Wait and See is Never a Good Approach
Ignorance is never bliss: Examining why companies choose to deliberately postpone GDPR compliance initiatives and how they can instead adopt a no-nonsense approach to achieving GDPR compliance for their digital assets.
Everyone knows the three wise monkeys that embody the proverbial principle of see no evil, hear no evil and speak no evil. Imagine a world where executives adopted this principle and turned a blind eye, deaf ear and silent tongue to significant data compliance and security issues: Unfathomable. However, this exact scenario is playing out with regard to the data tracking activity executing on enterprise websites and mobile apps. The risks of such an approach are many and grave, especially with the impending EU General Data Protection Regulation (GDPR) coming into effect in a little more than six months.
This is the digital age. Executives and privacy officers are finally beginning to realize that the enterprise is a digital business, yet are woefully unprepared for how GDPR will affect the operation and management of their websites and mobile apps.
Ignorance: Who is at Fault?
Various surveys highlight a general state of enterprise un-readiness for GDPR: 37 percent don’t know if it applies (Watchguard, September 2017), 42 percent of organizations are not fully aware of the regulation’s impact (SAS, September 2017) and only 39 percent believe they have the right security policies and procedures in place (Experian and Ponemon, June 2017). Yet, 54 percent claim GDPR readiness as the highest priority on their data-privacy and security agenda (PwC, 2017).
Clearly, there is some basic confusion, which turns into full-blown schizophrenia when executives realize GDPR broadens the definition of data privacy to include online behavior data. What does GDPR mean for enterprise websites and mobile apps? A lot.
Sticking Your Digital Head in the (GDPR) Quicksand
GDPR’s extraterritoriality is hard to grasp. Executives outside the EU do not fully comprehend GDPR, let alone think about how their digital assets can land them in hot water. True, there is a general compliance malaise, primarily due to lack of clarity and guidance around enforcement, but from talking to media publisher and enterprise clients, there are several other reasons why companies are treading lightly on compliance initiatives for their digital assets:
- General confusion: For a U.S.-based business with national customers and marketing efforts, it’s difficult to understand that an EU website visitor’s data can’t be collected without permission. While GDPR may not be a significant issue for a small business with no EU interests, its reach takes on a new meaning for an organization with any EU business relationships (developers, contractors, vendors, etc.) regardless of their involvement in data collection, processing, storage or sharing.
- Digital ignorance: The internet is a dynamic environment that relies on a host of third parties to render final, consumer-facing content via websites and mobile apps. The problem is the functionality provided by third-parties that operate outside the purview of enterprise IT and security infrastructures and are therefore not part of any security or risk governance framework.
- Misaligned responsibility and/or budgets: The groups that create policies and assess the risk are not responsible for operationalizing it. For the most part, privacy and risk officers dictate the policy, marketing and sales generate the consumer data and it’s up to IT teams to automate, document and/or demonstrate compliance. There’s not much collaboration among these disparate groups to mitigate risk exposure via the digital environment.
- Mistaken belief that existing data and security policies are sufficient: Over the past few years, extensive strides have been made to secure and protect general company data (i.e., customer, partner, product/IP, employee) and the systems that use it. However, little effort has been made to truly understand the data that is regularly collected, processed, stored or transferred within the website/mobile app environment.
Risk Management: Getting Back to Digital Basics
It’s obvious that U.S. enterprises are still coming to grips with the new regulation and haven’t made much progress in applying it to the opaque and dynamic nature of their digital assets. In fact, it’s reported that 70 percent of brand owners don’t feel marketers are fully aware of GDPR (World Federation of Advertisers, September 2017). This is a big problem when trying to address and control the risks present in everyday website and mobile app operations.
Somewhere along the way, enterprises seem to have forgotten just how complex the internet has become. To fuel the increasingly rich and personalized user experience, today’s websites and mobile apps rely upon externally sourced solutions such as data management, content delivery, video hosting, social media widgets, marketing analytics and so much more. Surprisingly, these third-party vendors are not typically included in the vendor risk management and/or data compliance processes.
Consumer Data is the Price You Pay
This robust and user-friendly third-party functionality comes at a cost: loss of control. Unbeknownst to many IT departments, these third parties operate outside their purview; they are not part of the IT infrastructure and only appear in response to a browser request (i.e., website visitor or app user). This inability to identify their presence or actions is compounded by the fact that third parties frequently collect consumer data while rendering digital content. Considering the predominance of third-party code executing on the average website, enterprise digital assets are significant points of risk when it comes to GDPR.
Reliance on these complex and uncontrolled third-party services opens the door to unauthorized data collection and leakage. When was the last time a compliance officer checked digital assets for cookie drops, pixel fires, beacons, web storage or device identification collection? These happen more often than you think, and consumer online behavior data is more valuable than you realize.
Path to Digital Compliance
Regulations are difficult to enforce in the digital economy due to the ever-changing nature of web-delivered information and commerce. But it’s not impossible.
- Know Your (digital ecosystem) Partner: A tenet of any compliance program, knowing who executes in your digital environment (your digital vendors) is critical to everyday risk management processes.
- Analyze vendor activity: The highly dynamic digital environment requires documenting authorized vendor activity.
- Compare activity to policies: A digital asset policy outlining acceptable vendor behavior concerning regulation and industry best practices can be used to evaluate vendor compliance.
- Resolve noncompliant activity: Communicate policy violations to upstream vendors and demand compliance; doing so also generates a useful audit trail.
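The four steps above (inventory vendors, document their activity, compare it to policy, flag what must be resolved) can be exercised with a small audit script. This is an added example, not code from the article; the observed activity, the vendor allowlist and the consent rule are all constructed for illustration, and a real audit would feed in observations captured from page loads (for example a browser's network log) and the organization's own digital asset policy.

```python
"""Compare observed third-party activity on a site against a digital asset policy.

Added example (not from the article). OBSERVED is a constructed list of what
third parties did while a page rendered; POLICY and CONSENT_REQUIRED are a
hypothetical digital asset policy. Replace both with real captures and rules.
"""
from collections import defaultdict

# Constructed observations: vendor host, what it did, and whether it happened
# before the visitor gave consent.
OBSERVED = [
    {"vendor": "cdn.example-cdn.net", "action": "script", "pre_consent": True},
    {"vendor": "analytics.example-metrics.com", "action": "cookie", "pre_consent": True},
    {"vendor": "pixel.example-ads.io", "action": "pixel", "pre_consent": True},
    {"vendor": "social.example-widget.com", "action": "localstorage", "pre_consent": False},
    {"vendor": "unknown-tracker.example", "action": "beacon", "pre_consent": True},
]

# Hypothetical policy: authorized vendors and the actions each may perform.
POLICY = {
    "cdn.example-cdn.net": {"script"},
    "analytics.example-metrics.com": {"script", "cookie"},
    "social.example-widget.com": {"script", "localstorage"},
}

# Actions that store or transmit behavior data and so need consent first.
CONSENT_REQUIRED = {"cookie", "pixel", "beacon", "localstorage"}


def audit(observed, policy, consent_required):
    """Return findings per vendor: unknown vendor, unauthorized action,
    or a consent-gated action that fired before consent."""
    findings = defaultdict(list)
    for obs in observed:
        vendor, action = obs["vendor"], obs["action"]
        allowed = policy.get(vendor)
        if allowed is None:
            # Step 1 failure: a vendor nobody inventoried is executing on the page.
            findings[vendor].append(f"unknown vendor performed {action}")
            continue
        if action not in allowed:
            findings[vendor].append(f"unauthorized action: {action}")
        if action in consent_required and obs["pre_consent"]:
            findings[vendor].append(f"{action} fired before consent")
    return dict(findings)


if __name__ == "__main__":
    for vendor, issues in audit(OBSERVED, POLICY, CONSENT_REQUIRED).items():
        print(vendor, "->", "; ".join(issues))  # items to raise with the vendor
```

Vendors with no findings are the ones whose documented activity matches policy; every other entry is a violation to communicate upstream and record for the audit trail.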
These tactical steps aren’t difficult to take. Remember, authorities have indicated that they will look favorably upon those that demonstrate an understanding of GDPR and make attempts to comply. What’s for certain: a “see no GDPR, hear no GDPR, speak no GDPR” approach will not be a viable defense when faced with a multimillion-dollar penalty.