They have a certain reputation. And if that's how you want to make your money, then that's up to you. But

Aurelie Pols: [00:17:02] yeah. Yeah. The interesting thing is also, I didn't know what your background is, but I'm not a lawyer now.

And it's, it means that we're less. I think we're less skitty about giving advice and putting ourselves out there. The lawyers are very much, and here's a disclaimer. I work with a lot of American lawyers, but you're like, come on guys, can we please move forward? And I do understand their liability, we need to have straightforward.

Rick Dronkers: [00:17:30] Yeah. I do think that's an important point that like, I hope a lot of companies who try to become like, Compliance. So a lot of things have to do with the cookie banner. And then the first question you ask me is, what, how should we configure it? And then I'm also hesitant to give like a definitive advice.

I'm like, okay, these are websites that are comparable to you that have it. Configured in this, how they configured it. Yep. But yeah, I'm not a lawyer. I'm not going to say you have to have the marketing thing on or out, or, think about it, decide for yourself. I can help you configure it and make it all work and actually make all your scripts.

Listen to the cookie banner, which most websites don't do. They just put up a cookie banner and they just fire all cookies without you giving consent. But yet what the choice that you're going to make in that. And that's, I think in the end of companies should. Invest in that and make that decision.

Aurelie Pols: [00:18:17] Yeah, it does. This is where my position has DPO facing the CML was pretty easy and was like, the conversation started very simple as I'm your DPO. I do not want any tracking tools, I suppose you want everything. So now let's have a conversation and find the middle ground in terms of risk. but I started there.

It's I want anything on the website.

audience A: [00:18:39] That's what we want to hear. So you're a specialist, right? Any questions

Aurelie Pols: [00:18:45] We have this legislation in place quite some time now, but we don't really see effects of it in the sense that if you look at the top 20 of Dutch websites, everywhere cookie banners which are not compliant.

Clearly, do you know why no action is taken? I do know. Do you want the answer? Yeah. The GDPR came into force in May 2018, but there's another piece of legislation you might have heard about, it's called ePrivacy, which is currently a directive and is continuously in discussions to be a regulation.

The Finnish presidency talked about it yesterday again, so we'll have to see when this comes out. The specificity of ePrivacy is that it touches upon any kind of inference there would be with a device that you own. So placing a cookie, a pixel or a tracker or whatever on your mobile phone, your desktop, your Nest, your whatever you want. What I'm currently also seeing is that

hello, I, of these technologies that used to be cookie based or less cookie based there's lot server to server connections. Go ahead. And so one of the questions is also would that mean that if I do that server to server, would ePrivacy apply or would the GDPR apply? And as long as we're not out of the woods of ePrivacy, I think there won't be a lot of enforcement when it comes to digital.

For the moment. There have just been two fines in Spain, like four or five years ago. Not much. And to be honest, as Rick said as well, the technology is not really ready yet. the links between yeah. Far from the links between the consent and management tools and then That these trackers are triggered and things like that also worries me as this entire discussion about consent is driving me nuts.

And I suppose you guys as well. So I'm not the only one because when you think about it, it's just the start of the journey of a prospect customer. Then what happens? It becomes part of. CRM type of system. It enters something else. So now we're just focusing on that little bit in the beginning and we're not even looking at the data flows afterwards.

And it's also about the data flows afterwards, but once ePrivacy becomes a regulation where we will have ideally confidentiality of communications and possibly just consent something on the device, then we'll. So I have to tackle not only the interoperability between those little bits and pieces, but everything that goes behind.

So there's lots of work to be done.

audience A: [00:21:32] And there's a nice website, actually, it's enforcementtracker.com. You can see the fines that are, being handled us, and they definitely get higher and more and more specifically for Spain. I was just looking that we now have 16 fines in Spain,

ranging from 900 euros to 50,000 euros. So there's quite some. So you might use it as a resource saying, okay, what are my competitors or someone being fined in my industry, if not, then I can just go.

Aurelie Pols: [00:22:03] Yeah. Yeah. Then, another, interesting, sources also, for example, the European data protection board.

they publish their plenary sessions and what they're going to talk about, every month or something like that. So they focus on kids or there's a focus on dating apps or things like that. For us, it drives also, awareness within the company to say, let's take a look at our client list and make sure that we're on the right track.

Rick Dronkers: [00:22:27] But to your point, there has been some activity in the Netherlands, I think three months ago or something, a lot of the Dutch bakery. Publishing houses. I've got letters from a doubter type person, skaters about cookie was being not sufficient, not working at all or implemented. So there is, at least there is some activity, but, yeah, that seems to be it so far.

audience A: [00:22:54] Do we have a final question from the audience?

Aurelie Pols: [00:22:56] Yeah, I do have one question. How do you guys personally feel about, data collection? So I can imagine on the one hand we have marketers who are very enthusiastic about all the innovative stuff that we can do. On the other hand, we have for simple amnesty who this week released a report saying, Facebook and Google are far leading or human rights, but how do you guys personally feel about that?

Okay. I have a straightforward answer, so I love data by default. And I read this article, and I would call it potty data, in the Guardian about the fact that as women, we queue in toilets a lot. And so I don't have a Fitbit or a fitness tracker, but I would love to have a way to tell Apple, for example, that once again, I'm queuing in the toilets because I am at the sea or terror or things like that.

So I think data is interesting. To optimize our life. I don't have a lot of choices about this and this drives me nuts. so there's a lot of stuff I don't do. They won't be Alexa in my home. Yeah. yeah. Yeah. Amazon ring or things like that. But if I see the use of it, I will, I think you also can get addicted to data.

And I think that's dangerous. So we should also educate people about that.

audience A: [00:24:11] Maybe I'm not getting this because I'm a man, but you want to tell Apple that you're queuing for toilets

Aurelie Pols: [00:24:16] us women. We spend a lot of time queuing in the toilets because we spend a lot more time in the toilets. And usually there's the same amount of toilets for men and women at any kind of event.

audience A: [00:24:27] Oh, that's why you want to use the data for us.

Aurelie Pols: [00:24:29] Yeah. Yes. So I want to surface that problem. This kind of discrimination against women when you have a very busy life between your kids, your work. And

audience A: [00:24:40] I don't think they need data for that. They can just look at the lines and then. They don't need to. It's also data.

Fair enough. Fair enough. But you don't need your phone. You don't need personal. You can just have a, footfall Mader. I don't know what the word is.

Aurelie Pols: [00:24:53] The interesting thing is there are standards in the UK, so there was an article about potty data. Seriously. It exists. There are standards in the UK that actually push architects to think about more cubicles for women, but nobody follows the standards.

Can you mention that? Yeah. Be a woman for two weeks and we'll have a conversation. They don't follow the standards

audience A: [00:25:17] for the body standards,

Aurelie Pols: [00:25:19] the architectural standards

audience A: [00:25:21] that's shitty. thank you so much. We're out of time. We're gonna go to the next session, in 10 minutes, which will be, get you all seen, already a cofounder CEO.

and telomeres and we'll have Neil's hammer, go owner and data consultant at the data story. we're going to talk about personalization and as hope to see you there. And, again, prepare your questions. .
