The Global Data Protection Regulation (GDPR) went into effect on May 25, 2018. In the digital marketing and advertising industry, the preceding weeks and months can be remembered fondly for the rush to audit websites, inventory data collection, and ensure compliance. While the preparation for compliance was extremely important and necessary, it is equally imperative to ensure continued adherence to the law in the post-GDPR world.
As most of you are probably well aware, with respect to data collection via tags on a website, there is a series of questions to work through for GDPR compliance:
- What platforms (tags) are executing on my site and collecting data from users?
- Of the platforms executing, which are collecting Personal Data and thus relevant under GDPR?
- What is the Legal Basis of Processing used and stated for each of the platforms? In the context of Marketing and Advertising this will either be Consent or Legitimate Interest.
- Are each of the platforms running on the site compliant in their own right and are the proper Data Sharing Agreements in place between our organizations?
- Is the processing of Personal Data properly reflected in the Privacy Notice on the site giving users full transparency to the data processed and its effect on them?
Here at Tag Inspector, the first 5 months of 2018 were focused on helping clients identify the different marketing and advertising platforms on their site collecting Personal Data. From there it was a race to work through the five questions above and ensure the proper documentation was all in place at each stage. If you still need help with this process, check out our article for Auditing Your Site for GDPR.
The question today being asked is “what now?” Luckily for you, we are here to help!
To ensure ongoing compliance with GDPR we still need to keep the main questions and audit workflow in mind. As we all know, the goals and initiatives for a website are constantly changing. With this change in focus and in efforts to always improve, the technology stack being used on the site is constantly in flux as well. For any and all new platforms added to the website the same process for GDPR assessment must be followed. To be proactive and ensure the different teams within our organization are following these guidelines, a process of ongoing monitoring becomes extremely important.
The process for ongoing monitoring should be divided into two initiatives:
- Proper process in place to vet any new technology being added to the site. This can be done as part of the procurement process and evaluation of any new vendor.
- Monitoring the data collection on the website against the Privacy Notice and internal policies for what can and should be happening.
Let’s explore each of these two parts to the process in further depth.
Evaluation of New Technologies
Prior to adding any new technology (and their tag) to your website there should be a thorough analysis in light of GDPR. Here we’ll want to follow the same workflow as the Audit conducted for initial GDPR compliance. Ask the following questions:
- What data will be collected and processed by this platform? Does any of this fall under the definition of Personal Data in the context of GDPR?
As you should be aware, Personal Data is defined as any information that can be used to directly or indirectly identify the identity of a natural person. Basically this means any unique identifier that is attached to a living, breathing human. If the tag you are using sets a unique ID for a user, even if it’s a random string of numbers, that qualifies as Personal Data.
- What is the Legal Basis of Processing we will be using for this platform?
In the context of Marketing and Advertising this will either be Consent or Legitimate Interest. If Consent is the method being used we need to make sure that the platform is not executing and processing Personal Data until the user has given explicit and unambiguous consent. This consent must be properly recorded and maintained.
If Legitimate Interest is being used, it must be clearly stated within the Privacy Notice that this is the case, the Personal Data processed, how it is used, and the effect on the user.
In both of these scenarios the user must also have the easy ability to withdraw their consent and opt-out of any of the processing occurring at any time.
- Is this platform compliant in its own right? Are the proper Data Sharing Agreements in place between our organizations?
Assessing a platform’s compliance with GDPR should be done as a part of the procurement process. All technology vendors at this point should be able to provide documentation of their organizational and technical safeguards around the protection and processing of Personal Data. Make sure to get this documentation and have it properly vetted by the internal information security and legal groups. Also ensure that any and all Data Sharing Agreements are in place, which should be provided by your internal legal teams.
- Is the processing of Personal Data properly reflected in the Privacy Notice on the site giving users full transparency to the data processed and its effect on them?
This is the last stage and necessary for all technologies on the site. The user must have clear and explicit notification of the Personal Data being collected by each technology, the Legal Basis for Processing the data, how it is used, and the ability to opt-out of the processing for any and all platforms.
When adding any new technology to the site, make sure that this is updated and published prior to deploying the tag on your site.
Walking through all of the above steps as a part of the initial tag implementation and vendor onboarding process will ensure all new technologies are properly vetted and the necessary documentation and notifications are in place to legally process the user’s personal data under GDPR.
Now that you can be sure all the proper paperwork and vetting are in line, how can you make sure nothing nefarious is happening with any of the vendors currently live and nothing has fallen through the cracks? It only takes one mistake in the vetting and implementation process to run afoul of the GDPR and find yourself open to a violation.
Ongoing Monitoring of Technologies
One common theme in both the audit process as well as the new vendor vetting process is that the documentation and evaluation culminates in the addition of the technology (along with the context) to the Privacy Notice. This document on your site is required to provide full transparency to users. As such, if a technology is processing Personal Data and is not listed in the Privacy Notice, it’s not compliant on your site. We can use this as the foundation for our ongoing monitoring process.
Within Tag Inspector there is the functionality to build Tag Policies and Rules. These are meant to be a translation of your Tag Governance Policy to monitor and ensure no unauthorized third parties are loading on your site and collecting data without you knowing. With GDPR, this Tag Governance Policy is represented by your Privacy Notice.
As established, the only tags allowed to be loading and collecting data on your site are those that are either a) not collecting and processing any Personal Data or b) are reflected in the Privacy Notice on your site. Define the compliant behavior in a Whitelist Policy within Tag Inspector. Here’s an example:
Using the Whitelist Rule you can go through and directly reflect the tags/platforms stated within the Privacy Notice and only set those to being “allowed” on your site. Add in also the platforms that are “allowed” because they have been evaluated and are not processing Personal Data.
You now have a full Compliance List to test and monitor GDPR compliance!
Once you have the Rule created, you can apply it to any Scan ran across your websites.
Tag Inspector will then Scan the site and compare the resulting tags found to the Whitelist policy that has been applied, highlighting any tags found to be executing that are not set to “Allowed” within your definitions.
The above will highlight any violations on your site where an unauthorized tag that has not been vetted by your organization and included in the Privacy Notice on your site(s) is in fact executing and collecting data about your users.
May 25, 2018 ushered in a new era of the internet, one in which the Privacy Rights of users are not to be taken lightly. Keep your organization safe from GDPR violations by implementing ongoing processes to evaluate new marketing/advertising technologies and monitor for compliance regularly.
Try a Free Scan to get the process rolling today and as always, Happy Scanning!