Are you a data subject? If you’re a person, then you better believe you are! And, so is every person who visits your website. And, if you are in the EU, or you have visitors from the EU, then May 25th, 2018, is a day you should be keeping a close eye on and preparing for now! On this episode, Jodi Daniels of Red Clover Advisors joins Moe and Tim to talk all things General Data Protection Regulation (aka, GDPR). Give it a listen and pick up delightful cocktail party openers like, “Hey, do you know how to tell someone isn’t from the EU? They reference PII.” That’s not just a delightful witticism — it’s actually important to understand the distinction between PII and personal data!
Referenced on the Show…
- The World is Flat: A Brief History of the Twenty-First Century (book by Thomas L. Friedman)
- General Data Protection Regulation (GDPR)
- Digital Advertising Alliance (the other DAA)
- AdChoices (the little blue icon)
- Canada’s Anti-Spam Legislation (CASL)
- Telephone Consumer Protection Act (TCPA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Aurelie Pols
- Personally Identifiable Information (PII)
- ePrivacy Directive
- Edward Snowden
- Sarbanes-Oxley Act
- “What if I fall? Oh, but my darling, what if you fly?” – Erin Hanson
- Boruta feature importance explained
- A practical Boruta example by Jim Thompson
- Attribution Theory: The Two Best Models for Algorithmic Marketing Attribution – Implemented in Apache Spark and R
- Startup Podcast – Season 6, Episode 7 – The Grand Challenge
- Startup Podcast – Season 6, Episode 8 – The Race for the Driverless Future
00:00 Tim Wilson: Hi, everyone. Welcome to the Digital Analytics Power Hour. This is episode 77 and I’m Tim Wilson, not Michael Helbling. Regular listeners know that Michael normally takes on moderator duties for this show but for some logistical reasons I’ve assumed that chair for this episode. It’s a nice chair and Michael will be back sitting in it next episode. I’ll try to remember to return it to its original height after the show. But I also realize without Michael to keep me in check, this may be a three-hour episode. So hopefully here to keep that from happening is, as always, Moe Kiss from THE ICONIC. How’s your chair today, Moe?
00:37 Moe Kiss: Yeah, my chair’s not too bad, but probably not as good as yours.
00:41 TW: So Moe, I consider you to be a person. But I’m also starting to think of you as a data subject. That’s because I’ve been doing a little light reading about the General Data Protection Regulation, or GDPR, which goes into full effect on, I think, May 25th 2018. If you’re thinking, “GDPR? Isn’t that just some European thing?” Then you’d be thinking right. But the world is flat, as Thomas Friedman has taught us. Globalization, baby, which means regardless of where you live and where your organization is based, it’s quite possible that GDPR can or should impact the way you capture and store data. That’s the topic of today’s show. GDPR. What is it? Who needs to worry about it? Is it acceptable to pronounce it “goodpra”? And if not, then why not? Okay, maybe not that last one. But GDPR is a pretty complicated topic and we knew we weren’t equipped to cover it exhaustively and accurately on our own. So we brought in a ringer on the topic.
01:41 TW: Jodi Daniels is the founder of Red Clover Advisors, which is a consultancy that advises companies during all phases of their development cycle with respect to their online and data strategy and data privacy needs. Sound exciting? Well, prior to moving into consulting full time, Jodi was a senior vice president in charge of enterprise privacy compliance at Bank of America, which I’m pretty sure made her really popular with certain groups inside the organization. She also held roles before that at Cox Automotive, AutoTrader, Cox Enterprises and the Home Depot among others. Welcome to the show, Jodi.
02:15 Jodi Daniels: Thank you. Glad to be here.
02:16 TW: Awesome. Representing Atlanta in Michael’s absence, so no pressure.
02:21 JD: Nope. No pressure at all. [chuckle]
02:23 TW: So we were talking a little bit before the show, because I think it was like your role at Home Depot maybe was actually targeting personalization type work.
02:33 JD: At AutoTrader.
02:34 TW: At AutoTrader?
02:35 JD: Yes.
02:35 TW: Which seems like it’s kind of the antithesis of anonymity and privacy. So maybe this is one of those shows where it would be pretty interesting to hear how you got from tracking people obsessively and providing them relevant content by creeping them out to the world of privacy.
02:52 JD: Sure. So I built an online targeted advertising network at AutoTrader and Kelley Blue Book where we basically stalked you for cars. So if you came to our sites, we knew that you were a Honda shopper or a Toyota shopper and followed you along in the ecosystem and served you a relevant ad and hoped that you buy that car. Around 2009, with implementation in 2011, all the online advertising associations banded together to form this concept called the Digital Advertising Alliance, which is basically to give consumers the chance to know and be informed about the online advertising targeted market and give them some choices. I was responsible for our compliance with the Digital Advertising Alliance, or the DAA, or what’s known as AdChoices, the little blue icon.
03:41 TW: Oh, my God. There’s another DAA. No!
03:46 JD: But this DAA is all about the little blue icon. And so I was responsible for our compliance and I realized that there was an opportunity to really expand the privacy work that we were doing at AutoTrader and so I basically carved out a role and I was focused on privacy full time. Because some people think tracking is kinda creepy and the DAA and AdChoices is really all about giving consumers intel and choice around the targeted advertising. And it’s global. There’s a Canadian version, a European version, an Australian version, probably some more.
04:21 TW: Was that a tough sell to carve out? ‘Cause that always seemed like that sort of a detention for marketers and we’re gonna get to GDPR. But now I’m kind of intrigued. Were you carving out a role for yourself where you were basically telling your coworkers that they needed to respect privacy which would give them potentially less ability to do micro-targeting type stuff?
04:45 JD: Yes. [chuckle] I did. I created a role for myself. But I come from a business background. I am a firm believer of trying to strike the right balance between reaching the right customer and protecting their privacy. I feel like there’s a balance and to me you wanna reach a customer where they don’t scratch their head and wonder, “Hmm, how did you get that information about me?” and it’s something that’s valuable and useful to them.
05:13 MK: It’s actually really funny because I kind of did the opposite. I used to work in privacy and compliance when I worked in government and then I’ve gone into digital analytics. It’s been really an interesting journey for me about how my own personal views have changed. But I think we can completely agree, I do think that balance is right and the thing that I’m probably learning, I love talking about this topic. People think I’m weird but I find it such a fascinating topic.
05:38 TW: That’s not the only reason.
05:40 MK: And…
05:41 JD: This is a rough group.
05:42 TW: I’m sorry. Was I not muted?
05:49 MK: Yeah, but I do think it’s about the balance but it’s also about what is the customer getting out of this. I don’t know. I feel like there’s gotta be something for their benefit as well when you start talking about privacy and what data that they share with the company. What are your thoughts on that?
06:07 JD: I completely agree. I think it needs to be something that they’re willing to give up and that they receive something of value. Think about direct mail, right? Let’s go back to snail mail, if you can believe it. And you get a catalog in the mail and some of them are really interesting and they go, “Wow, someone must have sold my data, but they really know that I love natural living and healthy products. Or my husband loves biking.” So when we get biking catalogs, we feel like that’s valuable and they’ve targeted us. And it’s the same concept if you were to bring that into the online world, compared to random catalogs of hunting stuff that I’m never gonna ever use and why are you sending me that. I don’t want my information associated with that company, same with the online, where is my information going and how is it being used. And that wouldn’t be valuable to me. So I would be less interested in that.
07:00 TW: So that’s all well and good that we have two, three, sort of right thinking, let’s find the balance. But I sense that the European Union was like, “We can’t really trust all marketers and companies to act that way, so we’re gonna put in the privacy directive first and then now GDPR.” That was me trying to get back to the topic of the show [laughter] which is, let’s enforce that, let’s enforce that right thinking way in a Draconian way. I don’t know. Is that a…
07:32 MK: You’re taking your moderator jobs very responsibly, Tim.
07:35 TW: Well, yeah, which I think maybe that’s… We’re a little ways into the show already and kind of just like the definition of GDPR. So I think that’s, Jodi, you seem well-suited to be somebody who is an expert on this ’cause I sense you’re like, “I know sort of why they did it, but then there’s the reality of how it’s been done.” What drove it? What’s the basic idea behind it?
08:00 JD: Sure. In Europe, privacy is a fundamental right. The way they view your data is I, company collect it and I need to inform you what I’m doing with it and you have to consent. You have to opt in for how I’m gonna use it, compared to the way we think about things here in the US, with the exception of a couple areas like finance and healthcare, we take a sectoral approach, which means we’ll protect your healthcare data in a certain way and your financial data in a certain way. But everyone else, especially in the online world, you should have a notice and then you should give some people some choices kind of after the fact.
08:38 TW: You said a sectoral, like different sectors?
08:42 JD: Sectoral approach.
08:43 TW: Right, like the healthcare HIPAA sector finance. Okay.
08:47 JD: So think email marketing. So there’s the CAN-SPAM Act here in the US, there’s CASL in Canada. So different rules about how you can manage your email marketing. Think Telephone Consumer Protection Act. How can I make direct phone calls or text messages? So that’s one piece. And financial services, if you think about that privacy notice that looks pretty standard across each credit card or bank statement that you’ve gotten or anytime you’ve dealt with any financial organization, there’s a bunch of rules for that. Or think HIPAA for healthcare. Each vertical has its own set of privacy rules. We don’t have a national over-arching privacy regulation. In Europe, GDPR is the over-arching privacy regulation and they put privacy first as a literal fundamental right. I should ensure that my data is well protected, that it can’t, if it got out into the wrong hands, that it can’t harm me in any way that would take away my rights and freedoms. That’s actually literally written into GDPR in some of the articles where we’ll talk about could I be harmed. Could my rights and freedoms literally be harmed.
09:56 TW: So is GDPR codifying what is, and I remember seeing a presentation a few years ago that was talking about the history of Europe and tracing back to the Holocaust and World War II being a large driver of where information about people drove, and the presenter was making the case that it’s deeply, deeply rooted. But does that mean GDPR is kind of the EU saying we need to codify that, because we can treat that, we can see that culturally is a fundamental right, but unless we have something with teeth to enforce it, then in a sense we’re potentially giving nefarious players an opportunity to gain an advantage in the market ’cause they don’t respect that fundamental right. Is that where it came from?
10:40 MK: The way that I actually… I really liked the way that Aurélie Pols explains that, and she is someone that I really, really admire in this space, who talks so passionately about it. When she came out to Australia, we had a really lengthy conversation, because in Australia, just for context, people, I think it’s even behind the US. It’s like people are just like, “Oh, well, whatever,” and they’re like, “Oh, I’ll just say yes to anything because I wanna use Facebook, so I don’t care.” I don’t know. Australians just don’t seem concerned about privacy as much as Americans or even less so than Europeans. And the way that she described it to me, which I really just solidified it, she was like, “You never know, like you think about World War II, you never know who’s gonna be in power. You never know what organization’s gonna do what. So we put this in place as our fundamental right to protect people. And then you might say that you have full confidence now in corporations or government or whoever, but you never know what’s gonna be the case in five or 10 years and who then might be able to use that data in the future.” And that for me was, “Okay, I really get the European perspective now.” Jodi, do you think that’s accurate?
11:50 JD: I think it’s a really interesting view. And actually I was just reading today, Australia might not be so behind for so long. They are looking at some regulations that would potentially be equal to GDPR coming up in the next year or so. So be on the lookout.
12:05 MK: That’s fantastic.
12:06 JD: I think the other way to look at GDPR is each individual member state had its own data protection authority and data protection rules so it was a patchwork system. And now GDPR, each member state has this, I say the word global, but global for those member states. And then it still will have the local data protection authority that is the one responsible for reviewing the compliance with it. But you have, I think, a big part of it is trying to standardize all of the data rules for all EU residents across all EU member states. I think it’s also trying to raise the bar of where we are in modern times and the increase in cyber security concerns, ’cause if you think about it, it’s General Data Protection Regulation. So we’re talking about privacy but we’re also significantly talking about the protection of that, which has a use component but really ensuring that it’s staying where it’s supposed to be and bad actors aren’t getting to it, which is actually a big impetus behind the new Australian piece that they’re looking at around cyber security concerns.
13:14 TW: So talk about the data protection, is that… There is kind of some component of it, you need to have a chief data officer, you need to have or maybe, I don’t know, what’s the best way to… How do you go about describing the scope or the dimensions of GDPR?
13:29 JD: Yes. It’s a big regulation. I think the very first place is to figure out does a company need to adhere to it? Who has to pay attention? I like how you opened. A company that is doing business and is holding data on EU residents needs to comply. It doesn’t have to have a physical location. And I think a lot of people think, “Oh, I’m not over there, I don’t have an office over there so it doesn’t matter to me,” but that’s not true. It’s about the company and where you’re doing business, we’re a global flat world, thank you, Thomas Friedman, and so it really matters. It matters that you have data that you’re holding of these EU residents, it does not matter if you’re just sitting with a SaaS provider based in any part of the world. So that’s to me the very first piece, is to figure out do I have to adhere to it?
14:22 TW: So let me ask on that one, ’cause we have a great example. We’ve got Moe works at an e-retailer that only… You guys only sell within Australia but that doesn’t prevent…
14:34 MK: Australia and New Zealand.
14:35 TW: Australia and New Zealand.
14:36 MK: Yeah.
14:37 TW: But that doesn’t mean that somebody from the UK can’t go to the site, create an account, register, so does… Right? … So they can’t ship, they can’t get stuff shipped to them. So what does that mean? Does that mean a company like THE ICONIC does fall under GDPR?
14:57 MK: You start getting into some really interesting nuances. There’s some provisions for are you knowingly targeting people? How much do you have? How many employees? But if you were to go to the heart of GDPR, it is around every single resident. You also have to think about who is gonna be at most risk. You have to start thinking about your risk profile and if you have two people that came to your sites from France or Brussels or wherever and they complained, yes, you could be. But if you just have a handful of people and the likelihood of a regulator coming after you and you aren’t targeting them and no one’s complaining, then your risk profile’s probably a lot smaller. But in theory if you go to the essence of it, every website in the world would have to comply. The other way to think about it is if you are attracting a base of people from the EU, they’re now going to be very informed and asking good questions about where is their data going. They may be more careful about the sites and companies that they’re interacting with.
16:11 JD: I think it actually is gonna start raising the bar for everybody to start increasing their standards and how they operate and how they communicate. There are, like I said at the beginning, to answer this question, there are some places where a company wouldn’t have to adhere to it, but at the same time you just have to look at that risk profile and figure out are you actively targeting people, where are they coming from, are you knowingly sharing that data with a service provider that might be based in a EU member state? It’s like a yes and a no, it’s the perfect legal answer of “it depends.”
16:47 MK: Jodi, I’m just thinking it might be really useful for some of our listeners. We keep talking about data and there is regulations and protections, but are you able to spell out a little bit more? When we’re talking about GDPR and data, what specifically is it about people’s data that’s “protected”?
17:06 JD: Great question. GDPR also expands the types of data that is included. You hear a couple different terms. First you hear what’s called a data controller, which is kind of what it sounds like, they control the data. But basically it’s a company that almost all the employees of a company, a company is gonna control the data on its employees. It basically is the one making all the decisions. A data processor is kind of what it also sounds, it’s a processor, but it’s basically been hired from a controller. It’s a service provider that’s processing data, think a payroll provider. A payroll provider is a processor of data, of someone’s really sensitive data and they were hired by a data controller. That’s sort of the first piece. And then the types of data that we’re talking about and, Tim, you mentioned a data subject, so people, users, customers, they’re called “data subjects.” And personal data, so they use the words “personal data,” they don’t use the words, “personal identifiable information,” but they just use the phrase, “personal data.” And that can mean the basics, like name, address, email, phone, date of birth, national identifier, driver’s license, account numbers.
18:19 JD: It can also mean what they term “sensitive data,” like biometric data, your geolocation data. It can mean racial, ethnic, political views, sexual orientation, and a variety of other, sort of similar, like, demographic, psychographic kind of data. So, all of that is considered sensitive data. And in the digital world, online identifiers are another piece of personal data. Because if I can connect an IP address to me, Jodi Daniels, they put them together, ultimately, all this digital data can generally be tied back, if you have enough different parts to piece it all back together. So, personal data, the definition is expanded, which is also a big part of this, because what we might have considered personal data as just your sort of typical, name, address, email, it’s not just that anymore. It’s much more. Genetic data is another really big one too.
19:18 TW: That seems like that it is a fundamental, because I feel like when we talk PII, when Google says, “You can’t collect PII in Google Analytics,” there is this sort of a wink-wink nod-nod, like, “Oh, you can collect an ID, because on its own, or in this little one universe that we’re collecting it in, we can’t tie that back to a person,” but it’s perfectly okay to say, “Oh, yeah, but if you take the data out of this system and combine it with another system now you’ve got it to a person.” And I think that is often, there’s that little dance done, whereas it sounds like personal information means, no. If it is a tool to actually get to that linkage regardless of whether it’s planned or exists right now, that falls under the umbrella of personal information?
20:10 JD: Yes. Yep. And an interesting tip, I was at a training, and they said, “Definitely use the phrase “personal data.” If you use the words “PII,” they know you’re not from Europe.
20:24 JD: We won’t give ourselves away. [laughter] Good tip for the day. I thought it was very interesting.
20:29 TW: So how, with that personal information for a user, let’s focus on the digital world, for them to interact with me through a digital channel, there’s gonna be an inherent exchange of that personal data, or in Australia, the personal data.
20:48 MK: Yes, the data.
20:50 TW: So what are, sort of the, it doesn’t say you can’t have that, it just says, what? It doesn’t say you can’t exchange personal data. Data. Whatever. Information.
21:02 JD: We’ve confused you! We’ve confused you. You need consent. You need consent. If you’ve ever gone to a site today, you’ve seen, likely, a cookie banner that kind of appears, that says, “We’re going to collect your cookies,” and “click here,” and you kind of go on your merry way. So, those cookie consent banners are getting enhanced. Either people who create them on their own, or there’s a variety of vendors that can help create and manage that for you. But, it needs to be, not the implicit consent like we have with the cookie banners, but something that’s more actionable, and before the cookies drop. Now, I always like to say, I think for most of our listeners, we’re trying to collect data to actually action upon and use it, but I used to always tell people, “If you’re just collecting data to count, you just wanna count.” You have a right to be able to know, “Five people came to my page,” or, “A million people came to my page,” or, “Three people looked at this.” So, kind of basic counting is considered an essential part of business, and that’s okay.
22:00 JD: When you start getting into the world of, “Well, I want to collect all this interesting information, and I want to use it so I can target them, I can create new products, I’m gonna do something more interesting than just counting,” then you fall into this consent piece. So, those cookie consent banners need to be more explicit, and they also have to break out the types of cookies. So, you’ll start seeing advertising cookies, and analytics cookies, and whatever other flavor kind of cookies that we’re gonna have. But you’ll see those banners and the type of cookies start being broken out, and a user would be able to say, “Yes, you can collect the advertising ones,” and, “Yes, you can collect the analytics ones,” and you’ll have an opportunity to explain a little bit about what these types of things are. You also have to make sure that when the user hits Okay, which needs to happen when they get to the site, and before you drop the cookies, you store that consent. So that, if Jodi Daniels ever comes back and says, “When did I give you consent?” you’d be able to prove that on November 6 at 8:22 PM, that that’s what you did.
23:01 MK: I’m just trying to think about this in real practical terms. It’s not like THE ICONIC, and I like using it as an example, because I feel like it’s an easy… Or, an Amazon, or whatever you want to call it. Most of these… Well, as far as I know, I don’t know any sites that don’t already have like a Terms and Conditions, the difference that when you land on the site, rather than, say, when you create an account, or is it that the consent is not implicit, that you need to actually get someone to hit a button before they do anything… Is that the major difference?
23:36 JD: Today, if you’re operating an EU site, you should already have a cookie banner, and that’s an implicit… That’s implicit consent, because basically, the banner says, “By using this site, you agree that there’s being cookies placed, if you’d like more information, click here,” and it links to your privacy notice, and then they click, and then you’re on your merry way. That consent generally stays until the person clears their cookies. It’s sort of a one-and-done until you clear them and then it gets reset. The same concept will need to exist, except that it can’t quite be that implicit, of basically by saying by using this site, you can go on your merry way. It needs to happen A, before the cookie drops. The consent needs to be categorized by the types of cookies, so today, it’s all cookies under this one banner, just click here keep going. Now, it needs to be more granular and to break out those types of cookies, and the user will be able to say, no, that they don’t want those cookies. You should be able to use the site without the analytics cookie, potentially.
24:36 MK: That was gonna be one of my questions. Firstly, how do you collect… You can collect that Mary Smith consented, but only if she consents. If Mary Smith says no, you can’t collect that Mary Smith said no. Because if you collect that Mary Smith said no, then it’s in breach. That’s the first bit. The second bit is how does this play out where companies basically then go, “Okay, well, if you don’t hit consent, no go. Okay. If you don’t hit consent, you can’t use Twitter, if you don’t hit consent, you can’t use Facebook.” How is that balance gonna work? That’s what lots of companies use now as they’re like… Well, you have to hit consent or you don’t get the service.
25:16 JD: The consent to use your site or the consent for cookies and collecting data cannot be a condition of using the service. Of course we know that our Facebooks and Googles and Twitters and all of them are having daily conversations, and I’m a couple of degrees away from people who I know are having these conversations with regulators to try and figure out, how do we make all of our properties compliant, think about Google who has Google Suite, which has numerous companies around the world, all leveraging their services and I’ll need to make sure that they’re compliant.
25:49 JD: The letter of the regulation would say, everyone needs to update their cookie consent banners to be in this fashion and analytic cookies that are used for purposes beyond just counting and are gonna actually be used for the purpose of understanding our users and bucketing them and profiling and aggregating, that you would have this more specific consent. And so, I think you’ll see more of these consent banners. Now, what’s kind of complicated is that’s what GDPR says and we also have the ePrivacy Directive. And the ePrivacy Directive is also in the process of getting updated. It is not quite there, it’s just almost there, and so, it will be interesting to see how the two of them co-exist.
26:32 TW: Is that also an EU or is that… What’s ePrivacy?
26:35 JD: ePrivacy is the EU cookie… Basically today’s cookie directive, that is an EU piece, it’s now ePrivacy Directive and it’s also getting updated at this same time and its original plan was to be released at the same time as GDPR, so they would go hand in hand. It’s not quite there, but it’s pretty close. And so, there’s some technology vendors that are out there that are helping companies be able to manage these types of cookies or these types of consents.
27:04 TW: Which does seem like that’s where the tag management vendors have sort of actually in my mind… When the ePrivacy or the earlier names of it and I felt like the analytics vendors sort of stuck their heads in the sand and said, “It’s on you the company to figure out whether or not you use us.” GDPR seems to have brought tag management systems out, saying, “We can help you with this, because we are the gateway for everything that might set or read a cookie, so therefore we’re a reasonable place for you to actually manage that.”
27:41 JD: Yeah. It would make a lot of sense for those folks to do it, and I would advise all companies to just make sure you build a process around the tag managers, sort of my pet little peeve in digital governance. So, we have our tag manager, we put all our tags in it, and then we’re good, we’ve locked the controls down, but it still means we need to have an internal process of how does the tag get in there in the first place. Do we have a contract in place that reviews what data we’re collecting or who it’s going to? Is there any piggybacking or daisy chain or anything else like that? It’s always important to have the process, not just the technology.
28:19 TW: Yeah. The daisy chaining… I only put one tag on my site, but Ghostery says you have 27, because…
28:25 JD: Exactly. Exactly.
28:27 TW: That was not the case.
28:28 JD: And that’s a really big part. It’s tied to GDPR, because a company needs to know all of the places its data is going. If I put a tag on my site, and I have a contract in place with that first party, and then that first party shares it with party two, and that person shares it with party three, the company needs to be aware of where its data is going. It’s responsible for that. Digital governance will be really important for a company to make sure it has a handle on it.
29:00 TW: So, you, if you’re working, let’s say it’s like a new client or somebody’s asking you a question, do you go to their site and just fire up the console and say, “Oh, my God, you have 127 cookies being sent.”
29:10 JD: I do. You know what’s funny? I love looking at recipes and healthy recipes and things like that, so when I go to… Or actually a lot of online marketing sites, when I go to these sites and my browser takes forever to load, because they have 150 cookies on it and you could just see them all coming, it kills me, because…
29:33 TW: You’re putting in a quarter cup of DoubleClick, and then a half a cup of The Trade Desk…
29:39 JD: Sometimes it takes so long, I leave and I don’t even get the recipe, because it takes so long to load the site.
29:45 TW: What is the process or the approach? And I know there’s talk of the chief data officer, which I think, is there not some actual kind of staffing requirements for GDPR that you have a role defined and what’s the scope of that role and how do they work?
30:01 MK: That’s what I’m thinking.
30:05 JD: Yeah. So there’s supposed to be something called a data protection officer. And the data protection officer is supposed to be an independent person that is helping advise the company and review the company’s data protection activities and plans. It shouldn’t be the same person coming up with all the policies and all the controls and intimately involved in decisions about the data flow. That person wouldn’t be very independent.
30:31 MK: I just wanna make sure I’ve got this clearly. So every company who has anything to do with European people’s data would have to have this advisory role in some capacity.
30:43 JD: In theory, mostly, yes. There’s also some capabilities for some smaller companies, depending on the types of data that they’re processing or how big they are, it kinda depends on the view. Some people have said, “Companies with 250 employees or less that are not processing data that would jeopardize the rights and freedoms of European residents would not need to comply.” It really all goes down to if you look at what data you’re processing and what data you’re holding and if that data got out and something happened to it could that data subject’s rights and freedoms be harmed? If you are a company of 10 people and you were in the technology field or you’re in whatever field and you’re a really small company but you process really confidential data or you have significant amounts of personal data, maybe I’m a new company collecting online data, and I’m a third party data broker, and I’m gonna sell it, and I’m brand new, I would say, you need to have a data protection officer because if that data got out, someone’s rights might be harmed. So it’s not a hard and fast rule, generally speaking, yes.
31:57 JD: Tim, you were asking, does it need to be independent to the company? It just needs to be independent of the person or people making the decisions about how data is processed. You can appoint someone internally to say, “Jimmy, you’re gonna be the data protection officer.” Jimmy just can’t also be the same person that’s deciding, “Okay, every contract, my data’s gonna go to company A and it’s gonna go to company B and this is how we’re gonna process all this great information and create these profiles.” I can’t be that same person. It has to be independent. And it can be an outside contractor. So a lot of companies are hiring outside contractors on a part-time basis. The big piece is right now data protection officers should have… They’re basically the go between, between the company and the local protection authority. Let’s say, you’re doing business in France, you really wanna have someone who is familiar with the French local data protection authorities or how they do it in France, because it’s gonna be that locale who’s going to be reviewing your compliance.
33:03 TW: So we’ve done phenomenally with having guests who just don’t plug themselves, but is that a role that you play? I’ll just flat out then ask you, is that the sort of thing you will do or can do? Or…
33:16 JD: Today I’m not a data protection officer. Today my specialty would be more on helping companies get prepared for GDPR. Think an assessment, I’m helping a variety of companies right now figure out, “Okay, here’s all the different requirements and where are we in relation to those requirements and helping identify where are the gaps and what we might need to do to move forward or close them.”
33:40 TW: Okay.
33:41 JD: Or like my favorite topic around digital governance and helping around tags and understanding what tags do we have on this site, and what data are we collecting, and where is it going, and what do we need to be doing around that? Think about all the contracts in place. With GDPR you need to make sure that all your vendors are protecting data as well, so you need to really review what your contracts say in regards to that data flow.
34:05 MK: I don’t wanna touch on the whole like, “Here’s the stick component of this.” But when I was reading about GDPR, I actually was completely floored and I ended up having a conversation with a bunch of the other analysts because I couldn’t believe some of the penalties. Can you talk a little bit about the consequences for companies but both based… How it would be enforced in Europe versus if you’re an American company? How would they enforce that? And what are those enforcements?
34:33 JD: The enforcements are pretty big. There’s two different levels of infractions and the biggest level, which is the one that gets the most press, is one infraction could be up to 4% of global revenue.
34:48 MK: Yeah, that’s the one that floored me.
34:51 JD: Yeah. One infraction can be up to 4% of global revenue. The other one is it’s 2% so it’s just a little bit smaller, but it’s a big deal. And that’s why companies really need to be paying attention to it and ensure… You also have a lot of people doing what they call substantial compliance. They’re gonna be doing the very best that they can and knowingly put themselves in a good position. It’s very hard to protect against everything. Think about the world of cyber security, they’re always a step ahead of us and we have to be able to make sure that we’re doing the very best that we possibly can. And that’s the notion behind GDPR is, are you taking privacy and security seriously? Have you thought about it in every single step along the way in your business? And if you are, then you generally should be in good shape, if you’re not, then we’re going to penalize you pretty substantially.
35:42 MK: But how does that get enforced? That’s what I don’t get. If you are an American company or an Australian company and you were found to be in violation, how does…
35:53 JD: It would be the local… So it’d have to be the residence of where you were. So if you were in violation and you’re, let’s just say I had someone complain and I did something terrible with their data or they don’t like what I did or they asked me, ’cause there’s a part of GDPR which is around data portability. I need to be able to… Or the right to be forgotten. I need to be able to have my data deleted. I need to be able to have my data moved. And if I went to a company and they can’t do that, I could go to my local data protection authority and I’ll just keep picking on France ’cause it’s consistent.
36:25 JD: Nothing against the French, they’re lovely. But that’s where that local data protection officer is gonna be really valuable. Because now my company would be brought into that local, wherever I am. And that locale would now be trying to enforce GDPR against me.
36:43 TW: Which seems that they could shut… They could shut down your ability to do business there until you, I would think, that would be part of it.
36:51 JD: I don’t know. I don’t wanna speculate on that quite yet, ’cause it hasn’t quite been enforced. You’ll definitely see some people… I think for sure they’ll probably make an example, this is total speculation, that they would make an example of, especially US companies who think that they don’t have to comply. And some insiders, I’ve been told, also kinda liken this to, I don’t wanna get political, but whatever you believe about Snowden and government interference with data, there is a lot of Europeans who don’t like what has happened with how data has gotten out. And they’re very concerned and they want to ensure that their residents’ data are well protected.
37:32 TW: It seems like you’ve got an entire continent that when this rolls out there will be enough people who are interested and unemployed or under-employed to say, “That’s what I’m gonna do. I’m gonna go around and find violations.” I guess, if you get fined, like say you get hit with the 4%, who does that go to? Does that go to the harmed party or does that go to…
37:58 JD: No. I don’t think so. I think it goes to the government.
38:02 TW: Okay.
38:02 JD: It’s like any other governmental fine.
38:04 TW: And maybe there’s some other damages. I could just see…
38:07 JD: Right. There very well might be a civil piece versus a government regulatory piece. But this is a piece of regulation.
38:15 TW: Okay.
38:16 JD: I imagine how often they have theirs.
38:18 MK: I’ve got an interesting conundrum, then. Perhaps it’s unfair to put you in this position. But we started off the show talking a little bit about the balance. In your view, do you think that this is the right balance? Or do you think it’s going too heavy one way? Do you think that this is setting a world precedent? I’m just interested when it comes from the digital analyst perspective, where do you think this piece of regulation stands?
38:44 JD: Yeah. It’s a great question. Let me talk about where I think GDPR will help companies and do really well. And then I’ll kinda share my personal views on the level of compliance. I think this can actually really help companies. It can help companies understand where their data is. A lot of companies today collect data in all different parts of the company and have no clue where it is. To be forced to understand where it is and to be forced to make sure that you have contracts in place that protect you and your data subjects or really your customers, that’s a good thing. You might even be able to be more efficient because you’ll have more information and might be able to make decisions more quickly. Making sure that you have your customers’ interest at the best heart. What we are thinking about is it valuable to the customer, that’s a good thing. To be able to make sure that you’re… So GDPR requires you in certain situations to have what they call e-privacy impact assessment, which is, think about privacy and security, go through a very formalized assessment before you kick off a project when you’re going to be using data, to ensure that it’s gonna be well protected, does it meet the definitions of personal data, how are you treating that personal data, do you have the users’ consent and things like that.
40:00 JD: From that standpoint with putting the customer first, or the user and the data subject first, that’s a good thing. From a compliance person, and I wear a business hat, it’s a regulation. I think regulations are expensive and regulations can sometimes slow a company down. I’m hopeful that once you kinda get over the initial hurdle of getting everything you need in check, that will be in good stead. That beginning exercise of understanding what you have and getting yourself in a good position is always a little bit of effort. Then from there it should just be business as usual. From what I’ve understood from people who have been talking with those directly involved in the regulation over in Europe, they aren’t looking to abolish the ad tech industry. That’s not their goal. You will see some impacts. Maybe we will see some of the nefarious actors that we all know about who are trying to do things that they shouldn’t be doing. We’ll see those probably not be able to operate in the same way. But I think you’ll also see some really creative and innovative solutions that will ultimately be able to deliver really awesome value to the end customer. I am hopeful we’ll have good innovation while still protecting the data subject.
41:20 TW: For US people of a certain age, you just sounded, it just brought back visions of Sarbanes-Oxley and the…
41:29 JD: I did that implementation at the Home Depot, so I’m very familiar with that whole concept of trying to get it through. Yup.
41:36 JD: And some people have likened GDPR to Y2K, it’s no Y2K. It’s not gonna end the day after.
41:46 TW: But it does seem for me, we’ve got a hard deadline. It’s gotta be figured out. The vision is actually absolutely fine. There are some political leanings if you think the mechanism is through regulation or not is the right way to go, but it’ll be interesting. Did I get my date right, by the way? It was May…
42:09 JD: Yes, you did.
42:10 TW: Okay, May 25th. Okay. I did sufficient research. So…
42:10 JD: I saw it. I was quite impressed.
42:13 JD: I was quite impressed, yes.
42:15 TW: So Moe has done her job, which is normally my job, of prompting Michael to say, “Hey, keep an eye on the clock there, buddy.” So I think I am not gonna find myself saying what Michael says every time, which is, “We could talk for three hours on this.”
42:34 TW: So this has been a fascinating discussion and I’ve got 27 more questions that I wanna ask. Once we’re done recording, Jodi, I hope you don’t have anything else to do for the rest of the day ’cause we’ll just keep grilling you. But before we wrap the topic and move to last call, do you have, I’ll put you on the spot, specific resources or tips for someone who’s probably, frankly, if their company’s not thinking about it they may already be screwed, do you have some go-to resources that you recommend or exercises?
43:08 JD: Sure, so it’s not too late, never too late to get started. And I think I said it somewhere along the way, the best place to start is by doing an assessment and getting a sense of what data do you have. Some companies start with a data inventory and some companies do an assessment against the GDPR requirements. There’s no shortage. I don’t know if I have a favorite website, if you just Google “GDPR assessment,” you’ll probably find a variety of them. You can start and I’m happy to help anyone who is listening on this show, but it’s just starting. Just, first, identify someone in the company who is gonna be paying attention to it. That’s probably the very first piece. And then get a sense of all the different places where you’re collecting and storing and using personal data, and then start getting familiar with the different requirements and you can start mapping against all of those. That’s really the best place to start and it’s definitely not too late.
44:07 TW: Wow! That’s encouraging. But this episode doesn’t come out until April 13th, do you…
44:12 TW: Would you like to change your… No, it comes out before that.
44:13 JD: It’s still not too late, you’ve got six weeks to go. You’ve got six weeks.
44:16 TW: It’s still not too late. We can do it.
44:19 JD: It’s like an Agile sprint, “C’mon, you can do it.”
44:21 TW: It’s fantastic.
44:23 TW: And again, Jodi is not… We reached out to Jodi, so she is not showing her services, but I’m pretty sure she is available to chat with you at least, I’ll put you on the spot. They could reach out to you and you can have that 30-minute conversation and potentially could help them out.
44:37 JD: Absolutely, absolutely.
44:39 TW: I assume.
44:39 JD: Yep, absolutely.
44:40 TW: Okay. Alright. So we will shift gears on the show. We like to do a little thing we call Last Call. It’s like the bar is closing down and the last call, what’s your one parting chat, a tip, a quote, a link, a something that you think our audience might be amused or entertained or intrigued or enthralled by? So, Jodi? Do you have a last call for us?
45:04 JD: I do. I was talking with someone earlier today and it’s in the quotes category and they shared it with me and I just thought, I just loved it. I think it’s applicable to anyone who’s trying to start something new, who has kids, who just, I think, I love it, so it is, “What if I fail?” “Oh, my darling, what if you fly?”
45:27 MK: I really like that.
45:28 TW: Hmm. That’s like the… That’s deep.
45:31 JD: I love it, though. It’s my new favorite of the day.
45:35 MK: I think it’s great.
45:36 TW: What was the quote? Did somebody just like rattle that off or had they heard it somewhere? Is this like…
45:41 JD: We were talking about failures and risks and starting new things and so they had this favorite quote, and they pulled out their phone and shared their favorite quote, which was this and they said, “You know, I have pictures and quotes all the time and I delete them, but this one always stays on my phone.” And I understand why, because if you ever have a bad day or something just doesn’t go the way you want it to go, or you’ve worked on a project, or you’re dealing with… If you’re a parent or you’re a coach, or you’re trying to run the New York City Marathon, there’s a gazillion different ways I think this applies, but I think all of us, we don’t wanna fail as adults, a lot of us, we’re kind of risk averse. And we watch a kid, they fall down and they just literally get right back up, and I think it’s great to remind all of us that we should take that risk because you might fall or you just might soar up into the sky.
46:34 MK: I really like it. I think a lot of the time, particularly in our industry, there’s a lot of change and you have to put yourself out there and try new things, so I think it’s super appropriate.
46:45 TW: Occasionally, you get asked to co-host a podcast and you’re like, “But what if I fail?” And you’re like instead, “What if I fly?” Oh, my God, if Tim had to fly solo on this it would’ve been a disaster, but thank… Fly, Moe, fly.
47:00 TW: Moe, do you have a last call for us that soars?
47:03 MK: Okay, I have one big one and then one mini one. My big one, and I try so hard not to pick R packages because I feel like it’s kind of lame, so instead, what I’m sharing, there is an article by Jim Thompson on Kaggle, he talks through how he used Boruta to understand the different importance of features in house sales. And I’ve actually used this model recently for something at work and there is actually a package called Boruta in R, but you could do this same piece of work in Python or anything, so I’m being language agnostic, but actually the way he talks through it is super, super cool and I’d never actually done feature importance analysis before so it was something new that I tried that I wanted to share. The other one, which I just had a complete brain meltdown when someone showed me this.
48:00 MK: Everyone’s been kind of following along as I’ve been playing around with BigQuery, and I don’t know, I think you can do this on other SQL tools too, but I never knew and I had to share this, because it’s gonna change someone’s life. When you have 10 or 20 lines of code and they all start with the same thing and instead of going through and changing every single line, let’s say you wanna change it from medium to max or whatever it is, instead of going through every single line of code and changing it, you can actually press Alt on your keyboard and then drag it over all of the lines and then change them in one hit, and I literally had like a, “Whoa, this is gonna change my life,” moment when someone showed me and then they also told me I was stupid for not already knowing it…
48:43 TW: With what tool? That was in the BigQuery…
48:46 MK: This is in BigQuery you press Alt on your keyboard…
48:50 TW: But in their web query explorer thing.
48:52 MK: Yeah, and you press Alt and then highlight whatever the metric is and then you can change them all in one hit. It’s very cool. Anyway, I’ll figure out a way to share it with people and I’m sure someone’s written about how awesome it is.
49:05 TW: It’s not often that I personally find myself in a situation where I can look at somebody and say, “You are such a nerd,” but Moe, you did it for me. I feel like that’s cool, that’s awesome, yeah, that’s cool. [chuckle]
49:22 TW: Well, mine is going to be a well, shit… So I think it was the last episode that Michael and I had the same last call miraculously and I’m gonna shockingly actually wind up doing a quick one to say the latest post from when we’re recording this on the datafeedtoolbox.com, but Trevor Paulsen took in his latest post, actually goes through doing multichannel attribution with Apache Spark and R but he runs through how to do… He’s already done all the heuristic techniques, picking last touch, first touch, etcetera, but then he runs through using Shapley value and using Markov chain to do multichannel attribution, and at the end he lines them all up next to each other in his example data. I’m like, “Oh, they’re all about the same,” which makes me think, “You know what? Last Touch might just be fine,” but it’s kind of awesome and it’s a total R homer post, but that’s not actually my last call, my last call is gonna be a podcast, ’cause that’s my nerd thing, which is two episodes from the Startup podcast from Gimlet Media, season six episode seven and episode eight.
50:32 TW: Episode seven was the Grand Challenge and that was kind of the first competition for self-driving cars, which was back in 2004. None of the teams won, no team made it more than a mile and a half over super challenging terrain in Nevada, but a lot of people who came out of that wound up going into Google and other places that are driving the self-driving cars, so the episode eight is really all about the driverless future of cars, and it’s just cool to hear a somewhat mainstream podcast talk about AI and machine learning and all of the challenges with image recognition and decision-making and all that sort of stuff. It was a pair of episodes that were pretty damn cool to listen to.
51:15 TW: We’ve not gone to three hours, which is a miracle, we fought through our technical challenges… Well, I guess we haven’t recorded three hours, we spent two and a half hours trying to get everybody’s mics working, but that’s just normal. If Michael had been here it would have been four and a half hours, so that’s all good. But Jodi, thank you so much for coming on, representing Atlanta and by the way, that’s why you’re getting the honey magazines, ’cause you are in the state of Georgia, there’s broad base targeting, but thanks so much for coming on and that was super informative. Thank you for that.
51:53 MK: Thank you very much.
51:54 JD: Thank you for the opportunity. It’s my pleasure.
51:56 TW: And we always like to hear from people. If there are things we didn’t ask or things that we totally missed we’d love to hear from you on our Facebook page, comments on the show page on Twitter, on Measure Slack, you name it, we’re accessible and it’s always fun to interact with listeners, so reach out to us. For myself, for Michael Helbling who was here in spirit and will be back on the next episode, and for Moe Kiss, keep analyzing.