Data is Power: Wield it Wisely

This article originally appeared in Corporate Compliance Insights on April 16, 2018.

Read article 

CCI-Data is Power

The digital age breeds constant change – none more powerful than the availability of data and, more specifically, the ease of collecting and using personal data. For industry, this data has the power to both accelerate new opportunities for growth and act as an anchor to drag down momentum. In an era where businesses prize data and guard against its misappropriation, its troubling that this discernment doesn’t carry over to the digital environment, where countless third parties and partners on enterprise websites and mobile apps have access to personal user data, often without a company’s knowledge.

Continue reading

 

5 Reasons to Swing by The Media Trust Booth at RSA 2018

RSA 2018 Booth

While it might be the biggest cybersecurity event of the year, RSA 2018 can be overwhelming. The crowds, lectures, sparkly gadgets, and more can confuse the senses and make you forget about your top security priorities. Don’t worry, The Media Trust is there to answer your questions about digital security and compliance. No matter what your industry (banking, ecommerce, media, government, hospitality, etc.), your corporate mobile apps and websites have the potential to be your greatest business assets or largest source of security, revenue, and reputational risks. Learn how we close the gaps in your security and compliance posture that traditional web appsec tools don’t.

Here are five reasons to swing by our booth next week:

  1. Identify and Remedy your Digital Shadow IT
    Many industry experts will caution you against shadow IT, only a handful will tell you where to look for it. We not only expose the shadow IT on your enterprise mobile apps and websites but also detect concealed threats like malicious code injection, unauthorized data collection, latency issues, as well as help remediate these issues via our Digital Vendor Risk Management platform.

2. GDPR Compliance – we walk the talk
Your mobile apps and websites are out of control – no, this isn’t a hyperbolic statement. With third parties contributing anywhere between 50-75% (sometimes as high as 95%) of your code base, controlling data collection activity that violates the GDPR directive isn’t straightforward. Speak to us about how to regain control of your digital assets.

Catch our session, GDPR Compliance–You forgot your digital environment, on Thursday, April 19, between 1:45 pm – 2:30 pm at Moscone West 2018. Session ID: GRC-R12.

3. Attack intel (not the just threat intel)
Our Malware Attack Data enables you to block active attacks targeting your endpoints through frequently whitelisted, premium websites – news, travel, social networks, and more. Let’s talk about how our attack data can augment your AVs, firewalls, web filters, and blocking solutions.

4. Free website audits
Want a sneak peek into your mobile app and website shadow IT? Get a free website audit and discover the surprising number of domains and cookies (including user identifying cookies) operating outside the perimeter of your IT and security tools

5. Coffee, martinis, and comfy couches
If you don’t want to talk security and compliance, and are just curious about The Media Trust or are badly in need of caffeine, drop by and say hi! Here are our Coffee and Martini Bar hours – 
Coffee Bar: 10:00 am – 1:00 pm, April 17-18, 2018
Martini Bar: 4:00 pm – 6:00 pm, April 18, 2018

We’ll be there at Booth #2507, South Hall, Moscone Convention Center, San Francisco. Enter the South Hall, turn right, and follow the inquisitive masses.

Top 10 Mistakes Companies Make in GDPR Preparation

GDPR

This article appeared in the March 14, 2018 issue of ITBusinessEdge 

Read

With the EU’s General Data Protection Regulation (GDPR) only less than three months away from enforcement, organizations are (hopefully) pulling together their GDPR strategy. However, the nuances of GDPR are something most of us are still trying to understand – and we probably won’t grasp until the regulation is in effect and tested. In the rush to meet the compliance standards, errors will likely be made. I talked to security experts, and here are some of the more common GDPR prep mistakes.

“When it comes to GDPR compliance, the primary focus for most enterprises is on determining customer, partner, and employee-held data elements by the organization. Unfortunately, most have overlooked the significant amount of data collection activities occurring via the organization’s websites and mobile apps,” explained Chris Olson, CEO of The Media Trust. “This is a critical oversight since there are anywhere between tens to hundreds of unknown vendors not only executing code but also collecting personally identifiable information on website visitors. In fact, enterprises tend to find two to three times more vendor-contributed code on their websites than expected.”

Continue Reading

Ad Ops: The Unlikely GDPR Heroes

This article by Matt O’Neill, General Manager, Europe was originally published in Digital Content Next on February 6, 2018.

art abstract dark business depression background

Read article

10 actionable steps to charting a publisher’s course to digital GDPR compliance

Yes, it is the topic du jour, but somehow many are still adrift when it comes to the European Union’s impending General Data Protection Regulation (GDPR), which goes into effect on 25 May 2018—under 100 working days or five short months away. Countless articles summarise requirements into generalities covering organisation-wide data elements, such as customer, partner and vendor information. More often than not this approach doesn’t mean much to Ad/Revenue Operations (Ad Ops) professionals.

The Ad Ops Challenge

GDPR presents three significant hurdles to Ad Ops:

  1. Identifying known data collection activity;
  2. Confirming it is legitimate under GDPR (i.e. that the rules are being met); and
  3. Detecting and remediating unauthorised data collection, which is potentially considered a data breach.

The highly-dynamic and opaque nature of the digital ecosystem often means that all three of these hurdles are difficult to clear without adversely affecting a media publisher’s strategic revenue channel. So, the key issue to resolve is this: how does a publisher go about managing data in a GDPR-compliant way but without undermining its business model(s) and therefore its commercial viability?

The answer, as usual, is Ad Ops. For this group, GDPR presents an important opportunity. As the frontline of digital operations, Ad Ops professionals are in the unique position to influence, drive, and co-create strategies to protect and optimise revenue in the changing regulatory environment. In fact, they have a powerful legitimate reason to control audience data collection activities on their digital properties and demand compliance from upstream partners.

10 Steps to GDPR Compliance

The daily demands placed on Ad Ops can be overwhelming, with the complexities—and vagaries—of GDPR an unwelcome intrusion. But it’s a critical opportunity. Here’s a 10-step approach (with supporting GDPR references) towards GDPR compliance for media-oriented websites and mobile apps:

1. Participate in an internal GDPR Task Force [GDPR Articles 37-39]

Every business— large and small—should have a GDPR ‘Task Force’ or something similar. This could be organised by a senior data privacy leader, such as a Data Protection Officer (DPO), which is now a requirement for many organisations. The Task Force should be staffed with key personnel across the organisation who interact with any type of personal data, i.e. operations, IT, privacy and risk, security, HR etc, and should include individuals across strategic markets as the GDPR has a global reach (see GDPR Article 3). As part of the Task Force, Ad Ops can explain the role of consumer data in the digital environment to deliver user-specific content and advertisements and how it supports the publication’s mission and contributes to revenue.

It is important to understand that the scope of personal data is broader than under existing EU data protection law. Under Article 4 of the GDPR, personal data is defined as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

To this extent, typical data collection, use and sharing activity generated from everyday access of websites and/or mobile apps for digital advertising purposes (i.e. cookie deployment or device identification) should be treated as personal data. Therefore, the term ‘non-Personally Identifiable Information’ should no longer exist as personal data under the GDPR is broader than PII, which is a significant change for digital advertising.

2.  Evaluate the Privacy Risks [GDPR Articles 25, 35 & 36]

The Task Force will probably be responsible for developing a centralised roadmap for the organisation’s digital data and designing the plans to implement necessary processes and changes (including budgetary considerations) required to comply with the new law. Many organisations will need to conduct a Data Protection Impact Assessment (DPIA–a valuable  exercise for good data hygiene), mapping the kind of data collected and processed. Here’s a good template to follow[i].

The DPIA should enable revenue and Ad Ops teams to get up close and personal with all data collection and processing activities, and knowing with whom data is being shared. There are many companies that can assist with DPIAs to develop a point-in-time data picture, which is a critical start to identifying data in the publisher ecosystem. However, the ever-changing digital environment requires continuous monitoring for compliance in order to provide an audit trail or truly demonstrate ongoing compliance. The bottom line is that the GDPR seeks to introduce a ‘Privacy by Design’ approach: removing or minimising data or ‘pseudonymising’ it (e.g. hashing) to minimise the privacy risks.

3.  Create an Authorised Partner List [GDPR Article 30]

Accountability is a central theme within the GDPR: you are required to record and account for all data processing activities. Ultimately, publishers will need to know and understand what data is being collected and processed, and who it is shared with—a serious challenge for the dynamic digital environment.

This means Ad Ops needs to develop a list of all parties that execute on the website (including contracted second parties and any subsequent parties called during the rendering of the visitor experience), analyse digital behaviour to understand data collection or targeting needs, and block those that exhibit anomalous or unapproved activity.

Conducting a data audit, compiling inventory and documenting authorized partners is a good first step; however, these will have to be continuously evaluated with an eye towards changing partner activity, new digital supply chain partners, international data transfers and consumer understanding of tracking/identification and its value to the digital experience.

4.  Get Legal! [GDPR Article 6]

It may seem strange for Ad Ops teams to concern themselves with too many legalities, but with the GDPR it is imperative that those involved in data collection activities understand the consequences of their actions. The regulation outlines six legal bases to justify the processing of personal data:

  • the user’s consent (which is defined more stringently than under current data protection law)
  • the use of contracts involving the user
  • legal compliance (i.e. with another law)
  • protecting the interests of an individual
  • when it is in the public interest to do so
  • when it is the organisation’s legitimate interests to do so (provided it doesn’t override the rights of the individual)

Digital advertising will require the user’s consent, not least because it is required for the storing of information or gaining access to information already stored on a device—whether personal or not—(i.e. via a cookie) under the existing ePrivacy Directive (See Step 6.) This is where Ad Ops needs to work closely with the compliance teams: an innovative consent mechanism will be required for digital advertising activities. But, keep in mind that some data processing activities (e.g. for network security or when tackling fraud) may warrant different legal bases.

5.  Enforce Digital Partner Compliance [Articles 26-30]

The GDPR introduces obligations (and liability) for all organisations, whether a ‘data controller’ or ‘data processor’. Find out how data partners are preparing for the GDPR and establish a working group with key partners to discuss compliance strategies. This requires first knowing your upstream partners from SSPs and exchanges through to DMP and DSPs. Some data partners are likely to have to conduct a DPIA as well—guide the process for them. In time, revisit, review and adapt contracts or agreements with existing partners to ensure that shared obligations and responsibilities under the GDPR are accounted for and that partners are complying with digital asset policies for your company. If a partner chooses to not comply with your policies reconsider your relationship with them.

6.  Obtain Consent [GDPR Articles 7-9]

Consent is the new king in digital advertising, so review where and how you obtain it. Under the GDPR, consent must be given freely, specifically, and unambiguously, and it requires affirmative user action. Some pre-GDPR consent mechanisms (i.e. so-called ‘implied’ consent) may not be valid when the GDPR applies. And it remains to be seen if existing consent management platforms can properly handle authorized cookies delivered by third-party partners in addition to a publisher’s first-party cookies. It’s important that practical and user-friendly consent mechanisms are adopted. Where appropriate, review existing consent mechanisms and explore evolving market solutions to suit your business. EU regulators have provided some draft guidance on consent[ii].

7.  Be Transparent [GDPR Articles 12-14]

Revisit and restructure your Privacy Notice to ensure that it meets the requirements of GDPR. It is likely it will need to include more information than your existing one (such as all the technologies used to process data, including by third-party solution providers). Ad Ops teams will be directly responsible for any data collection activities. The UK Information Commissioner’s Office (ICO) Code of Practice[iii] provides a good template to follow, including what information to include, how the Privacy Notice should be written, and how to test, review and roll it out. But don’t stop there. Consider enhancing transparency by deploying additional measures including ‘Just-in Time’ mechanisms, video messages or the EU AdChoices programme[iv].

8.  Give your Customers Greater Control over their Information [GDPR Articles 15-22]

The GDPR seeks to give people greater control over their data and therefore includes many rights for individuals, such as the Right to Erasure and the Right to Data Portability. Media publishers will need to put in place processes to achieve these for their customers. Beyond consent, publishers need to provide mechanisms for consumers to solicit information collected and used by the publisher and absolutely honour requests for data removal. The ability to offer this functionality and test its reliability are further proof points to demonstrate compliance. Where appropriate, point to existing controls such as unsubscribe mechanisms and opt-out points, and consider other innovative data control solutions.

9.  Designate a Lead Supervisory Authority [GDPR Article 56, 60-61]

Choose who your ‘Lead Supervisory Authority’ (i.e. regulator) will be when the GDPR becomes effective. This regulator will act as a single point of contact for the enterprise’s data activities throughout the EU. Documenting and opening up communication channels with the Lead Supervisory Authority now is critical to understanding how future enforcement will be carried out. Keep an eye on Brexit: if you are hoping to designate the UK ICO you may have to think again.

10.  Prepare for any Data Breaches [GDPR Articles 33-34]

Implement (and test) procedures to detect, report, investigate and resolve a personal data breach (e.g. data loss or hack). Keep in mind that the reporting of high-risk breaches to the relevant Supervisory Authority (regulator) needs to happen within 72 hours of discovery—a timeline publishers are not positioned to meet. As Data Controllers, Publishers are ultimately responsible for breach notifications and, therefore, they need to be aware of any breach that occurs throughout the digital supply chain including upstream partners.

Sailing Through the GDPR Storm

All experts agree: GDPR will be a watershed moment for digital publishers. The next several months (let alone years) will be tumultuous as stragglers try to catch up and the more-prepared publishers await the success of their compliance programmes.

On a positive note, the winds are favourable for digital publishers to take back control over their audience data. Direct access to the consumer relationship and the control of consumer consent puts publishers at the helm. However, it is up to the unlikely heroes—Ad Ops teams—to ensure smooth sailing when it comes to digital data compliance and risk management.

[i]  https://ico.org.uk/media/for-organisations/documents/1595/pia-code-of-practice.pdf

[ii]  http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083

[iii]  https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/

[iv]  http://www.edaa.eu/

The State of GDPR: Publishers’ Questions Answered

This article originally appeared in AdMonsters on December 19, 2017.

AdMonster_GDPR_660x320

Read article

Data privacy and legal compliance experts agree: GDPR is too big to ignore. As an ad/revenue operations (ops), you should already know the E.U.’s General Data Protection Regulation (GDPR) comes into effect in May, 2018. What’s actually new in this story? Valid point. Despite months—possibly years—of preparation, publishers still have questions about GDPR’s implications, some of them pretty basic: Will this apply to our business? What do we need to do to become compliant? What kind of enforcement is expected? Can we just cross our fingers and ignore it?

The answers to these questions lie in every digital publisher’s ecosystem. GDPR affects any entity worldwide that digitally targets or monitors people in the E.U. This means knowing what’s happening in your digital environment, from vendors executing to data tracking. If knowing your digital partners doesn’t appeal as a basic business practice, then maybe the fines for violating GDPR will (maxing out at 20 million euro or 4% of the company’s global revenue, whichever is higher).

Continue reading

High Court Ruling That Could Reverberate Around the World

U.K. and EU flags

This article first appeared in Corporate Compliance Insights on December 18, 2017

Read Article

In a precedent-setting move, the High Court in the United Kingdom (U.K.) ruled that a company is liable for data breaches caused by employees, shedding insight into the future of data privacy regulatory enforcement. The speed and flexibility of today’s digital world require the adoption of risk strategies that address not only employee behavior but also the vendors executing on enterprise websites and mobile apps. The changing regulatory environment mandates better control of these digital assets and the role they play in collecting, storing and sharing consumer data.