      Customer Data Platform (CDP)

      What Rights Do Customers Have When It Comes to Their Personal Data?

      By Carl Bleich

      Jan 25, 2021

      11 min read

      Author’s note: You’ve done all of your research, spent hours going through different options, seen an amazing demo, and are finally ready to purchase your customer data platform. But one last step looms…final approval. Make sure that you are armed with the information you need to prove that your CDP is safe and secure. This is the fifth article in Bloomreach’s series “Don’t panic: A marketer’s guide to customer data security”. This series will help educate marketers on why security is so important right now and give them the proper tools to help ease the nerves of risk-averse colleagues who may not fully understand the benefits of a CDP.

      If you are currently working with a customer data platform or are in the market for one, it’s important to understand your CDP will eventually be the home of a massive amount of customer data, if it is not already.

      Gartner defines a customer data platform as “a marketing system that unifies a company’s customer data from marketing and other channels to enable customer modeling and optimizing the timing and targeting of messages and offers.”

      As the cliche goes, “with great power comes great responsibility”. It is the responsibility of marketers to care for that unified customer data and ensure that customers are afforded all of the rights the law requires when it comes to their data.

      But what rights do customers have when it comes to their personal data? Let’s take a deep dive into answering this question so that your company can be prepared if you receive a request related to customer data. 

      Customer Data Requests: An Overview

      Before going into detail about requests, the importance of having a specific process for customers to make these requests must be discussed. 

      Companies would be best served to have a specific channel (most commonly email) where customers should send requests. This should be communicated to customers through your company’s privacy policy so there is no confusion when a customer decides to make a data request.

      Companies are responsible for responding appropriately to all requests, even if a customer does not use the correct channel to communicate the request. Requests should be archived with the date they were made. The General Data Protection Regulation (as well as other governing laws/guidelines) requires that responses are made to customers within 30 days of receipt of the request.

      What could customers actually be asking your company for?

      Right of Access

      This type of request generally involves three things: confirmation that you hold an individual’s personal data, access to all the data that you hold, and/or other questions related to the gathering and storage of this data.

      Customers making this request oftentimes just want to know what personal data your company holds that belongs to them.

      Right of Data Portability

      This right allows customers to obtain their personal data from your company and reuse it. It essentially allows customers to transfer or move data from one IT environment to another safely. The data should be provided to customers in a way that does not affect its usability.

      Right to Rectification 

      Customers have the right to request that their incorrect or incomplete data be corrected. If a customer makes this request and the data you hold on them is found to be incomplete or incorrect, you must correct it within the 30-day deadline.

      A good practice for certain companies in delicate situations would be to take an extra step to confirm the identity of the individual making the request to ensure the data isn’t being manipulated. It is important to log all communication related to requests for rectification in order to avoid potential miscommunications with customers or GDPR issues.

      Right to Erasure

      Your customers do have the right to have all of their data completely erased from your CDP in certain circumstances.

      Generally speaking, you have two options for how to move forward: anonymize the customer in your CDP or delete the individual completely. Deleting completely is the safer option with regard to GDPR.

      Unlike the previous rights, this right is not absolute, meaning it does not apply in all situations. If a customer’s data is no longer necessary for the purpose for which you collected it, you are obliged to erase it if a customer makes this request. The right to erasure also applies if you are processing the data for direct marketing purposes and the individual never consented to that.

      Right to Restrict Processing

      This right essentially gives customers the right to limit the ways that companies can use their data temporarily. This is typically done in lieu of requesting a full erasure of data.

      Like erasure, this is not an absolute right and only applies in certain circumstances. When processing is restricted, companies are permitted to continue storing the data in question but cannot use it.

      Right to Object

      Finally, customers also have the right to permanently stop you from processing their data in certain circumstances.

      The absolute right in this case involves individuals’ rights to stop their personal data being used for direct marketing purposes. In other cases, customers must show they have a “compelling reason” for a company to stop processing their personal data.

      The request can concern all of a customer’s data or just a certain portion of the data held by your company. It can also relate to a specific purpose or reason for which you are processing the data.

      Bloomreach is Here to Help with Customer Data Requests

      The different requests and your company’s required response to them can be overwhelming. It’s important to have a strong ally in your corner to help should your company ever find itself in a situation like the aforementioned ones.

      Bloomreach’s Customer Data and Experience Platform is a world-class product that provides secure data compilation and marketing automation initiatives. Our individual rights document goes into even further detail about how to address customer data requests for companies that use Bloomreach.

      Bloomreach was the world’s first GDPR certified SaaS company and holds top security certifications to help keep our customers as protected as possible.

      The Bloomreach Academy also features a “GDPR Best Practices” course that dives further into all of these rights so that your company will know immediately how to respond to all customer requests should they come. 

      Ready to see the CDXP in action? Watch our short demo video to see how you can turn customer data into marketing magic without worrying about security and data privacy. If you’re interested in learning more about data privacy and security, Bloomreach Academy’s Privacy Fundamentals course is the deep dive you need to master the topic and become an expert.


      Carl Bleich

      Content Marketing Manager at Bloomreach

      Carl works with Bloomreach professionals to produce valuable, customer-centric content. A trusted expert with over 15 years of experience, Carl loves exploring unique ways to turn problems into solutions within digital commerce.
