Adobe Confidential

1

Are you prepared?

GDPR

and the

Adobe Experience Cloud

TableofContentsLab Overview .................................................................................................................................. 3

Scope ........................................................................................................................................... 3Tools ........................................................................................................................................... 3What is the GDPR API? ............................................................................................................. 3What is the AdobePrivacy.js library? ......................................................................................... 3

Lesson 1 – Creating a GDPR request ............................................................................................. 4Objective ..................................................................................................................................... 4What kind of data is required? .................................................................................................... 4

Company Context ................................................................................................................... 5

Adobe Confidential

2

Users ....................................................................................................................................... 6Namespaces ............................................................................................................................. 7

Lesson 2 – AdobePrivacy.JS Library .............................................................................................. 8Objective ..................................................................................................................................... 8

Lesson 3 – Interacting with the GDPR API through the UI ........................................................... 9Objective ..................................................................................................................................... 9GDPR API access ....................................................................................................................... 9Logging in ................................................................................................................................... 9The User Interface ..................................................................................................................... 10

Job Submission Screen ......................................................................................................... 10Status Tracker ....................................................................................................................... 12Job Details Page .................................................................................................................... 13

Lesson 4 – GDPR API .................................................................................................................. 14Objective ................................................................................................................................... 14Why an API? ............................................................................................................................. 14Headers and Authorization ....................................................................................................... 14Customer integration through Adobe IO Console .................................................................... 15Creating an integration .............................................................................................................. 15Post ............................................................................................................................................ 21Get by ID ................................................................................................................................... 23

Adobe Confidential

3

LabOverview

Learn,hands-on,howtobetteridentifyyourcustomersandenableyourdataforGeneralDataProtectionRegulation(GDPR)requestprocessing!AdobeExperienceCloud,asthedataprocessor,hascreatedasetofpowerfultoolstohelpyou,asthedatacontroller,gatherID’s,labelyoursensitivedata,thenmanageandsubmityourcustomers’GDPRrequests.Scope

Inthislab,youwillgettheopportunitytoexperimentwiththenewtoolsandfeaturesprovidedtoyouasadatacontroller.Learnhowtoextractuseridentities,customizerequestdataandinteractwiththeGDPRAPI.ExperimentwiththeAPIandtheUItoseehowthesetoolscanbeusedinyourcompanytohelpyousolveGDPRrequests.Tools

WewillbeintroducingyoutotwospecifictoolstohelpyouinyourworktoachievecompliancewiththenewGDPRlaw.Theseare:

• TheGDPRAPI• TheAdobePrivacy.jslibrary• AnalyticsDataLabelingUI

Thesethreetoolshelpyouprepareyourdataandlabelit,gatherappropriateID’sandinformation,andthensubmittheassembledrequesttoAdobeforprocessingintheAdobeExperienceCloud(ExC).WhatistheGDPRAPI?

Across the Adobe Experience Cloud there are many products that support your digital marketing needs. Each solution handles data and user identities in unique ways, according to their business goals, however they also must support to the overall ExC goals for security and compliance. The GDPR API has been developed to do exactly this: coordinate privacy and compliance requests across various solutions in the ExC, beginning with GDPR access and deletion requests. WhatistheAdobePrivacy.jslibrary?

The AdobePrivacy.JS library is a client-side library that you can choose to deploy on your page to gather the various IDs used by each Adobe Experience Cloud solution. It gathers the IDs from the user’s browser. The collected IDs are in a format that is compatible with the GDPR API for access and delete requests. For some solutions, the library may also remove cookies when the intention of gathering IDs is for delete requests.

Adobe Confidential

4

Lesson1–CreatingaGDPRrequest

Objective

Become familiar with the data format for a GDPR request, create one by hand, recognize the different context sections, and modify data to match your requirements Whatkindofdataisrequired?The GDPR API requires a collection of contexts, one set for the organization or company, and one for the user or users for which the request applies. The first context enables the ExC solutions to scope their searches and processing within the context of a single company, while the second provides the data and data qualifiers to search for and process. On your desktop, you should find a file containing a sample JSON payload that could be submitted to the GDPR API from the data controller. Feel free to open this file and examine it as we discuss each section and set of values further (file contents should look something like this):

"companyContexts": [{ "namespace": "imsOrgID", "value": "806543F451CC5FE60A490D34@AdobeOrg" }, { "namespace": "AdCloud", "value": "My Advertiser ID" } ], "users": [{ "key": "David Smith", "action": ["access"], "userIDs": [{ "namespace": "email", "value": "dsmith@acme.com", "type": "standard" }] }, { "key": "Alicia Jones", "action": ["access", "delete"], "userIDs": [{ "namespace": "email", "value": "ajones@acme.com", "type": "standard" }, { "namespace": "loyaltyAccount" "value": "2220506665" "type": "custom" }] } ]

Adobe Confidential

5

CompanyContext

The “companyContexts” section of the JSON payload is a qualifier for your organization within ExC solutions. Repeated here:

"companyContexts": [{ "namespace": "imsOrgID", "value": "806543F451CC5FE60A490D34@AdobeOrg" }, { "namespace": "AdCloud", "value": "My Advertiser ID" }

You can see that the company section is actually an array of contexts. There are two types of contexts supported:

• IMS organization ID (or ExC organization ID) o This is the organization ID that links your other solutions together in the ExC

• Product-specific company qualifier o These identifiers are used for solutions that may not be linked to an organization o Often considered “legacy”, they are the account names, such as login company,

client code, partner, tenant ID or other similar solution identifiers The GDPR API interacts with the IMS organization ID to validate permissions of the user submitting the request. It then forwards this information on to the ExC solutions to process.

Adobe Confidential

6

Users

The “users” section of the JSON payload is a collection of users being submitted by an ExC customer for GDPR request processing. It may contain more than one set of user ID’s per user in the collection. Let’s examine it more closely. Here is a single user section from the example above: "key": "Alicia Jones", "action": ["access", "delete"], "userIDs": [{ "namespace": "email", "value": "ajones@acme.com", "type": "standard" }, { "namespace": "loyaltyAccount" "value": "2220506665" "type": "custom" }]

Some notes about the format:

• The key is a user identifier to wrap the various namespace entries and is used to qualify the separate job IDs in the response data, largely used by the data controller for reference and grouping and may be any string value.

• The action field is a collection of desired actions, one or both of ["access" | "delete"] depending on the user’s request, and may be different for each user in the submission

• As mentioned above, users may have 1 or many namespaces that represent their identity in the ExC

• The namespace and type fields are detailed below

One key not detailed in the example above:

• The key isDeletedClientSide is a Boolean (true/false) value that is handed in from Adobe's Privacy JavaScript library (another tool we will explore later in this lab), indicating the client-side cookie has been deleted. This flag should not be added to the request manually as it indicates additional processing work is not needed by some solutions

Adobe Confidential

7

Namespaces

Namespaces allow the data controller to qualify the user identifiers in such a way that the GDPR API and related ExC solutions know what to do with them. Below is a table of the different kinds of namespace qualifiers and what they are used for.

Qualifier Definition

standard One of the standard namespaces defined globally (e.g. email, phone number, etc.), not tied to an individual organization data set

custom A unique namespace created in the context of an organization, may or may not be shared across the ExC. The value represents the friendly name ("name" field) to be searched for and has been registered with the namespace service

integrationCode Similar to custom but specifically defined as the integration code of a data source to be searched for

namespaceId Indicates the value is the actual ID of the namespace that was created or mapped through the namespace service

unregistered A freeform string that is not defined in the namespace service and will be taken as is. Any solution that handles these kinds of namespaces will check against them and handle if appropriate for the company context and data set

analytics A custom namespace that is mapped internally in Analytics, not in the namespace service. This will be passed in directly as specified by the original request

dpsc A custom namespace that is used for DPS mappings, which support a set of three unique namespaces (DPS-only)

target A custom namespace that is understood internally by Target, not in the namespace service. This will be passed in directly as specified by the original request

A quick note about namespaces – the Adobe Cloud Platform is providing the above-mentioned namespace service, where customers may create namespace identifiers for their organizations. The service defines a set of standard namespaces that are shared across all ExC solutions and allows for a customer to link similar custom namespaces, where applicable, across solutions as well. This lab will not go into detail on the namespace service, but documentation related to GDPR and namespaces will become available nearer to the release of these tools.

Adobe Confidential

8

Lesson2–AdobePrivacy.JSLibrary

Objective

Learn how AdobePrivacy.JS functions on a webpage to collect IDs and observe the format with the retrieveIdentities call. Notice the difference when removeIdentities is called instead. See how the format is the same as accepted by the GDPR API. You can choose to send the IDs collected from AdobePrivacy.js to the GDPR API, or you may want to add additional IDs to the IDs AdobePrivacy.js collected before passing to GDPR API. AdobePrivacy.js does not directly communicate to the GDPR API. NOTE: In this lab, AdobePrivacy.js has already been placed on the sample company's pages. When implementing AdobePrivacy.js on your own page, you should strongly consider using Adobe Launch (https://marketing.adobe.com/resources/help/en_US/dtm/faq-launch.html). Hands-On

1. Open the Chrome browser and navigate to http://idservice.io/gdpr. This simple page is instrumented with various Solutions libraries to set IDs on the browser. This demonstrates the type of tracking you may be doing on your own sites.

2. Navigate to http://idservice.io/gdpr-request. This page is where end users could start the process of submitting a GDPR request to the company. It is instrumented with AdobePrivacy.JS

3. Click on the button for "retrieveIdentities". This will collect the ids from the various Experience Cloud solutions by calling the retrieveIdentities method in AdobePrivacy.js and then display the resulting JSON.

4. This time, click on the button for "removeIdentities". This will collect the ids from the

various Experience Cloud solutions and remove cookies for Solutions that have taken this approach for removing identities.

5. Extra: Submit the JSON from #3 or #4 to the GDPR API

Adobe Confidential

9

Lesson3–InteractingwiththeGDPRAPIthroughtheUI

Objective

Become familiar with the GDPR UI and how it can help you track your GDPR work GDPRAPIaccess

The GDPR API currently supports two types of interactions: direct API, as we explored previously, and a Web UI, which helps simplify the authentication and interaction. This lab will explore the UI portion of the GDPR API service, and help you understand how to best leverage both of these access options in your environment. Loggingin

Authentication with an Adobe ID is required, and the context of that user will determine what organization the GDPR requests are being made for. The user must have some kind of administrative privilege within the organization, and we have provided such a user for the purposes of this lab.

Hands-on

Please login to the UI with the following credentials: • email: L779+[workstation ID]@adobeeventlab.com • password: Adobe2018!

Adobe Confidential

10

TheUserInterface

Currently, the user interface consists of three main screens, the job submission screen, status tracker, and job details page. We will cover each in depth here. JobSubmissionScreen

This simple UI is for uploading JSON requests to the central service. You can either drag and drop a file or click in the box to bring up a file browser window. Hands-on

1. As you can see, the UI prompts for a Ticket ID to be specified, which is primarily for

your use. Go ahead and populate this field with a ticket ID you will remember (for the purpose of this lab). If you have an internal ticketing system or other tracking code, this field allows you to link the GDPR request in the API to that specific identifier. Keep in mind that every user in the JSON file will be tagged with this ticket ID.

2. You also have the ability to specify other email addresses for notification. By default, the

person submitting the request is always included. However, you may change that as needed, and add multiple email addresses. Go ahead and add/remove a few email addresses – press <TAB> or <ENTER> after each entry to complete each email in the list. The addresses included in this list will receive a copy of any email notifications, which are sent when the job completes, finishes with errors, or times out.

Adobe Confidential

11

3. On your computer, you should have two JSON files with some sample data for submitting a request. You may also use the data from previous lab sections or modify the data as desired before submitting it.

4. Submit the request with the valid JSON and allow the UI to navigate you to our next screen.

Adobe Confidential

12

StatusTracker

After submitting the file successfully, you will be taken to the Status Tracker screen, where you will be able to view all your submitted jobs. Here, you can see a default view of information related to jobs that have been submitted for your organization. Hands-on

1. On the far right, you have the ability to customize your view by selecting columns to show or hide. Feel free to experiment and see what other information you can display in this table.

2. The UI provides the ability to filter on any of the fields by simply typing in the search field. The search is executed against all visible columns, so go ahead and test it out! Experiment with showing and hiding fields and combine it with searching.

3. Easily switch back to submit new requests by clicking on the Submit New Request button to the right, or by selecting the tab Upload Request in the top left.

4. Each unique job ID is a link to a more detailed description of the job itself, containing updated status values and responses from each ExC product orchestrated by the GDPR API. Let’s click on this and have it take us to our next section of the lab and the third UI screen, the Job Details Page.

Adobe Confidential

13

JobDetailsPage

As mentioned above, navigating from the Status Tracker by clicking on a job ID generates a popup dialog with details about an individual job. Hands-on

1. Exploration: this dialog contains status information about each ExC solution and its current state in relation to the overall job. As every GDPR job is asynchronous, you can see the latest communication date and time from each solution as well, as some will require more time than others to process the request.

2. If a solution has provided any additional data, it will be viewable in this dialog. You can expand the view by clicking on individual product rows and seeing what has been received.

3. You also have the ability to download the complete job data as viewed in this dialog as a .CSV file. Click on the download button and feel free to open the file to examine its contents.

Adobe Confidential

14

Lesson4–GDPRAPI

Objective

Become familiar with the GDPR API for submitting requests and checking job status through automation WhyanAPI?

Because you are the data controller, and Adobe partners with you as the data processor, we wanted to make the work of submitting requests easier to integrate into your processes. The GDPR API provides a set of HTTP API’s to help automate the handling of GDPR requests to the ExC. This section of the lab will explore header and authorization information, explain syntax and teach you how to access and use the API. HeadersandAuthorization

The following table gives an explanation of the expected headers, along with an explanation of what they are and how they are used: Key Value Description

Content-Type application/json The only type of content accepted through the API. The body of the request is well-formatted JSON

Authorization Bearer <token>

A user access token from an authenticated organizational admin – can be accessed through Adobe IO Console integrations through JWT exchange

x-gw-ims-org-id Experience Cloud organization ID

This ID is used to authenticate and validate your access token through the Adobe IO gateway

x-api-key [string value] A defined key to authorize your request, created by you through Adobe IO Console integration

ticketId Internal tracking ID Optional - This ID allows you to link the jobs in this request to any internal tracking ID you may have in your systems

emailToNotify Comma-separated email list

Optional – allows you to provide additional emails for people who should be notified once a job is complete

We will explore these headers with a simple GET API call in the next exercise.

Adobe Confidential

15

CustomerintegrationthroughAdobeIOConsole

By creating an integration to the GDPR API through the IO Console (console.adobe.io), you can define the necessary header values and obtain the correct user access tokens required for access to the APIs. This is a brief overview of how to do this. For the purposes of this lab, however, you will be able to use a provided x-api-key and your user access token from the GDPR UI. Creatinganintegration All instructions for creating a “service integration” with the GDPR API, or any other service, are detailed here: https://www.adobe.io/apis/cloudplatform/console/authentication/gettingstarted.html The first step is to login to the IO Console, after which you should have the ability to create a new integration. You can select the organization for which you’d like to create this integration if you have access to more than one: Next, you select what type of integration you want (in this case, “Access an API”):

Adobe Confidential

16

You should then see a list of services enabled for your organization that can be subscribed to. Select the “GDPR API” for your integration:

Once proceeding, you should be given the option to create a new integration or update an existing one. Assuming you have no previous integrations, you should simply create a new one. You will then be taken to the creation screen where you can add the details you need for your new integration, including the name, description, and the public keys you want to use for access:

Adobe Confidential

17

Once you have successfully added all the information required, you will see a confirmation screen where you can then navigate to your integration details:

This dialog gives you the information you will need for header authorization in the GDPR API process, as detailed above. Your organization ID (as shown above) is the x-gw-ims-org-id header value, the API key (Client ID) is the x-api-key header value. Finally, the “JWT” tab in this dialog will provide you with a JWT token that can be exchanged for an access token, which is used in the Authorization header, prefixed with the “Bearer” key word.

Adobe Confidential

18

As mentioned previously, the integration steps just detailed are for your integration with the GDPR API to make automation possible. For the purposes of this lab, the following hands-on section will use an HTTP utility to demonstrate how this can be done manually. Hands-on

1. Open up the Postman application on your computer, the icon looks like this:

2. On the left side of the application window, you should see a panel with Collections.

Expand the collection called Privacy Services to see the configured HTTP requests:

3. Find the one titled Get jobs by user and select it. This should open a tab in the right pane for the specific GET request which should be already configured.

Adobe Confidential

19

4. In the right pane, select the Headers tab to see the pre-configured header keys and values for this request. We will need to make some changes to these values before we can successfully complete the call.

5. Go through each header key/value pair and validate the information as we described it on the previous page. Two keys that need to be updated according to your user context will be the Authorization header and the x-gw-ims-org-id. The next steps will help you gather this information.

6. To obtain your user access token, for the purposes of this lab, we will retrieve your user access token from the GDPR UI. You should be able to login and copy your access token (button on the far right of the screen).

7. Paste your copied user token in the header section of the Postman UI. Please make sure you include the key word “Bearer” as the first part of the Authorization value.

Adobe Confidential

20

8. You should be able to populate the organization ID header using the data from your JSON payload in the file you previously submitted through the UI. Copy it and paste it in the Postman header field:

9. Now that you’ve updated all of the header information, you should be able to submit a valid request through the Adobe IO gateway and to the GDPR API’s. Click Send.

10. For this particular user, you should see a list of successful jobs you’ve submitted, or an empty JSON set (if you haven’t created any jobs) in the response, with a 200 success.

Adobe Confidential

21

Post

Now that you know how to assemble the header information, we can get into creating jobs for GDPR through the API. The POST method handles the two most common operations in the GDPR workflow – access and delete. For this part of the lab, you simply need to have the JSON files used previously in the UI. As explained in the first lab, the JSON file may contain one or many users, each with a collection of ID’s that identify them in the different solutions across Adobe’s Experience Cloud. Each user (note: not each ID) will have a unique job created for them in the GDPR API once the file is successfully submitted. Hands-on

1. Open the Postman application again and navigate to the Access/delete requests under Privacy Services in the Collections section in the left side pane.

2. Update the header information with the same values from your GET call made in the

previous section (IMS organization and access token). As an optional step, you may specify a ticketId and/or a list of email addresses in the emailToNotify field in the header.

3. Switch to the Body section of the configuration, make sure the Raw radio button is selected, and choose the content type from the dropdown.

4. Step away from the Postman application for a moment to retrieve the data for the POST body. Open the JSON file on your desktop in a text editor and make any changes you may want. You may also use the copied JSON from the second lab that was extracted from the AdobePrivacy.JS. Feel free to add additional users or modify the one already there. You can validate your JSON data using an online validator such as jsonlint.com. However, if your data isn’t structured properly or it is invalid, the API should return an error indicating such.

Adobe Confidential

22

5. Copy the JSON text from the editor and paste it into the Body window in Postman. Your final request in preparation for submission should look something like this:

6. Once you’ve looked over your data and ensured the header values are correct, click the Send button in Postman and wait for your response

7. Once completely processed and sent on to the ExC solutions, the GDPR API will respond

with a success (or failure) and provide additional information about how the data was received. In the response window below, you should see a 202 Accepted along with additional data about the job:

8. Notice that the response body contains a job ID (or multiples). This ID can now be used to help you track status through the API in the next section.

Adobe Confidential

23

GetbyID

The first part of this lab section already explored one of the supported GET calls in the GDPR API. This part of the exercise will focus on getting the status of a single job to enable better tracking through automation using the API. Hands-on

1. Open the Postman application again and navigate to the Get job by ID under Privacy Services in the Collections section in the left side pane.

2. Update the header information with the same values from your GET and POST calls

made in the previous sections (IMS organization and access token).

3. Update the URL in the top section with a job ID from your previous POST call

4. Click Send. In the response body, you should see the job details JSON returned successfully. Feel free to explore the data here, or copy/paste it into a JSON viewer for easier visibility (one such option is here: http://jsonviewer.stack.hu/ ). You will see more data than what was returned in the response to the original POST submission. Now the job data contains information related to each ExC solution and its individual status, very similar to what we saw in the UI.