October 7, 2015
Yesterday morning, many of us in the United States awoke to some troubling news: the European Court of Justice (ECJ) had ruled that the Safe Harbor agreement is no longer valid. Security & risk (S&R) and data management folks kicked into high gear. Customer insights and digital marketing teams…? Well, the news slipped past mostly unnoticed. That's a mistake.
Let's start with a primer on Safe Harbor. If you're a multinational company doing business in Europe, Safe Harbor is the agreement under which you've been allowed to bring European customers' data back into your servers in the US for purposes of targeting, analytics, campaign management, etc. If you work with a US-based database MSP, digital or CRM agency to manage customer data, they've likely been relying on the same agreement. It's a nearly 20-year-old agreement that was put in place to bridge the gap between Europe's strict data protection laws and America's relative dearth of them.
Now, that agreement has been deemed invalid, which means that every company serving European customers needs to reexamine its data practices. Of course, this is primarily the purview of our technology management peers. But customer insights professionals need to partner closely with them on two fronts:
- Speak up about your third-party data sharing practices. This includes sharing between business partners (for example, passing customer data to a firm that administers your loyalty program or manages warranties), sharing CRM data with digital marketing vendors, and even using third-party trackers on your website that collect IP addresses. Any third-party data sharing could come under scrutiny from the European Data Protection Authority, so you'll want to have a consent-based model for collecting and sharing that data soon.
- Identify all marketing vendors that touch European customer data. Work with S&R colleagues to evaluate your current vendors' practices and ability to respond to the ruling. In particular, pay close attention to database marketing services providers (MSPs), customer engagement/relationship agencies, data management platforms, and customer analytics vendors. Most of these vendors are already triaging to ensure they can react appropriately given the types of personal data they handle, so they should be able to provide you with their own findings and plans soon.
My S&R peers have published a timely report on the ECJ ruling and what it means for their clients. I encourage you to share the report with your own peers, then work with them on the steps above.
As always, don't hesitate to reach out to us with questions you may have about this important ruling.