What the EU’s General Data Protection Regulation means for website compliance
June 23, 2017 | By Matt O'Neill, General Manager, Europe – The Media Trust (@TheMediaTrust)

Today’s websites and apps are powered by sophisticated technology. After all, to meet consumer expectations—for search, content consumption, social networking, shopping, travel booking, news, banking, gaming, and so much more—websites (from ecommerce and entertainment to corporate) must incorporate robust solutions on the backend.
The workings of these solutions aren’t news to Revenue and Ad Operations professionals. For everyone else, the point to grasp is this: they are where security problems start.
Think about it. Companies generally outsource about 80% of a typical website’s functionality to vendors providing specialized services like data management platforms, image or video hosting, marketing analytics, content delivery, customer identification, payment processing, and more. This third-party code executes in your visitors’ browsers but is written, hosted, and updated outside the purview of your IT and security teams, which means that you directly control less than 25% of the code running on your website.
As the website operator, you typically have no insight into when that code is compromised and turned into a conduit for malware distribution or unauthorized collection of audience data. Considering the current regulatory environment around data compliance, those figures should make you nervous.
The Cookie Crumbles
To put it bluntly: You can’t control what you don’t see. Your digital properties have more third-party code than you realize. And this code is compromised more often than you think.
As the digital risk management provider for many of the world’s largest digital properties, The Media Trust scans websites for security and policy violations and actively manages more than 600 incidents at any one time. We’ve found that some of the simplest websites average 10 third-party vendors. But most have dozens. These vendors continuously change and so do their actions.
The Media Trust team often detects unauthorized or persistent cookies with a lifespan of 30 years or more. One brand-name ecommerce website recently dropped a cookie set to expire more than 7,000 years in the future. This raises a huge issue with the EU’s General Data Protection Regulation (GDPR), which takes effect on 25 May 2018. GDPR is the first EU-wide regulation addressing the personal data protection rights of EU residents. In essence, GDPR harmonizes and strengthens the individual national laws to give consumers enhanced rights over the information that is collected, used, and stored about them. It also codifies a penalty structure for violations (up to 4% of global annual turnover or €20 million, whichever is higher). As a result, companies will need to dramatically change their approach to managing consumer data, including data about online behavior.
Compliance with GDPR requires detailed, real-time knowledge of which digital partners are executing on your properties and what they are doing. This includes the type of data each partner collects and how long its identifiers (cookies and similar storage) persist on the user’s device, i.e., browser, phone, tablet, etc.
If you are wondering how GDPR affects media publishers and their ad tech partners, then you’ve got a lot of catching up to do. GDPR protects the data protection rights of every EU resident. Therefore, every business with EU interests—in the form of customers, legal entities, business infrastructure, etc.—needs to comply. And the global nature of the internet means any business with EU website traffic or app users needs to comply as well.
Evaluate—and Modify—Operations
Clearly, to reduce exposure to GDPR violations enterprises should make some changes to digital operations. At a minimum, execute the following for all your digital properties—websites (desktop & mobile) and mobile apps:
- Communicate your privacy policy
  - Write a clear privacy policy explaining the use of third-party code and the data collection activity it performs.
  - Post a policy banner on the homepage.
  - Deliver internal training.
- Provide an easy-to-use opt-in/opt-out mechanism
  - Explain the need for tracking and how cookies drive digital operations.
  - Share links to the individual privacy policies of all in-scope vendors on your site.
  - Allow individuals to explicitly agree to and/or refuse tracking.
- Understand how website/app-generated data is acquired, used, and stored
  - Identify the data: registration details, cookies, IP addresses, and device IDs.
  - Assess the legal basis for collecting each item and determine whether consent is necessary, e.g., Personally Identifiable Information (PII) vs. data needed for transaction functionality.
  - Evaluate the need for a specific policy regarding minors’ data (the age of consent is 16 under GDPR, though member states may lower it to 13; under 13 in the U.K. and U.S.).
- Support data portability
  - Provide a mechanism to easily satisfy a data subject’s request for their personal data in a commonly used, machine-readable format.
- Incorporate website intrusions into the data breach reporting process
  - Treat a compromise of code running on your site, including third-party code, as a potential personal data breach and route it through the same reporting process as any other incident.

While the GDPR mandate for websites has been clearly laid out, meeting it is easier said than done. With fines for noncompliance enumerated in the regulation (up to 4% of global annual turnover or €20 million, whichever is higher), Revenue and Ad Operations are under pressure from internal risk and compliance professionals to ensure all data elements are documented, assessed, and controlled.
Ignorance is real. So is anarchy.
With such a tall order, it is disturbing that so many overlook the perils of third-party vendor code going unchecked. Publishers urgently need to incorporate digital vendors into their vendor risk management program. Most website/app operators are in the dark about how many direct and indirect vendors contribute code to their site and who those vendors are, let alone how many domains and cookies the vendors use to track visitors.
Digital vendor risk management will highlight the security and compliance gaps inherent in the digital environment. For example, there really isn’t a clear chain of command when it comes to authorizing the presence of third-party vendors executing on a website. The process is fairly decentralized. Departments like marketing, sales/revenue operations, IT, risk and legal all make decisions regarding the vendors they would like to use for various website functionalities. This makes creating accountability challenging, with most issues relegated to the IT and security departments to solve.
Put the “Digital” in Vendor Risk Management
Yes, the odds are stacked against website operators, but creating a holistic digital vendor risk management program isn’t impossible. To create a risk management and GDPR compliance program for your digital properties, you should be able to answer the following:
Within 2 weeks:
- How many third-party vendors execute on my websites/mobile apps?
- What are the names of these vendors?
- What exactly are they doing, i.e., intended purpose and any out-of-scope activity?
Within 1 month:
- Do I have contracts to authorize vendor scope?
- How does third-party vendor activity affect overall website/app performance?
- What are the risks to data privacy?
- What is my exposure to regulatory risk via vendor behavior?
Within 3 months:
- Am I maintaining encryption throughout the call chain, i.e., is every third-party resource and every request it triggers loaded over HTTPS, with no mixed content?
- As these vendors change over time, what is the process to identify new vendors and their activity on websites/ apps?
- If the corporate website isn’t fully secure, is the enterprise network at risk when employees visit the site?
Answering these questions sets the stage for creating a comprehensive digital vendor risk process, which can serve as the GDPR compliance mechanism for your digital assets. This doesn’t just make sense for your customers; it will be essential to participating in the global digital economy.
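The first of the questions above (which third parties execute on the page) and the cookie lifespans discussed earlier can both be checked from a captured page response. The following Python script is an added example, not code from the article or from The Media Trust: it inventories the third-party hosts named in `<script src>` tags and flags Set-Cookie headers whose lifetime exceeds a policy ceiling. The HTML, cookie headers, host names, and the 395-day ceiling are constructed assumptions for illustration; the "first party" test is a simplification (anything under the first-party host), where a production audit would consult the Public Suffix List.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _ScriptSrcCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.srcs = []  # every <script src=...> value, in document order

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


def third_party_script_hosts(html, first_party_host, scheme="https"):
    """Sorted hosts serving <script> tags that are not the first party.
    Simplification (assumed here): any host equal to or beneath first_party_host
    is first party; a production audit would consult the Public Suffix List."""
    collector = _ScriptSrcCollector()
    collector.feed(html)
    fp = first_party_host.lower()
    hosts = set()
    for src in collector.srcs:
        if src.startswith("//"):          # protocol-relative URL
            src = scheme + ":" + src
        host = (urlsplit(src).hostname or "").lower()
        if not host:                      # relative path, served by the first party
            continue
        if host == fp or host.endswith("." + fp):
            continue
        hosts.add(host)
    return sorted(hosts)


def cookie_lifetime(set_cookie_value, now):
    """Return (name, lifetime) for one Set-Cookie header value; lifetime is a
    timedelta, or None for a session cookie. RFC 6265: Max-Age wins over Expires."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    max_age = expires = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "max-age":
            try:
                max_age = int(val)
            except ValueError:
                pass
        elif key == "expires":
            try:
                expires = parsedate_to_datetime(val)
            except (TypeError, ValueError):
                pass
    if max_age is not None:
        return name, timedelta(seconds=max_age)
    if expires is not None:
        if expires.tzinfo is None:        # treat a naive date as UTC
            expires = expires.replace(tzinfo=timezone.utc)
        return name, expires - now
    return name, None


def long_lived_cookies(set_cookie_headers, now, max_days):
    """[(name, days)] for cookies outliving max_days, longest first.
    Session cookies (no lifetime) are never flagged."""
    flagged = []
    for header in set_cookie_headers:
        name, lifetime = cookie_lifetime(header, now)
        if lifetime is not None and lifetime > timedelta(days=max_days):
            flagged.append((name, lifetime.days))
    return sorted(flagged, key=lambda item: item[1], reverse=True)


# Constructed sample capture; the hosts and cookie names are hypothetical.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://static.shop.example/bundle.js"></script>
<script src="https://cdn.analytics-vendor.example/track.js"></script>
<script async src="//tags.adtech.example/pixel.js"></script>
</head><body></body></html>"""
SAMPLE_SET_COOKIE = [
    "sessionid=abc123; Path=/; Secure; HttpOnly",
    "cart=42; Max-Age=604800; Path=/",
    "_vendor_uid=x9; Domain=.analytics-vendor.example; Max-Age=946080000; Path=/",
    "_tracker=y7; Expires=Thu, 01 Jan 9017 00:00:00 GMT; Path=/",
]
NOW = datetime(2017, 6, 23, tzinfo=timezone.utc)  # fixed clock for a reproducible report
MAX_COOKIE_DAYS = 395  # assumed policy ceiling (about 13 months), not a figure from the article

if __name__ == "__main__":
    print("Third-party script hosts:", third_party_script_hosts(SAMPLE_HTML, "shop.example"))
    for name, days in long_lived_cookies(SAMPLE_SET_COOKIE, NOW, MAX_COOKIE_DAYS):
        print("cookie %s lives %d days (~%d years)" % (name, days, days // 365))
```

Run against the constructed capture, the script reports two third-party hosts (the first-party subdomain and the relative path are excluded) and flags the 30-year `_vendor_uid` cookie and the 7,000-year `_tracker` cookie while leaving the one-week cart cookie and the session cookie alone. Feeding it the HTML and response headers of a real page, captured over time, is the minimum needed to answer the inventory questions above; it does not see scripts injected at runtime by other scripts, which is why the article calls for continuous scanning rather than a one-off review.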
Matt O’Neill has been working on the front line of digital advertising in an industry-facing capacity since 1999. Most recently, he has taken on the role of European General Manager for The Media Trust, a US-based digital security and advertising quality assurance company. Matt strives to generate industry consensus from senior leaders and drive innovation through collaboration. He is a frequent speaker, panelist, and chair at industry conferences including Digiday, IAB, dmexco, The Guardian, AOP (UK), Admangerforum, and corporate-operated events. He is an active advisor and investor for advertising and marketing technology start-up enterprises and a senior partner at AtlanticLeap.