Adobe Summit Business success today is about "data required to understand each person's context in every moment", with the intelligence to take the right action, said Adobe CEO Shantanu Narayen in the opening keynote of the company's EMEA Summit in London.

"People are buying experiences, not products."

Bow to your Sensei! Adobe adds machine learning and design tool to Creative Cloud READ MORE

Adobe Summit, held last week, is primarily aimed at marketers, focusing on the Adobe Experience Cloud, a suite of products for running marketing campaigns (Adobe Campaign), performing data analytics (Adobe Analytics), delivering targeted offers (Adobe Target), analysing your customer data (Adobe Analytics) and more.

Adobe will store your customer data in its cloud and use AI and machine learning – branded Sensei – to analyse that data and automate recommendations or actions.

"We're investing in Adobe Sensei," said Narayen. "It leverages the hundreds of trillions that we process every year. We will understand through Sensei how [to do] smarter searches, better recommendations, and the holy grail for all of us as marketers, hyper-personalisation at scale."

Adobe CEO Shantanu Narayen at Adobe Summit in London

During the keynote, Adobe's Steve Martin, a solutions consultant, presented a "Vision Demo" of how this kind of personalisation might work in the context of Shell, an Adobe customer. "Shell want to personalise across all 30 million people they're interacting with," he explained.

Meet "Tom", a loyal Shell customer with a connected car and a smart home. Pressed for time before a dinner date he asks Amazon Alexa to find him a Shell garage en route to the restaurant. One comes up on his route planner; but does it do car wash as well? Apparently not; but another one does. When he gets there, the personalisation system has good news, the car wash will be free as a loyalty reward. He need do nothing as the assistant there has already been informed.

Great, a free car wash, but what are the privacy implications for Tom as he hands over his personal information to Amazon and Shell? Could this kind of data, in other circumstances, be used in less pleasant ways?

Back in March, ahead of Adobe's US summit event, I asked the company at a press briefing how an individual (like Tom) could control the use of his information on Adobe's platform. "We'll follow up with you later," was the response. That follow-up became an offer of a privacy briefing, which after some to and fro was planned for the London Summit. Then came the bad news. No briefing available, but only a statement:

For our Digital Experience business, our customers are in control of the data they bring to the platform and can determine which third parties, if any, they want to work with to support their digital strategies and use our services.

The GDPR cometh

That said, here at the London summit these issues are top of mind for many attendees, conscious that the EU's General Data Protection Regulation (GDPR) comes into force on 25 May 2018. Adobe laid on six sessions on GDPR, with titles like "Adobe is GDPR ready. Are you?"

At one such session, Adobe's chief privacy officer Alisa Bergman spoke about the challenge. With regard to personal data, "there is a very broad scope of covered information … all kinds of things like cookie IDs and IP addresses are more formally personal data, things previously regarded as non-personally identifiable may no longer be so."

In addition, "there are strengthened rights when it comes to consent. Europe has always had some level of opt-in or enhanced consent, but GDPR takes that to a whole new level. It's an area that's particularly unsettled, it makes folks very nervous."

"It's no longer possible to bury consent in privacy policies and not put them in a meaningful way where consumers have a lot of choices."

GDPR also gives individuals the right to know what data is held about them.

Adobe has provided a new GDPR API to enable its customers – that is, not individuals, but the businesses using its platform – to retrieve and modify or delete personal data. The decision on what constitutes personal data, though, is not taken by Adobe, but by its customers, who are provided with a tool that enables data in the system to be labelled. There might be hundreds of fields to label, so this is not trivial.

In GDPR terms, Adobe is the data processor but not the controller. This means that it is Adobe's customers, such as Shell, who are primarily responsible, and it is to them that individuals must go to exercise their GDPR rights.

I nabbed a couple of minutes with Bergman after the session. Was I right in understanding that it is Adobe’s customers, not Adobe, who are responsible for implementing GDPR compliance, though Adobe’s job to provide the API and the tools?

“Exactly,” she said.

How does that apply if Adobe holds personal information across several customers? An example is Device Co-op, which pools data to enable the system to link devices with individuals?

"Device Co-op is not on personal identifiers. It is hashed," she said. "I haven't thought through all of the access and deletion requirements for that but that's something that we’re working on."

Some people will love hyper-personalisation, I suggested, but others will find it creepy.

"I agree."

What responsibility does Adobe have to people who don't like that approach?

"We don't do anything for the people themselves, what we do is we build with a privacy by design philosophy. We have a bunch of privacy enhancing technologies, and we're also really focused on data governance. Our customers come to us and say, solve GDPR for us. How can we provide them privacy-enhancing technologies, do IP obfuscation or hashing, or label their data such that if they've got contractual, legal requirements, or internal policy requirements, that those requirements can stay with the data and then they can pull things together. That's really what we're doing with all our products and services."

At this point we are being shunted out of the room to make way for the next session. I would like more time to discuss this, I said.

"I can put you in touch with my PR person?"

Late in the day

It is a shame that it has not proved easier to talk to Adobe about this as it is working hard to meet its obligations. That said, it is late in the day. Many of these tools are only just coming out of beta, with just a few weeks to go before GDPR comes into force.

Another issue is the mixed messaging from Adobe and other companies in this space. Can you reconcile "privacy by design" with the headlong rush towards hyper personalisation, described as the holy grail by Adobe's CEO?

You can be sure the big vendors will try. ®