Many brands with large customer bases are facing a similar question when it comes to storing data—is it time to bring all data processing in-house?
Whether this is prompted by a data security audit, a data breach, or a desire to be more agile with data analysis, it’s an important question that thankfully doesn’t have a complicated answer.
In this article, I’ll explore whether you should outsource or insource customer data processing for your brand.
Quick side note—for Littledata’s direct-to-consumer (DTC) brands, customer data is usually first-party data captured as part of the ecommerce checkout process, including post-purchase interactions with the customers and web browsing information such as IP addresses.
Why you need first-party data to be secure
First-party customer data is data the customer shares with you directly through the server connecting them to your website. By its very nature, first-party data is created by a contract—and more importantly, a bond of trust—between your brand and the end customer.
Accidentally leaking that data is brand-damaging: 46% of organizations surveyed by Forbes suffered reputational damage after a data breach.
In addition, GDPR and similar regulations impose large fines (up to 4% of global revenue) for data breaches, specifically those that result from lax processes.
You might also be concerned about commercial espionage—how valuable could your customer purchase history be in the hands of a competitor or a fraudster?
Or maybe your company has been burned by third-party data processors in the past whose security standards did not meet your own.
Taking these concerns together, you may be thinking the only way to be truly data secure is to process and store first-party customer data on your own infrastructure. But there are downsides to this.
Do you want to own your own data infrastructure?
By data infrastructure, I don’t mean owning bare-metal servers that sit in the broom cupboard behind your office. I’ll assume you are comfortable with the concept of hosting data in a public or private cloud environment.
However, even maintaining that cloud computing infrastructure brings costs and risks. Your company will be responsible for software patches, updates to use the latest API versions, monitoring for suspicious activity, and handling outages.
Data engineering is complex, and great data engineers are in short supply. So, I suggest you are better off licensing a secure data pipeline than building it all yourself.
Does your company control the data end-to-end?
Frankly, processing company data in-house may be missing the point if you do not control the data processing end-to-end.
Many of Littledata’s customers have made a deliberate choice by working with Shopify or BigCommerce to leave purchase and transaction processing to a cloud provider—signing data processing agreements (see DPAs for Shopify and BigCommerce) to store customer data on US cloud servers.
Many brands also choose to share customer data with Google (pseudonymized) or with Facebook (not anonymized) to improve their customer acquisition and Return on Advertising Spend (ROAS).
In effect, these brands are outsourcing the data processing that happens between the ecommerce cloud and the marketing cloud to Littledata. Trying to do this processing in-house makes little sense when the start and end of the data processing chain are third parties.
Does EU customer data need to stay in the EU to be secure?
You may have read about regional courts in France and Austria ruling against sending EU customer data to Google Analytics—or indeed sending data to any US server. I think these rulings are extreme and will eventually be struck down. There is no practical or legal reason why data processing on servers within the EU is somehow more GDPR compliant than hosting on the cloud in the US.
That said, data nationalism as a trend is here to stay, so there may be a future need to keep EU data siloed. All cloud computing networks have EU servers, and tools like Segment make it possible to split EU customer data processing onto EU servers.
The limitation is that right now, none of our other partners (especially Shopify, Google, and Facebook) have the same ability to process in the EU. This makes regionalizing only one part of the data processing chain pointless.
Is outsourced data GDPR compliant?
Yes, you can subcontract data processing to a third party. But to be GDPR compliant, your data processors need to enable the right to rectification, the right to erasure, and the right to restrict processing.
All the main partners that Littledata works with (Shopify, Google Analytics, Facebook Ads, etc.) have API endpoints by which your customer can request their data to be updated or erased, and this request can be passed on to the downstream processors.
If the customer requests to restrict processing (e.g. opting out of advertising retargeting using a cookie consent banner) your company needs to also pass along that choice to the downstream processors. Littledata’s tracking script makes that easy to do via integration with Shopify’s consent management, and plugins for OneTrust and TrustArc.
Can you control outsourced data processing?
Yes. Doing so is just a matter of working with a processing partner that a) is transparent about how they process the data, b) follows good practices in data security, and c) provides Service Level Agreements (SLAs) for the processing.
At Littledata, we are clear about how we process customer data (and exactly what data points are stored where), have a public data security policy, and provide tight processing SLAs for Plus customers.
I believe you can outsource data processing and still be truly data secure. In fact, I believe trying to bring data fully in-house is costly and pointless for most cloud ecommerce brands.
Pick trusted partners to ensure your customer data processing is both super reliable and super secure, and get on with scaling your business!