Title: Data, GDPR & Privacy – Doing it right without losing it all
Speaker: Amie Durr
See the table of contents for more blog posts from the conference.
Goals: send the right message to the right person at the right time using the right channel (ex: email, text, etc.)
One company handles 25% of all non-spam email traffic
Confidence
- We don’t trust brands with personal information. Two thirds of people overall don’t. Nobody in the room did.
- Employees at GDPR-compliant companies also don’t believe their company is compliant
Recent thefts
- Ticketfly – emails and hashed passwords. Shut down their website
- Panera – email, name, phone, city, last 4 digits of credit card number
- MyHeritage – email and hashed passwords
- Myfitnesspal – name, weight, etc
Need to consider
- What do you store?
- For how long do you store it?
Data and privacy regulations
- CASL
- CAN-SPAM
- Privacy Shield – for data leaving Europe
- GDPR – EU
- Future: Germany, Australia, South America
- Not about specific regulations. Need to care about data and privacy. Part of the brand. Customers will leave
Demand for data scientists far exceeds supply
Build trust without stifling innovation
- accountability – what you do with data, who is responsible, continuing to focus on how the data is perceived, audit/clean data, make it easy to see what data you have and how to opt out/delete
- privacy by design – innovate without doing harm, you don’t want to get hacked, be user centric, move data to the individual so you aren’t storing it, what is actually PII vs what feels like PII. Anonymize both
Remember user data. If the user types it in, could be anything in here
What they did
- dropped log storage to 30 days. You have 30 days to comply with requests to delete data, so if logs age out within 30 days, deletion is handled by design for log files
- hash email recipients
- Remove unused tracking data
- Communicated with customers
- Kept anonymized PII data, support inquiries, etc
- some customers feel 30 days is too long, so they are looking at going beyond what the law requires
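The two list items above that are concrete engineering (hash email recipients; 30-day log retention so deletion requests are met by design) are worth seeing as code. The block below is an added example, not code from the talk or from the speaker’s company, and every name in it (PEPPER, normalize_email, keyed_token, purge_expired, the sample log) is an assumption made for illustration. It also shows the caveat a practitioner would raise about “hash email recipients”: a bare SHA-256 of an address is not anonymous, because anyone holding the logs and a list of candidate addresses can hash the candidates and match; a keyed hash (HMAC under a secret “pepper” kept out of the log pipeline) keeps equal addresses joinable and deletable while denying that guessing attack.

```python
"""Added example: keyed recipient tokens plus 30-day log retention.

Not code from the talk. Names, the pepper value, and the sample log
are constructed for this example.
"""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed secret "pepper" for this example only. In production it comes
# from a secret store with its own access controls, never from the log
# pipeline's source or config, and it is never written to the logs it protects.
PEPPER = bytes.fromhex(
    "4f9c2b7e1d3a5c6f8e0b1a2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60"
)


def normalize_email(addr):
    """Lower-case and trim so one recipient maps to exactly one token."""
    local, _, domain = addr.strip().partition("@")
    return f"{local.lower()}@{domain.lower()}"


def naive_token(addr):
    """Bare SHA-256 of the address. Looks anonymous, but the address space
    is small enough that an attacker can hash guesses and match."""
    return hashlib.sha256(normalize_email(addr).encode()).hexdigest()


def keyed_token(addr, pepper=PEPPER):
    """HMAC-SHA256 under a secret pepper. Equal addresses still give equal
    tokens (so joins and deletion requests work), but a log thief who does
    not hold the pepper cannot confirm a guessed address."""
    return hmac.new(pepper, normalize_email(addr).encode(), hashlib.sha256).hexdigest()


def recover_by_guessing(token, candidates, tokenizer):
    """What an attacker with the logs does: tokenize each candidate address
    the same way and look for a match. Returns the address or None."""
    for cand in candidates:
        if hmac.compare_digest(tokenizer(cand), token):
            return cand
    return None


def delete_recipient(records, addr, pepper=PEPPER):
    """Service a 'delete my data' request without ever storing the address:
    drop every record whose recipient token matches the requester's."""
    target = keyed_token(addr, pepper)
    return [r for r in records if r["recipient"] != target]


def purge_expired(records, now, max_age_days=30):
    """Retention by design: anything at or past max_age_days is dropped, so a
    deletion request that must be met within that window is already met
    for the log data by the time the deadline arrives."""
    limit = timedelta(days=max_age_days)
    return [r for r in records if now - r["ts"] < limit]


# Constructed sample log: recipients stored only as keyed tokens.
NOW = datetime(2018, 7, 1, tzinfo=timezone.utc)
SAMPLE_LOG = [
    {"ts": NOW - timedelta(days=1), "recipient": keyed_token("alice@example.com"), "event": "delivered"},
    {"ts": NOW - timedelta(days=10), "recipient": keyed_token("Bob@Example.org"), "event": "bounced"},
    {"ts": NOW - timedelta(days=45), "recipient": keyed_token("alice@example.com"), "event": "opened"},
]


if __name__ == "__main__":
    guesses = ["carol@example.net", "alice@example.com", "bob@example.org"]
    print("naive token recovered:", recover_by_guessing(naive_token("alice@example.com"), guesses, naive_token))
    print("keyed token recovered:", recover_by_guessing(keyed_token("alice@example.com"), guesses, naive_token))
    print("records after 30-day purge:", len(purge_expired(SAMPLE_LOG, NOW)))
    print("records after deleting alice:", len(delete_recipient(SAMPLE_LOG, "ALICE@example.com")))
```

Note the two things the keyed token preserves that the talk’s use case needs: the same address always yields the same token (case and whitespace are normalized first), so per-recipient analytics and joins still work; and a deletion request can be served by recomputing the token from the address the requester supplies, so the address itself never has to be kept. Rotating the pepper invalidates every existing token, which is a feature if the goal is to cut off old data, and a cost if long-lived joins are required.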
Can delete parts of the data vs everything (ex: Stack Overflow)
Brand and PR vs actually keeping users safe [like what happened with accessibility and Section 508]
My take
Good talk. I liked the level of detail and concrete examples. I would have liked a refresher on GDPR. But there was enough to tell me what to google. That helped with what I didn’t know (or forgot).