GDPR and Data Subject Rights Enablement Overview

The Customer Data Model (CDM) supports GDPR compliance through a combination of source-system-driven governance, consent management, data retention policies, and controlled data purging processes. The CDM is not intended to be the system of record for customer privacy preferences or regulatory requests. Instead, GDPR-related requests are expected to originate in, and be governed by, upstream systems such as CRM platforms, customer service applications, digital channels, or other authorized systems of record.

When GDPR-related events are received by CDM, the corresponding customer profile, consent, preference, and processing indicators are updated and propagated throughout the platform to ensure downstream activation and analytical processes operate in accordance with the latest customer instructions.

Consent and Preference Management

CDM maintains customer consent and preference information as received from upstream systems. Any changes to customer permissions, including marketing consent, communication preferences, profiling consent, or similar regulatory permissions, must be captured and managed within the source application and subsequently synchronized to CDM.

CDM leverages these consent indicators to control customer eligibility for marketing, personalization, segmentation, activation, analytics, and other downstream business processes. As customer preferences change, the corresponding consent state is reflected within CDM and applied consistently across supported use cases.

Right to Object and Processing Restrictions

Where a customer exercises the right to object to processing, profiling, marketing communications, AI-driven decisioning, machine learning activities, or similar forms of data processing, CDM supports the storage and propagation of appropriate exclusion indicators. These indicators can be used to prevent customer records from being included in audience generation, campaign execution, predictive modeling, machine learning training datasets, analytical processing, or other regulated activities.

Additional exclusion flags for AI and machine learning processing will be delivered as part of a future product release.

Right to Erasure (Right to be Forgotten)

CDM maintains historical customer and transactional data to support analytical, operational, audit, and regulatory requirements. As a result, physical deletion of customer records is managed through governed data retention and purging processes rather than immediate record removal.

Current releases support customer data deletion through enterprise-specific purging scripts and retention policies. When a valid deletion request is received and approved by the source system, the request can be executed through the organization's configured purging process to remove customer-related data from CDM in accordance with applicable legal and business retention requirements.

An out-of-the-box purging framework and configurable retention policies are planned for a future release. This framework will support automated execution of customer deletion requests as well as broader enterprise retention requirements.

Data Retention and Purging

CDM supports enterprise-defined data retention policies that align with legal, regulatory, and business obligations. For example, organizations may retain customer information for a defined period after account closure to satisfy regulatory, audit, risk, or operational requirements.

The same retention and purging framework can be leveraged to:

  • Purge customer records following approved GDPR deletion requests.
  • Purge records after the expiration of regulatory retention periods.
  • Remove inactive or obsolete customer information in accordance with organizational policies.
  • Enforce enterprise-wide data lifecycle management standards.

Organizations remain responsible for defining retention periods and ensuring they comply with applicable regulations in their operating jurisdictions.

Other Data Subject Rights

The CDM architecture supports GDPR compliance through source-system-driven governance and can accommodate additional data subject rights, including:

  • Right to access customer data.
  • Right to rectification of inaccurate data.
  • Right to restriction of processing.
  • Right to object to profiling and automated processing.
  • Right to withdraw consent.
  • Right to data portability (where supported by source systems).
  • Right to exclude data from AI, machine learning, and advanced analytical processing.

In all cases, the authoritative action is expected to be initiated and governed by the appropriate system of record, with CDM reflecting and enforcing the resulting state across customer data and downstream processes.

Roadmap

Future releases will introduce:

  • Configurable out-of-the-box data retention policies.
  • Automated purging and deletion workflows.
  • Enhanced support for AI and machine learning processing exclusions.
  • Expanded governance controls for privacy and regulatory compliance use cases.

These enhancements will further simplify operational management of GDPR-related obligations while maintaining enterprise-level flexibility and regulatory alignment.