How looking after your marketing data can help protect privacy, and deliver ads people actually want to see.
GDPR (General Data Protection Regulation) means that, as marketers, we're required to implement policies, procedures and tools to help protect the privacy of our customers and leads. The same goes for your Facebook, Facebook Messenger and Instagram ads. In this article we share some thoughts on how to deliver great marketing, whilst staying compliant.
Remember, these are just some best practice ideas, and you should always seek advice from your legal counsel on the correct approach for your business.
In the majority of cases, as a brand you will be deemed a Data Controller. This means, under GDPR, you will have to demonstrate:
how the data is collected
what exactly you are using the data for
that people have explicitly agreed to you holding and using their data
how long it will be held on record for
that you give people the ability to easily opt out
that people have the right to access the data that you hold on them
While Facebook provides you with the tools to reach your audiences on the platform, generally it is you, the advertiser, that has responsibility as the Data Controller.
Conversely, a Data Processor handles personal data on behalf of a Data Controller. In the majority of cases, this will be Facebook, or tools like Driftrock if you use them.
You are the Data Controller for your Facebook Custom Audiences, therefore you have responsibility for its collection and use. Facebook, in turn, is the Data Processor, in that it provides the tools to enable you to process these audiences on its platform.
Facebook Audiences and GDPR
With a wealth of targeting available, each different Facebook audience type is classified differently under GDPR.
There are audiences that rely on you using first-party data, pulled from your CRM. Then there is audience data that Facebook makes available to advertisers 'out of the box'.
Below are various Facebook, Facebook Messenger and Instagram targeting methods, and how we believe they currently relate to GDPR.
Solution ideas: Automatically sync custom audiences from CRM, using a tool like Driftrock Audiences. Opt-outs from your CRM are automatically removed from Facebook custom audiences.
Facebook Lookalike Audiences
Data Controller: YOU
Data Processor: Facebook
Responsibility for the seed audience data and consent: YOU
Solution: Automatically sync custom audiences from CRM, using a tool like Driftrock Audiences. Opt-outs from your CRM are automatically removed from the Facebook Custom Audiences that are used to build your Lookalike.
Facebook Detailed Targeting
Data Controller: Facebook
Data Processor: Facebook
Responsibility for Data: Facebook
Solution: No action required
Instagram
Data Controller: YOU (unless you are using detailed targeting)
Data Processor: Facebook
Responsibility for Data: YOU
Solution: Automatically sync custom audiences from CRM, using a tool like Driftrock Audiences. Opt-outs from your CRM are automatically removed from Facebook custom audiences.
Facebook Analytics
Data Controller: YOU
Data Processor: Facebook
Responsibility for Data: YOU
Solution: Facebook Analytics allows you to use User IDs to identify users, and therefore to remove them as well. It's worth taking a look to see how you can use these features.
Facebook Lead Ads
Data Controller: YOU
Data Processor: YOU
Responsibility for Data: YOU
Solution: You are responsible for the lead data you collect, and for ensuring you have adequate consent. Make sure you store the exact consent that people opt in with in your CRM or other systems.
It's a good idea to study the GDPR guidelines by the ICO here.
Every business is different, so seek legal advice to make sure you are compliant.
Ensure you have the right tools in place for Custom Audiences and Lead Ads to help stay compliant. Driftrock Audiences and Lead Sync can help with this.