What to Expect from a Data Privacy Audit

Estimated Reading Time: 6 minutes

Given the ever-changing privacy landscape and the increase specifically in U.S. state privacy regulations, our Data Governance Audit has been a popular service offering lately. Did you say, “Service offering? I thought Tag Inspector was a SaaS product I buy as a license?” This is true for the most part—we also offer Data Privacy Audits leveraging Tag Inspector and our knowledgeable team of privacy experts. Let's review the deliverables, what you can expect, and how the service can help your organization navigate the complex privacy web that digital marketing has become.

Note: The scope of our Data Governance Audit is all tags loading on your website—so think of analytics and marketing tags/pixels. Our audits do not dive into CRMs or offline processes that may also need scrutiny as they pertain to data privacy regulations.

Who on my team should be involved?

This is a common question at the beginning stages of an audit and an important one to consider. We strongly recommend that legal, marketing, analytics, and IT security all be represented. Each of these team members has a stake in what's delivered, and each has a different role in analyzing the data: determining what's in use, how it's used, and whether it should be restricted or disclosed. With that in mind, let's review the deliverables:

Deliverable 1 – Tag Inspector Scans

At the beginning of each audit, we will scan all websites your organization operates using the Tag Inspector scanner. These scans will be performed in light of region and scope of regulation, i.e. U.S. sites will be scanned from California, and a website serving France will be scanned from a French or EU IP address. The site scans are the basis of the Data Governance Audit. Tag Inspector provides invaluable data on what tags loaded, how they loaded, what cookies are being set, and what specific data points are being collected from users in each specific region you operate.

Deliverable 2 – Tag Coverage and Inventory Report

Upon completion of the scans, it will be time to roll up your sleeves and get to work with us! The Tag Inspector team will supply you with a list of all tags loading across all websites in scope. The report will also include the context of how each platform loaded, i.e. from source code, tag management, piggybacking, etc. The primary goal of this first report is to assign “ownership” of each platform. This could be an internal stakeholder who works with the vendor, or an agency you are working with. In either case, at later stages of the audit, specific questions will be asked and we need to know who to go to for answers. More often than not, this phase surfaces platforms that are no longer in use and have no “owner”—the very first and easiest win: remove legacy tagging and practice data minimization!

Deliverable 3 – Data Collection & Risk Level Report

The data collection report lists the unique parameters collected by all tags across all sites. This is the nitty-gritty of your overall data collection and the part with the most holes to fill and understand. All of these data points need to be considered per regulatory requirements. Can any of them fall into the category of Personal Information in California, or “Sensitive Personal Information”? Are any of these data points shared with other vendors? Is the data collection disclosed? Are these tags collecting what you expect based on contractual obligations with the vendor? Should these tags only load based on user consent? This is where having defined tag “owners” earlier helps the process. Tag Inspector has a built-in algorithm that analyzes parameters that may be shared with other vendors; we will assign risk levels, but at the end of the day, only the tag vendor knows what each parameter is doing. Based on your use case, the tag owner will help answer the questions legal and compliance teams may have.

Deliverable 4 – Cookies Report

In this report, we will provide documentation on all cookies set across all websites, along with which tag platform set each cookie. Combined with the earlier scrutiny of each tag's data collection, this report will help you ascertain which platforms need control and categorization from a Consent Management Platform.

Optional Deliverable – Automated PII Report

It’s always important to know if any of the tag vendors you utilize collect PII—especially if it’s in plain text! This is a compliance and security risk, especially if the collection is not intended. Tag Inspector has a solution via our real-time tag. For this deliverable, you will deploy our tag across your website(s) and we will evaluate and flag (client-side) whether any tags are collecting plain-text instances of email addresses, Social Security numbers, postal addresses, phone numbers, IP addresses, or credit card numbers. This report will include the pages where we see the behavior, the tag name and full network request that carried the PII, its value (obfuscated), and other context such as the date and locale in which the PII was collected. It’s nearly impossible for web development teams to check every request on every page of your site for this behavior; however, Tag Inspector can surface this for you to remedy!
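To show the shape of that check, here is an added example (not Tag Inspector's code) that scans captured outgoing tag requests for plain-text PII and emits an obfuscated finding with page, tag, request, date and locale. It assumes a scanner has already recorded each beacon as a `{page, tag, url, body, locale}` object; the requests and tag names below are constructed, and postal addresses are left out because they need context a regex cannot supply.

```javascript
// Constructed sample: outgoing beacons as a client-side scanner might capture them.
const SAMPLE_REQUESTS = [
  { page: 'https://example.test/checkout', tag: 'Example Analytics (hypothetical)', locale: 'en-US',
    url: 'https://collect.example.test/e?uid=abc123&em=jane.doe@example.test', body: '' },
  { page: 'https://example.test/signup', tag: 'Example Pixel (hypothetical)', locale: 'en-US',
    url: 'https://px.example.test/p',
    body: 'event=lead&phone=415-555-0123&card=4111111111111111' },
  { page: 'https://example.test/', tag: 'Example Analytics (hypothetical)', locale: 'en-US',
    url: 'https://collect.example.test/e?uid=abc123&v=2', body: '' },
];

// Plain-text PII classes the report flags (addresses omitted: they need context, not a regex).
const PII_PATTERNS = {
  email: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g,
  ssn:   /\b\d{3}-\d{2}-\d{4}\b/g,
  phone: /\b\d{3}[-.]\d{3}[-.]\d{4}\b/g,
  ipv4:  /\b(?:\d{1,3}\.){3}\d{1,3}\b/g,
  card:  /\b\d{13,16}\b/g,
};

// Luhn check so a 16-digit order id is not reported as a card number.
function luhnValid(digits) {
  let sum = 0, dbl = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = Number(digits[i]);
    if (dbl) { d *= 2; if (d > 9) d -= 9; }
    sum += d; dbl = !dbl;
  }
  return sum % 10 === 0;
}

// Keep first and last character only: the report must prove the leak without repeating it.
function obfuscate(value) {
  if (value.length <= 2) return '**';
  return value[0] + '*'.repeat(value.length - 2) + value[value.length - 1];
}

// Scan URL and body of one request; return one finding per PII match.
function detectPlainTextPii(req, now = new Date(0)) {
  const findings = [];
  const haystack = decodeURIComponent(req.url) + '\n' + decodeURIComponent(req.body || '');
  for (const [kind, re] of Object.entries(PII_PATTERNS)) {
    for (const m of haystack.matchAll(re)) {
      if (kind === 'card' && !luhnValid(m[0])) continue;
      findings.push({ kind, page: req.page, tag: req.tag, request: req.url,
                      value: obfuscate(m[0]), seen: now.toISOString(), locale: req.locale });
    }
  }
  return findings;
}
```

Running `SAMPLE_REQUESTS.flatMap(r => detectPlainTextPii(r))` yields three findings (one email, one phone, one card) and none for the clean request.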

BONUS Deliverable!

Along the audit journey you will be working with a privacy expert from the Tag Inspector team who has years of experience working with the world’s largest organizations and understands the regional privacy regulations you need to consider. We will provide insight on any gaps we uncover as the audit unfolds and direction on the best practices we see across the industry.

Final Recommendation

Engaging in an audit of your tech stack is an important step in becoming compliant. The goal is to have comfort knowing that the information you collect is being used and disclosed in a privacy-safe manner. But this is just a moment in time. Your tech stack will change, mistakes can be made with triggers, and platforms can inject other platforms you may not be aware of. This is why we always recommend continual monitoring of your digital properties, so that you maintain the compliance you worked so hard to achieve and never need another audit. Tag Inspector has a purpose-built monitoring solution, the Governance Module, which can help you maintain compliance and enforce the organizational policies derived from the audit.

Originally Published On June 20, 2023