The materials are provided AS IS without any warranty and InfoTrust, LLC disclaims all warranties, express and implied, regarding these materials. The information contained in these materials was prepared for general informational purposes and it is not intended to provide legal advice. Before applying any of the information to your situation, you should consult your legal advisors.
Tag Audit and Inventory
The first step to ensuring all of the digital marketing and advertising platforms running on your site are GDPR compliant is to understand what digital marketing and advertising platforms are actually running on your site. In the modern technology ecosystem this can be difficult due to the practice of tag piggybacking.
Tag piggybacking can pose a major problem when it comes to GDPR compliance because, for many organizations, they are not even aware of this happening in many places on their site. While ignorance can be bliss, ignorance can also mean violations within the context of GDPR.
Within the Regulation, Article 5(2) explicitly states that it is the responsibility of the Controller to demonstrate compliance with the Principles of GDPR. This means that it is your responsibility, as the owner and operator of the website, to ensure protections for your users.
To learn more about the 6 Principles of GDPR, download our eBook: Everything Marketing and Advertising Professionals Need to Know about GDPR
For this reason, it is of utmost importance to understand all of the tag behavior on your site, be that tags loading directly from your source code, tags loading through your Tag Management System, or tags piggybacking and loading through other third parties you have implemented on your site.
To start this process, use a tool like Tag Inspector to create an inventory of all the tags/pixels loading and collecting information about your users.
A Tag Inventory should include the following:
A list of all platforms loading on the site
Identification of How Platforms are Loading: From the source code, through a TMS, or piggybacking and loading through another third party
Categorization of the Tag: What the platform is and its function on your site
Identification of where these various tags are implemented across all pages of your site
The Tag Inventory provides the basis and guide for the following steps in our GDPR Compliance Audit.
Tag Ownership and General Cleanup
Step Two of our GDPR Compliance Audit will be to go through all of the tags found in the inventory and identify the internal (and external) stakeholders that are responsible for each platform. Stakeholder mapping will allow you to assign “owners” for each tag and understand the people you will need to enlist to ensure compliance.
This is also a great opportunity to identify platforms that are no longer in use on your site and do a general tag cleanup. Under GDPR, the first of the 6 Principles is that Personal Data should be collected for a specific, legitimate purpose. If a platform is no longer in use but still collecting anything that could be classified as “Personal Data” (such as a unique Cookie ID used to target a user, an assigned User ID, email, etc.) that would put you in danger of non-compliance and those hefty financial punishments that everyone is talking about.
The removal of legacy tags can also result in page load performance improvements on the site. Some clients have seen up to a 20% reduction in page load time following tag cleanup efforts.
To organize these efforts, take your Tag Inventory from Step One and add in some columns to the Spreadsheet. To start, add in the following:
- Internal Business Owner
- Agency Partner (If Applicable)
- Migrate to TMS?
Following this organization, it’s time for some leg work! Work with your internal marketing and advertising teams to understand who works with and is responsible for each of the platforms. Also identify any third party organizations that help with the management of each technology.
Use the information collected in the Tag Inventory about how tags are loading to first focus on those “under your control”. These are any tags that load either directly from your source code or through a container tag (such as your Tag Management System) that you own and operate.
Once you have worked through these, then move on to any third parties that are piggybacking. For piggybacked tags, you’ll often need to have a discussion with the team responsible for and/or the vendor of the platform through which those third parties are loading. This part of the process is the most difficult within the Stakeholder Mapping phase, so it’s best to address the easy ones first so you at least know with whom the conversations need to be had.
As you work through, notate the platforms that should be kept and removed along with any tags that are currently loading outside of your Tag Management System that should be migrated and loaded via the TMS for easier management.
An optional, but highly recommended, process is to also assign a ‘Priority’ to each technology. This should correspond to how important each platform is to the business. For GDPR specifically, this is not 100% necessary, but can go a long way when trying to optimize the tagging architecture for purposes of site performance and optimal data collection.
Congratulations! You now have a grasp on the technologies that should be loading on your site. Now we need to evaluate each for GDPR compliance.
Evaluation of Each Tag
For each platform loading on your site and collecting Personal Data, you’ll need to ensure that it is compliant with the 6 Principles of GDPR. Remember, compliance is your responsibility as the Controller. If a vendor you work with is in violation of GDPR, at the end of the day you can be liable for working with that technology. To reduce the risk to your organization, all technologies need to be fully vetted and compliance must be documented.
To work through the evaluation, ask the following questions:
1) Is this Technology processing Personal Data?
Personal Data under GDPR is defined as any information that can be used to directly or indirectly identify the identity of a Natural Person. Basically, this means any unique identifier that can be used to identify and target a specific person. Important for the scope of marketing and advertising, Personal Data can include a unique cookie ID, an email address, or a User ID assigned on the website.
If so, proceed to the following:
2) What is the Legal Basis for Processing this data?
Under GDPR there are six different lawful basis options available to you. For marketing and advertising purposes, you will be working with either Consent or Legitimate Interest.
Under GDPR, Consent is defined as “Any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
Evaluating your consent mechanism?
Download the Everything Marketing and Advertising Professionals Need to Know about GDPR ebook now for a helpful checklist!
Under GDPR, this is processing that is necessary for the purposes of your (or a third party partner’s) business. The stated business interest must be balanced against the rights and freedoms of the data subject’s privacy and proven to outweigh the user’s interests and risks to their privacy.
Recital 47 of the GDPR explicitly states, “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”. This does not mean, however, that you have carte blanche to the user’s data for marketing and advertising. It simply means that this basis of processing can be utilized, provided you can justify using a Legitimate Interest Assessment (LIA).
The Legitimate Interest Assessment is a three step assessment that can be used to evaluate and document the Controller’s interest as compared with the privacy rights of the individual. The three areas to consider and some questions to ask within each are:
Identify the Legitimate Interest(s)
Here you need to explain why the data needs to be processed and what the end result will be. A few questions to ask:
- What are you hoping to achieve by processing the data?
- Who benefits and what are the benefits that will come from the processing?
- What are the wider public benefits, if any, that will come from the processing?
- How important are the benefits to the processing?
- Are there any impacts if you don’t go ahead with the processing? If so, what would they be?
- Would the use of the data be unlawful or unethical in any way?
An important note here is that the legitimate interest for processing the data must be clearly articulated and explained to the data subject. There must be a defensible position for why the data is being processed.
Apply the Necessity Test
Ask yourself if the processing of the data is absolutely necessary to accomplish the stated interest or goal. A few questions to ask:
- Is there another way to accomplish the stated interest without the processing of personal data?
- Does the processing occurring really help in furthering the business goal? If so, how?
- Is the process used to go about the processing reasonable?
- Why is this processing important to the Controller/business?
Do a Balancing Test
This is where you balance the interest of the Controller (or business) against the privacy rights and expectations of the user. The balancing test must always be conducted fairly and without bias. If the rights of the individual outweigh the interest of the Controller, you will not have a legal basis for processing here. When conducting a balancing test, there are three main parts to consider:
- The nature of the interests (both of the Controller and Data Subject):
- Would the individual have a reasonable expectation that the processing is taking place? For example - it would likely be reasonable for a user of an ecommerce website to expect transactions to be tracked.
- The type of data that is being processed. If it is a special category of data or data related to a child then this is held to a higher standard.
- Is the interest to the Controller something that adds value to the subject? Is it something that is unwarranted or could result in harm as a result of the processing?
- Impact of the processing:
- Any impact (positive or negative) of the processing to the Controller or the subject.
- The status of the individual - is it a customer, general site user, child, etc.
- Is there any processing that involves profiling or data mining? What is the scale of the processing?
- Basically, consider the effects of the proposed processing on both the Controller as well as the data subject and what impact it has to both.
- Safeguards that are in place to protect the privacy rights of the individual:
- These are both technical as well as organizational.
- Technical safeguards are such things data minimization, de-identification, layers of encryption, anonymization, etc.
- Organizational safeguards are such things as privacy by design, extra transparency, restricted access, etc.
Some questions to ask when doing a balancing test:
Would the user reasonably expect the processing to be taking place?
Are you happy to explain to the user exactly what the processing is and the effect on them?
What value is added to the user as a result of the processing?
Are the individuals rights likely to be negatively impacted?
Would there be a negative impact to the Controller if the processing does not happen?
Is the processing in the interest of the individual whose data is being processed?
What is the connection or relationship between the organization and the data subject?
What data is being processed?
Does the processing undermine the rights of the individual?
Has the personal data been obtained directly or indirectly?
Could the processing be considered intrusive to the individual?
Are you sufficiently clear in the notice given to the individual about the processing that is occurring?
Can the user easily object to the processing?
Are any safeguards in place to minimize the risk of privacy impact to the individual?
After considering the above, it is time to make a determination on if the proposed processing is, in fact, legitimate. Once this determination is made, make sure to maintain the documentation and information used to make the decision. Again, the responsibility is on the Controller to sufficiently defend any position taken in regard to the processing of Personal Data of a user on the site.
Once you have determined that you have a legal basis for collecting and processing the data (again for each platform used on the site) it is then time to review and ensure the proper safeguards are in place and each platform is sufficiently GDPR compliant.
Processor Compliance and Data Sharing Agreement
This an evaluation of the technical and administrative data security measures offered by each platform. These types of evaluations should already be carried out as part of the procurement process when evaluating any new type of digital platform being used on the site.
Are You Using a Processor?
GDPR makes it a requirement that whenever a controller uses a processor (any of the third parties being used for digital marketing and advertising on the site) they must have a written contract relating to processing in place. Similarly, if a processor is using another processor, it also needs to have a written contract in place.
The evaluation here would be done by the company’s security and legal teams. These will vary based upon the industry and nature of the data being collected and processed and should also include considerations of any industry-specific regulations that are also in place.
At a minimum, these contracts must set out the subject matter and duration of processing, the nature and purpose of the processing, the type of personal data, and the obligations and rights of the controller.
This, again, should be led by the legal resources at your organization to ensure all of the requirements are met. The key for documentation is to make sure these contracts are in place and organized to ensure a defensible position for GDPR.
Privacy Notice and Management
Once you have gone through all of the platforms on the site to identify Personal Data being collected, established a Legal Basis for Processing, and ensured each platform has been properly vetted and signed off by Legal and Security, it is now the organization’s responsibility to properly notify users of the data processing taking place and ensuring their rights under GDPR are properly adhered to.
For this notification, a solid Privacy Notice detailing each platform used, the data collected, the processing activity, and the result to the user is required.
Under GDPR, it is required that the Privacy Notice must be concise, transparent, intelligible, and easily accessible. It must be written in clear and plain language. It must also be available free of charge.
For information collected on your website, according to the Information Commissioner’s Office of the UK, the Privacy Notice should contain the following at minimum:
Use This Checklist!
Check off the boxes as you evaluate your current Privacy Notice. When you’re done, you’ll have a good idea of where to make improvements and/or additions!
All of this information should be provided at the time the data is obtained.
Bringing It All Together
To summarize, when conducting an audit of the website in the context of GDPR it is important to go through the following steps:
1) Tag Audit
Tag Audit to understand the platforms on the site that are collecting data about users
2) Establish Ownership
Assign ownership and responsibility within the organization for each platform
3) For Each Technology Used
- Is there Personal Data being collected?
- If yes:
- What is the Legal Basis for Processing
- If Consent
- Is the consent given by users specific, explicit, and unambiguous?
- Do you have a record of consent?
- If Legitimate Interest
- What is the Legitimate Interest for processing?
- Is the processing necessary for the stated interest?
- Does it pass the Balance Test to ensure the interest outweighs the risks to the user’s privacy?
- Is all of this documented and available?
- Are the proper legal and security reviews completed? Are the required contracts and documentation in place?
- Is the Processing reflected in the Privacy Notice?
- Is the notice in clear, intelligible, and plain language?
Answer the above positively and you can sleep easy come May 25, 2018!