To comply with GDPR, BlueVenn is having to reimagine itself
The UK-based firm is figuring out how consumer-facing companies in the EU will comply, although it isn’t consumer-facing, and soon, it won’t be in the EU.
It must think like a company that interacts with consumers, since it provides a golden master of customer data records for its hundreds of client companies. That data is then employed to set up campaigns on its platform, which are then implemented through connections with external platforms like email service providers or ad networks.
But it doesn’t interact directly with consumers. If a client is a large insurance company, for instance, that insurance company is consumer-facing and has to obtain consumer consent for specific data uses, as required by GDPR. Since BlueVenn now needs to support those actions on the back end, it must think about how the insurance company goes about its daily business.
Generally speaking, that means its platform now needs to support outright deletions of customer data, VP of Professional Services Justin Morris told me, replacing the previous practice of just adding a “data suppression” flag.
The deletion-on-command functions apply to all of BlueVenn’s clients, but the insurance company has specific requirements — such as deletions of some data but not others — which BlueVenn needs to handle on a custom basis.
As the back end provider of master customer records, BlueVenn needs to work through the process of each client company so it understands the particulars as well as the general capabilities.
It’s not just tracking data or permissions for all its clients, but also making sure the front end — the insurance company — tracks where the data came from, how it was collected and how consent was granted.
And the UK-based BlueVenn is acting as if it’s a European Union-based company, where a national information controller in each EU country can directly enforce GDPR. But the UK, of course, is in the process of exiting from the European Union.
Morris said that his company, which also has a substantial number of client companies in the US and elsewhere outside Europe, is acting as if it is in the EU because the UK still is.
That means not only complying with GDPR, as many non-EU companies are, but relying on the national information controller for guidance.
BlueVenn doesn’t have any special challenges because its platform is all about customer data, he said. But it is now examining its custody chain of consumer data from the points of view of all the participants.
In fact, GDPR-complying companies are looking to make sure everyone in its data supply is making a good faith effort.
“There are a lot of contractual changes [happening],” Morris said. Its client companies need to indemnify BlueVenn against problems with obtaining consumer consent, he said, and the client companies are looking for guarantees from BlueVenn.
Regardless of how well GDPR will protect consumer data, it is already having the effect of making companies understand what everyone else in its data chain is doing.