Home News Opinion: First Party Data and GDPR

Opinion: First Party Data and GDPR

With third party cookies on the way out, marketers contemplating the use of first party data strategies will still need to keep data protection top of mind if they are to build trusted relationships with their customers, writes Steven Roberts.

Marketers have relied on third party cookie data for many years as a core part of their digital activity, enabling their brands to deliver targeted, personalised communications. Google’s announcement that it will block these cookies from its Chrome browser by 2023 therefore carries significant implications. Other browsers, such as Firefox and Safari, have already implemented similar moves, prompted by data privacy and regulatory concerns. Chrome however, is the dominant player globally, with approximately 65% market share worldwide and over 53% of the market in Ireland. As marketers re-evaluate their strategies, many are turning toward first party data as a possible panacea. In this article, we will look at some of the data protection issues marketers must be mindful of when considering such a move.

Build a strong privacy culture

Before developing your strategy, ensure you have the right foundation in place. Data privacy policies and procedures are only as strong as the culture within which they operate. Regular training for new and existing staff is crucial to keep privacy foremost in the minds of marketing teams, along with buy-in from top management. For example, while GDPR’s ninety-nine articles cover many areas of data privacy, all team members should be familiar with the seven core data protection principles and the six lawful bases for processing personal data.

Audit your current data

A key step is to audit your company’s data. Identify where you are currently using first party and third party data. This serves three purposes. Firstly, you now have a detailed understanding of personal data within your organisation. Secondly, you can ascertain the aspects of your marketing activity that are reliant on third party cookies, and can explore where and how this reliance can be replaced with first party data. Thirdly, you are meeting the GDPR’s requirement to document your processing activity. Marketers should note that the Regulation places a higher compliance bar on processing what is termed special category data (for example, health, genetic and biometric personal data).

Be Transparent

Many criticisms were levelled at third party cookies. For example, the potential for fraud in a complex, multi-actor ecosystem. However, I would argue that a fundamental issue was lack of transparency. Individuals could not easily identify how their data was being processed or who it was shared with.

Marketers should be mindful of this when establishing first party data strategies. Avoid jargon or overly legalistic definitions. Let your customers know, in clear and simple terms what data is being captured and how it is being used. This is the basis for establishing a trusted relationship. It is especially important when relying on consent as your legal basis. The GDPR requires consent to be freely given, unambiguous, specific and informed. It cannot meet this threshold if consumers are unclear on how their data is processed.


Data protection by design and default

Under GDPR, any new projects using personal data must embed data protection considerations into their design, whilst default settings aim to maximise individuals’ privacy. A key element is undertaking a Data Protection Impact Assessment or DPIA. Whilst mandatory for high risk processing, marketers should consider a DPIA for all new processing projects.

The team initially undertakes what’s known as a pre-DPIA. This is a set of questions to identify, at a top-line level, whether the processing could be considered high risk. Typically, if two or more questions indicate such risk then a full impact assessment is required. The process is extremely helpful in fine-tuning a project and enables the organisation to consider potential mitigating actions.

Global privacy environment

Companies that market outside the EU must be mindful of local data protection legislation. The global privacy ecosystem has become more complex, with many countries adopting new laws since the introduction of the GDPR. Businesses seeking to process first party data from the UK will need to monitor developments within UK GDPR. In the US, the California Consumer Privacy Act (CCPA) is just one of a number of new laws. It is likely the international environment will become more rather than less complex in the coming years.

As the clock winds down on third party cookies, improved use of first party data offers at least a partial solution for marketers. When considering possible options, it is important to ensure that GDPR principles are complied with and that a clear legal basis exists for processing first party data. Transparency is key, underpinned by a healthy privacy culture across the organisation. Tools such as DPIAs can be extremely helpful in assessing the potential privacy risks of a new project and identifying possible mitigating actions. Firms that keep data protection top of mind, that provide value to their customers, and use personal data in an ethical manner will be well placed to thrive in the coming years.

Steven Roberts is head of marketing at Griffith College. He is a Fellow of the Chartered Institute of Marketing and a certified data protection officer. His book ‘Data Protection for Marketers: A Practical Guide’ is available from Orpen Press, Amazon and all good bookstores. To purchase a copy click HERE