GDPR Compliance within SAP Hybris Marketing Cloud

11th April 2018 Written By Andrew Griffin

Effective from May 25th, 2018, the Data Protection Act 1998 and the 1995 Data Protection Directive (95/46/EC) will be replaced by EU Regulation 2016/679, known as the General Data Protection Regulation (GDPR).

The aim of the GDPR is to strengthen data subjects’ rights in the following ways:

  • the need for the individual's clear consent to the processing of personal data
  • easier access by the subject to his or her personal data
  • the rights to rectification, to erasure and 'to be forgotten'
  • the right to object, including to the use of personal data for the purposes of 'profiling'
  • the right to data portability from one service provider to another

This new regulation will have a dramatic impact on the marketing functions within all organisations that operate within the European Union, and those that hold or process personal data about EU residents, or monitor an EU data subject’s behaviours.

This blog explores the data that is affected by the regulation, as well as the functionality within SAP Hybris Marketing Cloud that contributes to GDPR compliance.

GDPR infographic Source: Council of the European Union

Who are Data Subjects?

A “Data Subject” is a natural person whose personal data is processed by a controller or processor.

This includes individual customers (such as a Business-to-Consumer [B2C] relationship to the organisation), corporate account contacts (such as a Business-to-Business [B2B] relationship to the organisation), and employees (natural persons that are internal to the organisation).

What Data is Covered?

GDPR covers personal data, which is any information that relates to an identified or identifiable natural person.

Special Category Data is given additional protection because it is deemed to be more sensitive. It is broadly similar to the concept of Sensitive Personal Data under the Data Protection Act 1998, although it was extended to include genetic data and some biometric data, whilst safeguards for criminal offences and convictions data were moved to a separate Article 10 of the regulation.

Hybris Marketing Cloud infographic

How is SAP Hybris Marketing Cloud Affected?

To determine how SAP Hybris Marketing Cloud is impacted by GDPR, and how it can ensure compliance, we first need to consider its role in an organisation's landscape.

SAP Hybris Marketing Cloud receives input from a variety of disparate data sources such as back-office systems, cloud systems and social media. That data is merged and matched to create a “golden record” of the customer contact or consumer using the highest data quality available, and the record can also be enriched.

Fundamentally, SAP Hybris Marketing Cloud collects data from multiple source systems, but it is not a master data management solution and it does not update the data on source systems. Therefore, requests under the rights to rectification, to erasure, 'to be forgotten', to object, or to data portability from one service provider to another should be handled by the integrated data source solution, rather than SAP Hybris Marketing Cloud. For example, SAP customers integrating SAP Hybris Marketing Cloud with SAP Hybris Cloud for Customer should look to the Data Privacy Management and associated functionality within SAP Hybris Cloud for Customer to effect the necessary GDPR data management compliance.

To reiterate this crucial point: the data within SAP Hybris Marketing Cloud can be updated directly, for example, to correct the telephone number against a customer contact, but this will not update the system that is the source of the record. This scenario is only sensible where customer contact or consumer data has been loaded directly into SAP Hybris Marketing Cloud, such as leads from a third-party data vendor.

SAP Hybris Marketing Cloud’s primary functionality for GDPR compliance is:

  • Gathering and storing clear consent to the processing of personal data, such as:
    • Consent for contact, also known as marketing permissions
    • Subscription data
  • Providing the ability to export customer contact or consumer data, providing easier access by the subject to his or her personal data
  • The right to object to the use of personal data for the purposes of 'profiling'

Consent to the Processing of Personal Data

Within SAP Hybris Marketing Cloud, a landing page is created to capture contact preferences, which is exported as HTML source code to be hosted on the relevant web server. JavaScript and Cascading Style Sheet source code may optionally be downloaded as required, to accompany the HTML code and provide further context.

Details can be pre-populated from the customer contact or consumer details held in SAP Hybris Marketing Cloud, which enables the right to rectification if the natural person’s contact preferences or attributes change.

When consent is given, it enables the marketing team to contact the customer contact or consumer on the channels stated. This is explicit consent, in contrast to implied or implicit consent which is less favourably viewed.

As part of the campaign process, SAP Hybris Marketing checks the contact preferences prior to including a customer contact or consumer in any marketing campaign activity. Additional checks are also made during this process, to ensure that a customer contact or consumer has not been contacted too frequently in the recent past according to business rules, and to make sure that suppression rules are observed.

As with marketing contact permissions, subscription data is collected by using the Content Studio in SAP Hybris Marketing Cloud to create a landing page where this data can be maintained.

Visibility of Customer Contact or Consumer Data and Exporting

SAP Hybris Marketing Cloud offers clear visibility of data in a number of ways: clear permission marketing, exporting customer contact and consumer data via target group export, viewing the data sources used to build the “golden record”, and the profile factsheet available for integration with systems like SAP Hybris Cloud for Customer.

Permission marketing displays both positive (opt-in) and negative (opt-out) permissions, as well as listing any subscriptions.

Using Segmentation and the Profile Dashboard, it is possible to create target groups of any size based on shared characteristics, which can then be exported in a standardised format to meet data portability requirements.

Both segmentation and the Profile Dashboard enable the selection of a subset of customer contacts or consumers, which in turn can be used to create a target group for export.

The Origin Data tab of the contact profile graphically represents the disparate data sources which have been merged and enriched within SAP Hybris Marketing Cloud to present the “golden record” single version of the contact.

The Right to Object to the Use of Personal Data for the Purposes of 'Profiling'

SAP Hybris Marketing Cloud enables the processing of customer contact and consumer profiles at all stages of qualification. For example, data can be recorded about “anonymous” website users who have not been identified in any way other than by their event activity. Previously this information may have been used to target marketing efforts to certain demographics, but under GDPR data subjects may now object to the use of their personal data for profiling.

To ensure compliance, the qualification level of the customer contact or consumer can be used to filter out anonymous data subjects from marketing campaigns, and can also inform rigorous data hygiene routines.

Conclusion

GDPR compliance cannot be achieved through one application; it requires process and attitude changes throughout the organisation in the way that customer contact and consumer data is acquired and collected, processed, stored and retained.

SAP Hybris Marketing Cloud provides functionality to handle contact preferences and subscriptions, with integration to the organisation’s website server, as well as providing greater visibility of the holistic customer contact or consumer record.  Data sources and merging techniques are transparent and can be used to identify those data sources which require updating.

Crucially, SAP Hybris Marketing Cloud collects data from multiple source systems, but it is not a master data management solution, so it does not update the data on source systems. Therefore, requests under the rights to rectification, to erasure, 'to be forgotten', to object, or to data portability from one service provider to another should ideally be handled by the integrated data source solution, rather than SAP Hybris Marketing Cloud. Such changes will replicate back to SAP Hybris Marketing Cloud and provide data consistency across the organisation’s landscape.

 

 
