Six months ago, at the AdExchanger Programmatic I/O event in New York, I asked a room filled with over 400 senior technology and marketing leaders if they felt they were on track to be ready for GDPR. Not a single hand went up. GDPR is a huge undertaking for many, including Acxiom and LiveRamp, but I’m pleased to say we are ready. Let me share with you how we reached this point, and why I believe GDPR readiness should be viewed as just one small piece of a larger journey.
I won’t take time here to detail what GDPR is – for more detailed information, I’d like to refer you to our GDPR website page. I would like to remind everyone that GDPR creates a new level of accountability, transparency and control for consumers which we believe is really important for our digital future together. It strengthens data governance practices for businesses and it raises awareness of the importance of data to the economy and society at large.
As we countdown to May 25 when GDPR comes into force, some have compared GDPR to the Y2K scenario we faced at the end of the last millennium. While it’s true they both share the sense of major consequences if requirements aren’t met by a certain date, GDPR is not a quick, one-time fix and forget. It requires companies to operate in a different way and put real governance in place to ensure new processes are followed on an ongoing basis. This is both the challenge GDPR presents and the opportunity it creates.
Being GDPR ready for Acxiom and LiveRamp has been a mammoth undertaking that began several years ago as we worked with policymakers and industry bodies to help shape GDPR rather than simply react to it. Alongside that policy engagement, our Global Data Ethics team led a program of continuous improvement – using GDPR as a catalyst to improve our global data governance program. Eight workstreams were identified:
Within each of these areas, we followed a ‘six-step plan’ for GDPR readiness:
- Analysis and Assessment – mapping existing processes against GDPR requirements, scoping the impact of changes, and identifying stakeholders
- Awareness – driving alignment in the businesses around the resources needed to address required changes
- Design Future State – creating a detailed blueprint for compliance
- Development – transforming the blueprint into actionable workstreams
- Implementation – remediating gaps and implementing new processes, policies, and tools
- Governance – ensuring compliance is monitored and enforced
This effort required hundreds of data source reviews and data protection impact assessments as well as thousands of contract amendments. As I write this post, final tasks (mainly some documentation) are being actioned, and our associates are completing their GDPR training. I’m delighted to say that in all material respects, our major initiatives are complete, and we are GDPR ready for May 25th.
GDPR is indeed a sea-change for our industry. However, it’s just one of the many pieces of data legislation that exist in our world. Achieving GDPR readiness isn’t an end in itself, it’s a step in a journey toward building greater trust with consumers through better transparency and data governance. To truly build this trust, we must embrace an ethical approach to data that goes beyond what the law requires and ensures we operate in ways that are also just and fair to individuals.
While GDPR will surely be seen as an important precedent that influences policy-making in other parts of the world, we cannot expect legislation to keep pace with the rapid innovations that take place in our industry. Instead, we must harness our newly strengthened data governance muscles to implement codes of conduct and best practices that put the consumer at the center. This is the surest way to protect our data-driven economy and pave the way for a healthy, vibrant data-everywhere future.