This infographic was first posted in Digiday on May 8, 2018.
This infographic was first posted in Digiday on May 8, 2018.
This article originally appeared in Corporate Compliance Insights on April 16, 2018.
The digital age breeds constant change – none more powerful than the availability of data and, more specifically, the ease of collecting and using personal data. For industry, this data has the power to both accelerate new opportunities for growth and act as an anchor to drag down momentum. In an era where businesses prize data and guard against its misappropriation, its troubling that this discernment doesn’t carry over to the digital environment, where countless third parties and partners on enterprise websites and mobile apps have access to personal user data, often without a company’s knowledge.
While it might be the biggest cybersecurity event of the year, RSA 2018 can be overwhelming. The crowds, lectures, sparkly gadgets, and more can confuse the senses and make you forget about your top security priorities. Don’t worry, The Media Trust is there to answer your questions about digital security and compliance. No matter what your industry (banking, ecommerce, media, government, hospitality, etc.), your corporate mobile apps and websites have the potential to be your greatest business assets or largest source of security, revenue, and reputational risks. Learn how we close the gaps in your security and compliance posture that traditional web appsec tools don’t.
Here are five reasons to swing by our booth next week:
2. GDPR Compliance – we walk the talk
Your mobile apps and websites are out of control – no, this isn’t a hyperbolic statement. With third parties contributing anywhere between 50-75% (sometimes as high as 95%) of your code base, controlling data collection activity that violates the GDPR directive isn’t straightforward. Speak to us about how to regain control of your digital assets.
Catch our session, GDPR Compliance–You forgot your digital environment, on Thursday, April 19, between 1:45 pm – 2:30 pm at Moscone West 2018. Session ID: GRC-R12.
3. Attack intel (not the just threat intel)
Our Malware Attack Data enables you to block active attacks targeting your endpoints through frequently whitelisted, premium websites – news, travel, social networks, and more. Let’s talk about how our attack data can augment your AVs, firewalls, web filters, and blocking solutions.
4. Free website audits
Want a sneak peek into your mobile app and website shadow IT? Get a free website audit and discover the surprising number of domains and cookies (including user identifying cookies) operating outside the perimeter of your IT and security tools
5. Coffee, martinis, and comfy couches
If you don’t want to talk security and compliance, and are just curious about The Media Trust or are badly in need of caffeine, drop by and say hi! Here are our Coffee and Martini Bar hours –
Coffee Bar: 10:00 am – 1:00 pm, April 17-18, 2018
Martini Bar: 4:00 pm – 6:00 pm, April 18, 2018
We’ll be there at Booth #2507, South Hall, Moscone Convention Center, San Francisco. Enter the South Hall, turn right, and follow the inquisitive masses.
This article appeared in the March 14, 2018 issue of ITBusinessEdge
With the EU’s General Data Protection Regulation (GDPR) only less than three months away from enforcement, organizations are (hopefully) pulling together their GDPR strategy. However, the nuances of GDPR are something most of us are still trying to understand – and we probably won’t grasp until the regulation is in effect and tested. In the rush to meet the compliance standards, errors will likely be made. I talked to security experts, and here are some of the more common GDPR prep mistakes.
“When it comes to GDPR compliance, the primary focus for most enterprises is on determining customer, partner, and employee-held data elements by the organization. Unfortunately, most have overlooked the significant amount of data collection activities occurring via the organization’s websites and mobile apps,” explained Chris Olson, CEO of The Media Trust. “This is a critical oversight since there are anywhere between tens to hundreds of unknown vendors not only executing code but also collecting personally identifiable information on website visitors. In fact, enterprises tend to find two to three times more vendor-contributed code on their websites than expected.”
This article by Matt O’Neill, General Manager, Europe was originally published in Digital Content Next on February 6, 2018.
Yes, it is the topic du jour, but somehow many are still adrift when it comes to the European Union’s impending General Data Protection Regulation (GDPR), which goes into effect on 25 May 2018—under 100 working days or five short months away. Countless articles summarise requirements into generalities covering organisation-wide data elements, such as customer, partner and vendor information. More often than not this approach doesn’t mean much to Ad/Revenue Operations (Ad Ops) professionals.
GDPR presents three significant hurdles to Ad Ops:
The highly-dynamic and opaque nature of the digital ecosystem often means that all three of these hurdles are difficult to clear without adversely affecting a media publisher’s strategic revenue channel. So, the key issue to resolve is this: how does a publisher go about managing data in a GDPR-compliant way but without undermining its business model(s) and therefore its commercial viability?
The answer, as usual, is Ad Ops. For this group, GDPR presents an important opportunity. As the frontline of digital operations, Ad Ops professionals are in the unique position to influence, drive, and co-create strategies to protect and optimise revenue in the changing regulatory environment. In fact, they have a powerful legitimate reason to control audience data collection activities on their digital properties and demand compliance from upstream partners.
The daily demands placed on Ad Ops can be overwhelming, with the complexities—and vagaries—of GDPR an unwelcome intrusion. But it’s a critical opportunity. Here’s a 10-step approach (with supporting GDPR references) towards GDPR compliance for media-oriented websites and mobile apps:
Every business— large and small—should have a GDPR ‘Task Force’ or something similar. This could be organised by a senior data privacy leader, such as a Data Protection Officer (DPO), which is now a requirement for many organisations. The Task Force should be staffed with key personnel across the organisation who interact with any type of personal data, i.e. operations, IT, privacy and risk, security, HR etc, and should include individuals across strategic markets as the GDPR has a global reach (see GDPR Article 3). As part of the Task Force, Ad Ops can explain the role of consumer data in the digital environment to deliver user-specific content and advertisements and how it supports the publication’s mission and contributes to revenue.
It is important to understand that the scope of personal data is broader than under existing EU data protection law. Under Article 4 of the GDPR, personal data is defined as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
To this extent, typical data collection, use and sharing activity generated from everyday access of websites and/or mobile apps for digital advertising purposes (i.e. cookie deployment or device identification) should be treated as personal data. Therefore, the term ‘non-Personally Identifiable Information’ should no longer exist as personal data under the GDPR is broader than PII, which is a significant change for digital advertising.
The Task Force will probably be responsible for developing a centralised roadmap for the organisation’s digital data and designing the plans to implement necessary processes and changes (including budgetary considerations) required to comply with the new law. Many organisations will need to conduct a Data Protection Impact Assessment (DPIA–a valuable exercise for good data hygiene), mapping the kind of data collected and processed. Here’s a good template to follow[i].
The DPIA should enable revenue and Ad Ops teams to get up close and personal with all data collection and processing activities, and knowing with whom data is being shared. There are many companies that can assist with DPIAs to develop a point-in-time data picture, which is a critical start to identifying data in the publisher ecosystem. However, the ever-changing digital environment requires continuous monitoring for compliance in order to provide an audit trail or truly demonstrate ongoing compliance. The bottom line is that the GDPR seeks to introduce a ‘Privacy by Design’ approach: removing or minimising data or ‘pseudonymising’ it (e.g. hashing) to minimise the privacy risks.
Accountability is a central theme within the GDPR: you are required to record and account for all data processing activities. Ultimately, publishers will need to know and understand what data is being collected and processed, and who it is shared with—a serious challenge for the dynamic digital environment.
This means Ad Ops needs to develop a list of all parties that execute on the website (including contracted second parties and any subsequent parties called during the rendering of the visitor experience), analyse digital behaviour to understand data collection or targeting needs, and block those that exhibit anomalous or unapproved activity.
Conducting a data audit, compiling inventory and documenting authorized partners is a good first step; however, these will have to be continuously evaluated with an eye towards changing partner activity, new digital supply chain partners, international data transfers and consumer understanding of tracking/identification and its value to the digital experience.
It may seem strange for Ad Ops teams to concern themselves with too many legalities, but with the GDPR it is imperative that those involved in data collection activities understand the consequences of their actions. The regulation outlines six legal bases to justify the processing of personal data:
Digital advertising will require the user’s consent, not least because it is required for the storing of information or gaining access to information already stored on a device—whether personal or not—(i.e. via a cookie) under the existing ePrivacy Directive (See Step 6.) This is where Ad Ops needs to work closely with the compliance teams: an innovative consent mechanism will be required for digital advertising activities. But, keep in mind that some data processing activities (e.g. for network security or when tackling fraud) may warrant different legal bases.
The GDPR introduces obligations (and liability) for all organisations, whether a ‘data controller’ or ‘data processor’. Find out how data partners are preparing for the GDPR and establish a working group with key partners to discuss compliance strategies. This requires first knowing your upstream partners from SSPs and exchanges through to DMP and DSPs. Some data partners are likely to have to conduct a DPIA as well—guide the process for them. In time, revisit, review and adapt contracts or agreements with existing partners to ensure that shared obligations and responsibilities under the GDPR are accounted for and that partners are complying with digital asset policies for your company. If a partner chooses to not comply with your policies reconsider your relationship with them.
Consent is the new king in digital advertising, so review where and how you obtain it. Under the GDPR, consent must be given freely, specifically, and unambiguously, and it requires affirmative user action. Some pre-GDPR consent mechanisms (i.e. so-called ‘implied’ consent) may not be valid when the GDPR applies. And it remains to be seen if existing consent management platforms can properly handle authorized cookies delivered by third-party partners in addition to a publisher’s first-party cookies. It’s important that practical and user-friendly consent mechanisms are adopted. Where appropriate, review existing consent mechanisms and explore evolving market solutions to suit your business. EU regulators have provided some draft guidance on consent[ii].
Revisit and restructure your Privacy Notice to ensure that it meets the requirements of GDPR. It is likely it will need to include more information than your existing one (such as all the technologies used to process data, including by third-party solution providers). Ad Ops teams will be directly responsible for any data collection activities. The UK Information Commissioner’s Office (ICO) Code of Practice[iii] provides a good template to follow, including what information to include, how the Privacy Notice should be written, and how to test, review and roll it out. But don’t stop there. Consider enhancing transparency by deploying additional measures including ‘Just-in Time’ mechanisms, video messages or the EU AdChoices programme[iv].
The GDPR seeks to give people greater control over their data and therefore includes many rights for individuals, such as the Right to Erasure and the Right to Data Portability. Media publishers will need to put in place processes to achieve these for their customers. Beyond consent, publishers need to provide mechanisms for consumers to solicit information collected and used by the publisher and absolutely honour requests for data removal. The ability to offer this functionality and test its reliability are further proof points to demonstrate compliance. Where appropriate, point to existing controls such as unsubscribe mechanisms and opt-out points, and consider other innovative data control solutions.
Choose who your ‘Lead Supervisory Authority’ (i.e. regulator) will be when the GDPR becomes effective. This regulator will act as a single point of contact for the enterprise’s data activities throughout the EU. Documenting and opening up communication channels with the Lead Supervisory Authority now is critical to understanding how future enforcement will be carried out. Keep an eye on Brexit: if you are hoping to designate the UK ICO you may have to think again.
Implement (and test) procedures to detect, report, investigate and resolve a personal data breach (e.g. data loss or hack). Keep in mind that the reporting of high-risk breaches to the relevant Supervisory Authority (regulator) needs to happen within 72 hours of discovery—a timeline publishers are not positioned to meet. As Data Controllers, Publishers are ultimately responsible for breach notifications and, therefore, they need to be aware of any breach that occurs throughout the digital supply chain including upstream partners.
All experts agree: GDPR will be a watershed moment for digital publishers. The next several months (let alone years) will be tumultuous as stragglers try to catch up and the more-prepared publishers await the success of their compliance programmes.
On a positive note, the winds are favourable for digital publishers to take back control over their audience data. Direct access to the consumer relationship and the control of consumer consent puts publishers at the helm. However, it is up to the unlikely heroes—Ad Ops teams—to ensure smooth sailing when it comes to digital data compliance and risk management.
This article originally appeared in AdMonsters on December 19, 2017.
Data privacy and legal compliance experts agree: GDPR is too big to ignore. As an ad/revenue operations (ops), you should already know the E.U.’s General Data Protection Regulation (GDPR) comes into effect in May, 2018. What’s actually new in this story? Valid point. Despite months—possibly years—of preparation, publishers still have questions about GDPR’s implications, some of them pretty basic: Will this apply to our business? What do we need to do to become compliant? What kind of enforcement is expected? Can we just cross our fingers and ignore it?
The answers to these questions lie in every digital publisher’s ecosystem. GDPR affects any entity worldwide that digitally targets or monitors people in the E.U. This means knowing what’s happening in your digital environment, from vendors executing to data tracking. If knowing your digital partners doesn’t appeal as a basic business practice, then maybe the fines for violating GDPR will (maxing out at 20 million euro or 4% of the company’s global revenue, whichever is higher).
This article first appeared in Corporate Compliance Insights on December 18, 2017
In a precedent-setting move, the High Court in the United Kingdom (U.K.) ruled that a company is liable for data breaches caused by employees, shedding insight into the future of data privacy regulatory enforcement. The speed and flexibility of today’s digital world require the adoption of risk strategies that address not only employee behavior but also the vendors executing on enterprise websites and mobile apps. The changing regulatory environment mandates better control of these digital assets and the role they play in collecting, storing and sharing consumer data.
Watch today: https://www.admonsters.com/gdpr-webinar-recording/
Understanding and complying with the EU’s General Data Protection Regulation is a challenge for any enterprise with consumer-facing websites and apps, especially Media publishers.
In this AdMonsters webinar, public policy consultant Nick Stringer details steps Ad/Revenue Operations teams should take to comply with GDPR and presents other looming regulatory issues
Your customer’s digital experience is powered by a range of third-party services not controlled by enterprise IT–ad blocker, advertising, analytics, content recommendation, data management, payments, social widgets, video players, and so much more. Increasingly, these services are proving to be a source of regulatory violations.
Authored by Chris Olson, CEO & Co-Founder, The Media Trust
This article originally appeared in Website Magazine in September 2017
Compliance officers need to rein in the regulatory risks associated with their digital properties. The European Union’s General Data Protection Regulation (GDPR) is a conversation starter for most companies looking to control compliance, reputational and revenue risks. However, while focus has been on identifying data elements–customer, partner and employee–held by the organization, most have overlooked the data collection activities occurring via the company’s websites and mobile apps. Just as with Pandora’s box, there’s a slew of GDPR-driven evil emitting from your digital properties.
The internet is a highly-dynamic environment and most websites require a host of third-party providers to render content on a consumer’s browser. In fact, enterprises tend to find two to three times more external code on their websites than expected. The purpose of this code is to provide or enable services–data management platforms, image or video hosting, marketing analytics, content delivery, customer identification, payment processing, etc.–required to deliver the website experience. However, most enterprises are not aware of the full depth of their reliance on these vendors and therefore do not fully examine the code executing in their own digital environment. This results in “Digital Shadow IT”, which is rampant on most enterprise digital properties since a majority of third-party contributed code executing on the consumer browser operates outside IT infrastructure.
True, third-party digital vendors power today’s robust and feature-rich websites and apps; the downside, however, is that their code execution goes largely unchecked, enabling unauthorized and unmonitored data tracking. This applies to not only known third-party vendors, but also other vendors with whom they are associated—frequently an external provider needs to call a fourth, fifth and sixth party to help execute its requested service. This essentially means that not only do organizations need to get their own house in order, they need to ensure their digital vendors do so as well.
Reliance on web application security tools (appsec) to holistically monitor website and app code is misguided since current web appsec tools are inadequate in capturing third-party code execution. Additionally, security and compliance professionals aren’t fully aware of the amount of consumer data collection activity that takes place–such as cookie drops, pixel fires, device ID fingerprint collection, and more. When GDPR goes live in May 2018, Ignorantia juris non excusat (ignorance of the law excuses not) will not be a valid defense when confronted with a data privacy violation. It comes as little surprise that around 86% of organizations worldwide are concerned about GDPR noncompliance.
One of GDPR’s key requirements centers around personal online behavior data—specifically information collected from an individual’s digital activity, i.e., websites visited, links clicked, forms submitted, etc.–and imposes restrictions on its safe transfer outside the European Union to other businesses or legal entities. Organizations will need a clear understanding of whose data is being collected, what data is being collected, what it is used for, and, if the data subject resides within the EU, where this information is being transferred and confidence that it is adequately protected!
Thanks to the density of code executing behind today’s websites and mobile apps this data inventory task is easier said than done.
Data documentation is much harder than companies anticipate, particularly for media and ecommerce websites offering digital display advertising space. Ultimately companies will need to ensure each of their advertising partners do not engage in activity which could put their organization or customer data in violation of GDPR.
Let’s not forget that recent website security breaches also demonstrate that third-parties are often the weakest link in the security chain. While an organization may employ rigorous security controls around physical vendors and contracted partners, they fail to extend the same rigor to their digital counterparts. Gartner predicts that by 2020, 33% of attacks experienced by enterprises will be as a result of shadow IT resources. Based on this evidence it is no wonder the GDPR focuses so heavily on third-party relationships. Clearly, when it comes to unchecked third-party code on websites and mobile apps, it isn’t just compliance risks but significant security risks that enterprises need to consider. How do firms control something they enable but don’t see and can ill-afford to ignore?
The odds are stacked against enterprise website operators, but creating a holistic digital vendor risk management program is a step in the right direction. The first step is documenting a few basic facts about your specific digital environment by asking website teams the following:
1. How many third-party vendors execute on websites and mobile apps?
2. What are the names of these vendors?
3. What exactly are they doing, i.e., intended purpose and also any additional, out-of-scope activity?
4. Do we have contracts to authorize the scope of the work?
5. How does third-party vendor activity affect overall website and mobile app performance?
6. What are the risks to data privacy?
7. What is my business’s exposure to regulatory risk via vendor behavior?
8. Is my organization maintaining encryption throughout the code execution chain?
9. As these vendors change over time, what is the process to identify new vendors and their activity on websites and apps?
10. Have Data Compliance policies been communicated to digital vendors?
Once these questions are successfully (or satisfactorily) answered, they should be revisited on a regular basis. Continuous monitoring of the digital environment helps create a compliance mechanism that alerts you to violations.
Organizations must then, of course, strive to document how their third-party partners handle this same data—another GDPR requirement. This information is critical to ensuring customer data is not being put at risk at any time regardless of data holder. In effect, both your organization and your third parties need to develop, communicate and enforce the policies, processes and technologies necessary to support all digital-related aspects of GDPR, from consumer online behavior data collection, use, storage and transfer.
When the regulation comes into force, enterprises that look at this as a key opportunity to protect user/ consumer data, and their own brand, could establish a competitive advantage. The end result should also translate to fewer breaches, less opportunities for cybercriminals, and a much safer cyberspace. The internet’s Pandora’s box may have been opened, but it doesn’t have to spread evil into the world.