GDPR Administration

The GDPR requires that business processes keep data protection front of mind. Privacy is considered at the first step of any design of functionality at Apteco.

Most data that is processed in the Apteco Marketing Suite is created and managed externally. This data is loaded through FastStats Designer into a FastStats database. The source systems are responsible for the management of Personal Data and whether it is included in the data processed by FastStats. If a person requests that their information be removed and the organisation removes the data from these source systems, that person will effectively be removed from FastStats the next time the FastStats system is reloaded (typically daily).

However, there is some information that is created within the Apteco Marketing Suite and which is attached to an identifiable person. This information includes, for example, the campaigning activity in PeopleStage and the responses gathered from email broadcasters. This is Personal Data and needs to be managed within the new regulations. The new GDPR admin functions in PeopleStage enable an organisation to manage this data. The following diagram shows an overview of how data flows through the Apteco Marketing Suite.

Overview of the Apteco Marketing Suite

GDPR Administration Tool

The new functions enable you to count, anonymise or remove all instances of Personal Data related to a specified individual where the master copy is held by PeopleStage or the response databases.

The GDPR Admin functions apply to the master data stored in the PeopleStage and Email, Facebook or Twitter Response databases.

These functions do not apply to copies of output data delivered by PeopleStage. This data will normally be managed by our client or partner organisation to remove these files from the server after a sensible period. These functions also do not apply to the copies of data uploaded to the downstream channels (email broadcasters, social networks, messaging systems, web content management systems, contact centres, lettershops, etc.). In each case, functions offered by the channel provider will need to be used to remove Personal Data from the channel systems.

The new GDPR Admin functions do not apply to the PeopleStage Archive database (on the basis that the archived information is not operational and will be removed anyway). Neither do the new functions apply to the forthcoming PeopleStage Staging database or the Pull Marketing database, neither of which is in production use with any client yet. We plan to extend the GDPR Admin functions to support the PeopleStage staging database when this mechanism is released.

The GDPR Admin functions do not provide mechanisms for anonymising or removing records from the Cascade campaign management database. Please see the Apteco Marketing Suite GDPR Compliance Guide for information on the Anonymise and Remove scripts to use with Cascade.

Login required - Click here to download the Apteco Marketing Suite GDPR Compliance Guide

Access the new GDPR Administration Function

The GDPR Administration functions are available from the Administration menu once the user has been granted the GDPR Administration role.

  • Select - File > Administration > GDPR Administration

The resulting dialogue includes all the GDPR Administration functions.

GDPR Administration Tool

The dialogue has sections for handling URN, Email, Facebook and Twitter data. In each case you can enter identifying data and choose whether to apply the functions in that area. The dialogue has three methods of operation. You can count the records that will be affected, anonymise records by overwriting Personal Data and remove records completely.

GDPR Anonymise vs Remove

Anonymise

  • Anonymise records by replacing the personally identifiable information with blanks.
  • This option overwrites Personal Data with blanks and replaces the email address with <a-random-string>@example.com, but leaves the URNs in place in the database. Attribute data attached to the communication history will all be overwritten with blanks to remove any data regarding the data subject stored with the communications history.
  • This approach is intended to retain data for statistical analysis while fully complying with the request to be removed. It protects you from accidentally re-processing the data subject record through existing campaigns if you have communication constraints or rely on the default constraint of each person only being in each campaign once.
  • Apteco warrant that no connection is retained between the data subject and the random string used for the email address. The example.com domain is an industry-wide standard that discards all email received, so no person can receive the dummy email address generated.
  • This process is not reversible.
  • This mechanism relies on you removing the connection between the URN and the data subject in the source systems. If you retain any connection between the URN and the data subject, the URN is still Personal Data and retaining it means you have not fully complied with the data subject’s unconditional right to have their data removed.

Remove

  • Remove all records from the database, including reference numbers.
  • This option deletes all of the records that have been identified as containing Personal Data.
  • This approach is intended to provide a complete removal of all data associated with the data subject and includes removal of all unique reference number data as well as all data fields.
  • Data rows will be deleted from the PeopleStage, Email Response, Facebook Response and Twitter Response databases (depending on the options chosen). Once the data is deleted, it cannot be retrieved from the Apteco Marketing Suite databases or the Apteco log files.
  • This mechanism should only be used once the data subject record has been removed from source systems. If you remove all records from the PeopleStage database and still include the data subject record in the data loaded into FastStats, you risk re-selecting that record for existing campaigns and accidentally sending marketing communications, the exact opposite of what was intended!

The GDPR Admin function keeps a record of the identifiers used and the date that the Remove function was applied. This log is not subject to the GDPR Administration data removal processing! We believe that this is appropriate to show compliance with the removal request made by the data subject.

The GDPR Administration tools need to be used in conjunction with a wider view of GDPR obligations and the management of data in your source systems. We provide software for great analytics and marketing automation, but this is just one part of the end-to-end data processing of your customer and marketing data. Whether you are the data controller or the data processor, please ensure you have considered the whole data processing requirement before using the GDPR Admin functions.

Provide Identifying Information

To operate the GDPR Administration functions, you must provide identifying information for the data subject making the removal request.

For records in the PeopleStage database, the data subject is identified by Unique Reference Number. Type a reference into the URN field and select the check boxes on the areas that you wish to process:

  • The state history and pools option handles the records within PeopleStage’s journey history. This is the data that tracks where an individual has passed through a campaign and what point they are now at within that campaign if they are retained in a pool.
  • The communications and content option processes the instances of data in the PeopleStage communication history. PeopleStage stores a record for each communication with an individual and the content variations used in that communication. PeopleStage can also store and/or output attribute values with the communication. For example, you could store the total spend made by a customer prior to your communication. This attribute data is included in the GDPR Administration processing as part of the communications and content.
  • The Live Data function checks the data retained by PeopleStage as a result of processing live data from external sources. It does not count or cleanse data from the external live data sources, but does cleanse the internal copy of this data used for processing the data subject.

The data subject can be identified in the Email response database by URN or by email address. Which identifier applies depends on the method that your ESP uses to return response data. Some ESPs can return data by the URN you uploaded. Others return data only by email address. If you provide a URN and an Email address, both will be used and data will be processed if matched by either identifier.

  • The Email Responses check box indicates that you wish to remove data from the Email response database. As described above, the email address may be made anonymous or may be removed.

The data subject can only be identified in the Facebook response database by the combination of First name and Last name.

  • The Facebook function will operate if you provide both a first name and a last name. Beware that if you have multiple Facebook users with the same name, applying the Facebook GDPR Admin process will affect the Personal Data collected from all of those users. Note that the GDPR Admin process does not attempt to match with the Facebook response database if you only provide a first name or a last name.

The data subject can be identified in the Twitter response database by Fullname or Twitter handle.

  • The Twitter GDPR Admin function will use either or both identifiers and any data matched by either identifier will be processed according to your choice in the GDPR Admin dialogue.

You can use any subset of the identifying information and processing areas. For example, if you do not use Facebook or Twitter channels in your FastStats PeopleStage implementation, you do not need to include this data.

Example dialogue with identifying information completed

Check and Perform Anonymisation or Removal

Once you have provided the identifying information and chosen which areas will be processed by the GDPR Administration functions, you would typically Count the number of Items and Instances that will be affected. The results will depend on whether you choose to Anonymise or Remove records using the control at the bottom of the dialogue. Counting for the Anonymise function will show the number of records that need to have data overwritten to remove Personal Data. Counting for the Remove function will show the number of records that will be deleted in total (including those that only have the URN and no other Personal Data).

  • Press the Count button to scan the areas that you have chosen. This process may take a few moments, but you can leave the dialogue to one side and continue work elsewhere in FastStats PeopleStage while it is working.

In the example below, the Remove function has been selected and so the results show the number of records that will be removed from the State history and pools (where there is no Personal Data apart from the URN).

Count for Removal

The GDPR dialogue shows how many items (broadly data records) and instances (broadly data fields, but sometimes related records depending on the part of the data model concerned) will be affected. In this case, there are 40 records in the State History, 22 records with 39 instances of Personal Data in the Communications and Content area and 61 records that contain a total of 118 instances of Personal Data in the Email Response database. In this example there is no data found for the data subject in the Facebook or Twitter databases.

If you run the count for the Anonymise function, you will see that slightly fewer records will be affected:

Count for Anonymisation

In the two screenshots below, the Anonymise function has been used to overwrite the Personal Data with blanks and replace the email address with an anonymous address. Note that the dialogue shows the number of items and instances that have been affected. In the second illustration, counting again for the same function after the Anonymise function has been used shows that no further records will be affected.

Anonymise (Anonymise Only)

Count again after Anonymise

In the example below, the processing function has been changed to Remove records. The count now shows that data will be removed from the State History and Pools as well as the Communications and content. In this consecutive example, the remove function will remove the records that were previously overwritten as they still hold the URN. When the remove is performed (by pressing the Anonymise button) the report shows the number of records removed.

Count again for Remove

Remove

After the removal, if you count again in either Anonymise or Remove mode, the results will all be zero.

Count after Remove
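
The count, anonymise and remove sequence walked through above can be reproduced on a toy database. This is an added sketch, not Apteco's code: the `comms` and `removal_log` tables, their columns and the sample rows are hypothetical stand-ins for the PeopleStage and response databases.

```python
import secrets
import sqlite3
from datetime import date

# Hypothetical stand-in schema, not the PeopleStage or response database layout.
SCHEMA = """CREATE TABLE comms(urn TEXT, email TEXT, attr TEXT);
CREATE TABLE removal_log(urn TEXT, email TEXT, applied TEXT);"""
MATCH = "(urn = :urn OR email = :email)"  # a row matches on either identifier
# Personal data still present: attribute data or a real (non-dummy) address.
HAS_PII = "(attr <> '' OR (email <> '' AND email NOT LIKE '%@example.com'))"

def count(db, ids, mode):
    """Rows the mode would touch; remove also counts rows holding only the URN."""
    where = MATCH if mode == "remove" else f"{MATCH} AND {HAS_PII}"
    return db.execute(f"SELECT COUNT(*) FROM comms WHERE {where}", ids).fetchone()[0]

def anonymise(db, ids):
    """Blank attribute data, swap the address for a random dummy, keep the URN."""
    rows = db.execute(f"SELECT rowid FROM comms WHERE {MATCH} AND {HAS_PII}", ids).fetchall()
    for (rowid,) in rows:
        # Random local part, never derived from the subject's identifiers.
        dummy = f"{secrets.token_hex(8)}@example.com"
        db.execute("UPDATE comms SET email = ?, attr = '' WHERE rowid = ?", (dummy, rowid))
    return len(rows)

def remove(db, ids):
    """Delete matched rows; log the identifiers used and the date applied."""
    deleted = db.execute(f"DELETE FROM comms WHERE {MATCH}", ids).rowcount
    db.execute("INSERT INTO removal_log VALUES (:urn, :email, :applied)",
               {**ids, "applied": date.today().isoformat()})
    return deleted

def demo():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO comms VALUES (?, ?, ?)", [  # constructed sample rows
        ("U100", "", ""),                            # journey row: URN only
        ("U100", "pat@customer.test", "spend=120"),  # communication with attribute
        ("U200", "sam@customer.test", "spend=80"),   # a different data subject
    ])
    ids = {"urn": "U100", "email": "pat@customer.test"}
    before = (count(db, ids, "anonymise"), count(db, ids, "remove"))
    done = anonymise(db, ids)
    after = (count(db, ids, "anonymise"), count(db, ids, "remove"))
    removed = remove(db, ids)
    left = db.execute("SELECT urn FROM comms").fetchall()
    log = db.execute("SELECT COUNT(*) FROM removal_log").fetchone()[0]
    return before, done, after, removed, left, log

if __name__ == "__main__":
    print(demo())
```

In the sample data the Anonymise count drops to zero after anonymising while the Remove count stays at two, because the overwritten row and the URN-only row both still hold the URN.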

Conclusion

The new GDPR Administration dialogue in FastStats PeopleStage provides strong data subject removal functions. You may choose to anonymise the data in place or remove all data. Each approach needs to be used with care as part of a wider end-to-end view of your GDPR obligations and data processing.
