May 30, 2018

Podcast Summary:

Consumers continue to increase their digital footprints and demand more personalization, but at the same time less invasion of their privacy. In this podcast we will dive into how organizations can maintain the consumer's privacy while still utilizing personalization in marketing tactics.




Amy:                                     00:16                     Hello, and welcome to Commerce Now, your source for fintech conversations, along with emerging trends in the banking and retail industries. I'm your host, Amy Lombardo.

Amy:                                     00:25                     In today's topic we'll discuss how consumers continue to increase their digital footprints, and demand more personalization, but at the same time, less invasion into their privacy. In this podcast we'll dive into how organizations can maintain the consumer's privacy, while still utilizing personalization in marketing tactics.

Amy:                                     00:46                     Today, I'm joined by two members of Diebold Nixdorf's Legal and Compliance department: Lisa Radigan, Chief Ethics and Compliance Officer, and Stefan Limbacher, Global Data Privacy Officer. Each will share their input and perspective on this relevant and timely topic: Personalization Versus Privacy.

Amy:                                     01:05                     So thanks for joining me today, Lisa and Stefan.

Stefan:                                 01:09                     Thank you for having us.

Lisa:                                       01:09                     Thank you, Amy, it's great to be here.


Amy:                                     01:11                     Okay, so, let's jump into the conversation. Let's start at the highest level what GDPR stands for. There's so much buzz, whether your business is B2B or B2C around balancing that right level of data gathering with then the data privacy. So look at any recent news coverage you see, or even check your own personal email and you can't avoid all the privacy policies or opt-ins that are hitting your inbox.

Amy:                                     01:35                     So, Lisa, can you tell me what exactly is GDPR?

Lisa:                                       01:38                     So, GDPR is the General Data Protection Regulation. It's an EU law that really is designed to harmonize a number of EU laws that have existed for quite some time. And to provide a standard across EU countries, that gives consumers and anyone who has any kind of personal data some additional protections around how that data is used. So it's really just a, a universal framework to provide some consistency. But it will of course impact all companies who end up touching personal data that goes through the EU in any way.

Amy:                                     02:22                     Okay. And we see the news, we hear the buzz that consumers are uneasy about the means that marketers are using to acquire information about them. So it's important to know what material they're willing to provide to get these personalized communications.

Amy:                                     02:38                     So with that said, why do you think consumers are more willing to share information with certain organizations over others?

Stefan:                                 02:46                     Data is being regarded as the oil of our age. So, people will become more and more aware of its value. And I think the key thing is to create an environment where people are confident that their privacy is being protected. If you create an environment like that, then, people will be more willing to share private information. And it will be easier for business to gather information required for them.

Stefan:                                 03:18                     So I think this is a target that can be achieved by these new laws, these new privacy laws which are popping up all over the globe at the moment.

Amy:                                     03:29                     Okay, thank you. So, the GDPR was effective May 25th of this year in Europe. How do you feel the GDPR is affecting the balance between personalization and privacy here in the US?

Lisa:                                       03:43                     So, it's interesting you say it was effective on May 25th, that's partially accurate, it's actually been in place since April of 2016, but it will be applicable starting on May 25th in Europe, which basically means starting on May 25th, companies really need to be fully ready for all of the different ways in which GDPR will be applicable to them.

Lisa:                                       04:08                     So at Diebold Nixdorf, we actually kicked off our program to get GDPR ready about two years ago, because there's really quite a lot of work that we've been doing and that a number of companies are doing and will continue to do to make sure that we're compliant with GDPR.

Lisa:                                       04:26                     GDPR will impact the US because lots of data from the US flows through Europe, or into Europe somehow. And so really it's becoming just the gold standard on how companies deal with and manage data that crosses their systems. You know, the world is a small place anymore, and lots and lots of other countries around the world, including, frankly, in the US, are adopting similar rules, similar regulations to what the principles of the GDPR require.

Lisa:                                       05:03                     For instance we're really taking the view that the GDPR while applicable in Europe, we really view it as the standard that we will use globally and you know, I think lots of companies will end up doing the same, because the flow of data simply is difficult to stop at the borders of Europe.

Amy:                                     05:24                     Got it. So you said that from your opinion this could become the global standard. So do you see it cascading to other areas of the world?

Stefan:                                 05:33                     Yes, actually, I think it's happening right now. So if you look into what's going on in Latin America, and in Asia Pac-Pacific, there, currently is legislation being drafted that picks up on a lot of issues that are dealt with in the GDPR. And, I think this is a process that will be even accelerated by incidents like, Cambridge Analytica. So, data privacy is on people's minds and as you said rightfully in the beginning, you know, people are bombarded with emails around this, and, yeah, I think the sensitivity is at a peak at the moment.

Stefan:                                 06:15                     Global legislation that is coming into place is picking up on GDPR and that is also one of the reasons why Diebold Nixdorf has chosen GDPR to be its gold standard for its global data privacy program.


Amy:                                     06:37                     Okay, got it. So, let's switch gears and talk a little on how GDPR affects banks and retailers. So we talked about earlier how organizations should have in effect a robust data privacy approach. So what is the policy if there is a security breach under the GDPR?

Lisa:                                       07:00                     Under the GDPR there are lots of rules around what you need to do around data breaches. There's the so-called 72-Hour Rule, which basically means you have to inform data protection authorities or potentially even some data subjects if it's a potentially relevant incident that's occurred.

Lisa:                                       07:23                     Data breach notification rules have been around for quite some time, both in Europe and in the US. Lots of US states have these obligations where companies are required to notify when a breach occurs. Lots of companies, including ours, have now established formal breach notification policies to make sure that if a breach occurs that it's escalated appropriately within the organization and is dealt with quickly so that we can adhere to these really quite stringent notification laws.

Amy:                                     08:05                     Okay. So let's talk a little bit about how businesses actually compile the data on a consumer. Are there best practices to get the most information out of a consumer but without offending them? Stefan could you comment on that?

Stefan:                                 08:23                     There are a couple of principles that you need to adhere to. So, the general principle of data privacy is that you're not allowed to process it unless you have a legal reason to do so. For example: Consent or contracts or compliance with a legal obligation or legitimate interest, so you need to be aware what is your legal basis. That is key.

Stefan:                                 08:57                     We’re analyzing every instance where we are touching personal data and we're determining what is our legal basis.  Secondly you need to consider the principle of the data privacy by design. So, that means that you may only process the data which is absolutely required for your goal, and you can't collect any useless information. So you have to focus on what you really need, and what, what fits your purpose.

Stefan:                                 09:31                     As a fair point, you need to delete data which is no longer required and you need to have in place an eraser or data erasure process that ensures that you're not accumulating data which is no longer required. So, coming back to your question, it's the wrong question, "How can I collect as much data as possible?" That is actually already not in line with the spirit of data privacy. You should ask, "What actually do I need?" And only limit yourself to that data which is actually required for your purpose.

Stefan:                                 10:10                     I think when you do that you'll have a different experience yourself processing the data. And if you convey that to your, customers and if your customers can feel that and this is your prime directive when you process data, then I think they will be more willing to give you the data that you actually require.

Lisa:                                       10:33                     And if I can just jump in quickly on, on this point, too ... I think in terms of best practices for how can companies really deal with and manage data and personal information that they're coming across? I think the key, really, to any compliance program, and certainly to anything around data privacy is to make sure that your program is not static and it needs to continue to evolve and continue to grow and change as the business changes, as the needs of particular data changes.

Lisa:                                       11:05                     And I think the GDPR is really quite focused on that, to make sure that you're collecting data for a specific purpose and you're using it for that purpose and you're really evaluating, "Okay, why do we need this? Is there a better or more efficient way to get it? Should we be deleting it at different times?" It really forces companies to think hard about their programs and not just to have it be, you know, "We've put in a policy and it sits on a shelf and nobody's touched it for years."

Lisa:                                       11:39                     You have to really engage in the topic and it has to be sort of top of mind for people as we continue to go forward. I think Stefan's absolutely right; data is (Laughs) by far going to be kind of the oil of our age. And making sure that we're taking care of it appropriately is really one of the things that GDPR is concerned with.

Amy:                                     12:04                     Okay. I actually wanted to drill into something that you had mentioned, Stefan. But is there a way you could give me an example of what a legal obligation is? So you had mentioned that you can collect the data if it's part of a legal obligation. Can you share an example of that?

Stefan:                                 12:23                     So for example, if you’re an employee of a company, the company is collecting your data that is in connection with fulfilling its contract with you. So it can make payments, for example, to you. Once you're terminated or once that labor agreement was terminated, you no longer have that, contractual obligation to have the data. Actually you would then need to delete the data.

Stefan:                                 12:50                     There is in many countries a legal obligation to keep data on your employees for a certain amount of years. So, the authorities can check that proper tax payments have been made, and Social Security payments have been made. So there are sometimes legal obligations to keep data.

Amy:                                     13:11                     Okay, that makes sense. Thank you for that.

Amy:                                     13:14                     So Lisa, as we've discussed, consumers continue to use new forms of technology, and they have these overarching expectations of organizations. So, one for the business to better understand them as individuals, but then also to protect their privacy. So can you tell us a little bit about what are some steps organizations can take in regards to the personalization aspect? Is there a way to strike that perfect balance?

Lisa:                                       13:43                     Yeah, I mean, I think when you look at kind of the goals of personalization and privacy it seems like they could be potentially contradictory, but really the key to companies managing and handling their data that they receive from their customers appropriately is to make sure that the consumer or the customer are really in the driver's seat. That the consumer knows the data that's being given to the company. That they have control over how that data is used. They give really, an informed consent around, how that data will continue to be used in the future, and that they know where that data is going.

Lisa:                                       14:29                     We really think that data privacy is going to ultimately drive quite a lot of innovation around this. I think if you go back, you know, three, four, five years ago, the goal was really just gather as much data as you possibly can about people, or gather as many people's data as you can and try to then send out marketing materials or whatever you're going to use that data for. I think going forward the focus will need to be certainly on making sure that you have the right data from the right people, which ultimately will then allow you to really target people who may want to actually use your products or purchase your products.

Lisa:                                       15:11                     So, I think it's ultimately going to drive quite a lot of innovation. Hopefully that will be innovation that's beneficial not only for the company who's collecting the data, but ultimately for the consumer as well to make the ways in which they're engaging with an organization much more, productive and meaningful to the end consumer.

Amy:                                     15:38                     Yep, and that makes total sense in this age of innovation and technology advancements and we're in a world where digital engagement is really paramount to the day-to-day operations of global organizations. So Stefan, do you see that the GDPR and any future mandates could affect the digital ecosystem?

Stefan:                                 15:59                     Let me take an example: So at the moment, you're getting all these emails from companies making you aware that you need to opt-in to receive future information from companies. The marketing guys of those companies, they will hate this, because, the information you're sending out, the newsletters you're sending out, they will lose a lot of reach when you're asking for an opt-in from consumers.

Stefan:                                 16:29                     But in the end when you do that you will focus on those consumers that are actually interested in receiving your email, because they actively said, "Yes, I want to get this information. This information is useful for me." And, I think in the end you, you might lose 80% of addressees of your newsletters, but in the end you can focus on those 20% for which the information is actually relevant and that I am actually going to use the information.

Stefan:                                 17:02                     So, I think the businesses will need to learn that data privacy is not about the amount, it's not about the size of your database, it's about the quality. And also, when you're developing products it is really focusing how can I achieve the most with the least amount of personal related data.

Amy:                                     17:27                     You're so right, Stefan, because I am one of those marketing guys or gals, I should say, that has a challenge here, and has to figure out how do we find that balance. And, you're right, the people that want to engage with you, they will be okay with selecting that opt-in, because obviously they find value in what you are providing to them.

Lisa:                                       17:50                     It's gonna be a painful process for sure, and I think we're already starting to see that. But I think ultimately at the end of the day, you're going to be connecting in much more meaningful ways. Both from a company perspective and from an end consumer perspective.

Amy:                                     18:05                     Exactly. And that touches the whole concept of connected commerce providing these personalized and meaningful touchpoints in a way that a consumer wants to engage.

Amy:                                     18:15                     Okay, so do we feel that consumers could become fearful of technology that requires personal data sharing? Lisa, what do you think on that?

Lisa:                                       18:26                     I think certainly, that's an increasing threat. I think it's something that everybody thinks about when they, you engage with companies that collect personal data. I mean, we've seen in the news, Cambridge Analytica, and similar-type organizations that are using and leveraging personal data in a way that maybe people didn't know about, didn't understand. It allows for targeting of consumers in a way that people don't understand.

Lisa:                                       18:58                     I think also, continuing to educate consumers and to make consumers feel comfortable through transparency really, on how their data is actually being used will ultimately, hopefully (Laughs) eliminate some of those fears. That’s what various privacy initiatives like GDPR, like a number of state and federal laws in the US, and a number of laws around the world are really aiming to get at.

Lisa:                                       19:32                     It’s not about, you know, sort of everybody crawling back under a rock and reverting to, (Laughs) paper. Uh, everybody understands and acknowledges that we live in a digital and a connected world, and there's a need to exchange data. But with that, there's really a need to make sure that people have knowledge and understand how that data is being used, and how that data is being shared. So, I think there's certainly fear that's out there and you can open any newspaper and see how some of that fear is manifesting itself.

Lisa:                                       20:12                     But, as we kind of continue to move forward and more of these data privacy laws are enacted around the world, I think it's driving that level of transparency that will kind of put power back in the hands of consumers and allow companies who need to use that data to use it in a much more meaningful and effective way for their own customers.

Stefan:                                 20:38                     I think that there's a basic suspicion, it's also because it shows that people are getting more aware of the importance and the incident around Cambridge Analytica clearly shows where that can go wrong, and there can be really some impact.

Stefan:                                 20:55                     There was a time, like, 10 years ago, when people said that we are actually living in a post-data privacy era, because people were publishing everything on Facebook. And were shameless with their uttermost secrets. And I'm seeing a shift now, and, and perhaps there is also a kind of overreaction there. But I totally agree with what, what Lisa said, I think education, getting an awareness, and you know, being suspicious is good. But if you have the means to reach a protection which is useful for you as a consumer then, I think there is also a benefit there.

Lisa:                                       21:39                     And you're talking to two lawyers, so we're suspicious by nature.

Amy:                                     21:42                     (Laughs) Right?

Lisa:                                       21:42                     (Laughs)

Amy:                                     21:46                     Okay, for my last question, can we close with: What are some tips you can offer organizations to help them comply with GDPR? I'd love to hear really what you both think to close out the topic.

Stefan:                                 21:59                     Of course this is very, um, highly valuable IP, which we come by (Laughs) ...

Amy:                                     21:59                     (Laughs)

Lisa:                                       22:03                     (Laughs)

Stefan:                                 22:03                     You need to be on a very high level, otherwise we would need to charge.

Amy:                                     22:08                     Right (Laughs) ...

Stefan:                                 22:09                     I think the first thing is you need to be aware of your role if you're a data controller. What this actually means for you. What that means for your organization and for the infrastructure you're using. Lisa, what would you like to add?

Lisa:                                       22:29                     Yeah, I mean, I think what's going to be key as we continue to go forward and we move beyond May 25th, you know, lots of companies have really been working towards this get compliant with GDPR by May 25th, and it's become this date that everybody kind of thinks about and knows about. Um, and as we continue to move forward, what I think is going to be important is making sure that you're staying vigilant around data privacy, and that your program continues to evolve and change and that you're kind of constantly looking at, "Okay, what is the data that we're processing? How are we processing it? How are we informing people? Do we have the right level of consent? Do we need to, to look at this again?"

Lisa:                                       23:17                     And that continuous process of risk assessment I think is going to be critical as we continue to move forward. Again we've really moved light years past the days when we can just sort of say, "Yeah, we have a privacy notice, and, um, we don't have a great handle on how we manage things. But we've got a privacy policy, so all is good." I think we have to continue to, to look at and monitor both as a company for our internal employees, as well as companies that touch consumer data in any way, or, just their basic customer data. Making sure that we're really continuing to evaluate that and how we use it is going to continue to be critical as we move forward.

Amy:                                     24:01                     Okay, great.

Stefan:                                 24:04                     Also I think it's also important to understand that data privacy has got a purpose on its own. So, if you just see it like that, and you just check boxes, then it's really just a waste of time and paper. I think data privacy is a tool to serve your customers in a better way. It's a tool to get aligned with your suppliers for example, to serve your customers in a better way and that way, I think it's teamwork.

Stefan:                                 24:33                     And, um, I think if you embrace it as a chance to create a better customer experience then there will be a real benefit.


Amy:                                     24:46                     Got it. Well on that point we can end the discussion today. Thanks to Lisa and Stefan for being here. And to our listeners for joining this episode of Commerce Now.

Amy:                                     24:57                     To find out more about Personalization Versus Privacy, go to, or click on the link in the podcast show notes. Until next time, keep checking back on iTunes for new topics on Commerce Now.