Corporate Compliance Insights

Advantageous Compliance Strategies in the Digital Economy

by Chris Olson
October 27, 2017
in Compliance, Featured

Wait and See is Never a Good Approach

Ignorance is never bliss. This article examines why companies deliberately postpone GDPR compliance initiatives for their digital assets, and how they can instead take a no-nonsense approach to achieving compliance for their websites and mobile apps.

Everyone knows the three wise monkeys that embody the proverbial principle of see no evil, hear no evil and speak no evil. Imagine a world where executives adopted this principle and turned a blind eye, deaf ear and silent tongue to significant data compliance and security issues: unfathomable. Yet this exact scenario is playing out with the data tracking activity executing on enterprise websites and mobile apps. The risks of such an approach are many and grave, especially with the EU General Data Protection Regulation (GDPR) becoming enforceable on May 25, 2018, a little under seven months from now.

This is the digital age. Executives and privacy officers are finally beginning to realize that the enterprise is a digital business, yet are woefully unprepared for how GDPR will affect the operation and management of their websites and mobile apps.

Ignorance: Who is at Fault?

Various surveys highlight a general state of enterprise un-readiness for GDPR: 37 percent don’t know if it applies (Watchguard, September 2017), 42 percent of organizations are not fully aware of the regulation’s impact (SAS, September 2017) and only 39 percent believe they have the right security policies and procedures in place (Experian and Ponemon, June 2017). Yet, 54 percent claim GDPR readiness as the highest priority on their data-privacy and security agenda (PwC, 2017).

Clearly, there is some basic confusion, and it turns into outright contradiction when executives realize that GDPR's definition of personal data expressly includes online identifiers such as cookie IDs, IP addresses and device identifiers (Recital 30), which means online behavior data is in scope. What does GDPR mean for enterprise websites and mobile apps? A lot.

Sticking Your Digital Head in the (GDPR) Quicksand

GDPR’s extraterritoriality is hard to grasp. Executives outside the EU do not fully comprehend GDPR, let alone think about how their digital assets can land them in hot water. True, there is a general compliance malaise, primarily due to lack of clarity and guidance around enforcement, but from talking to media publisher and enterprise clients, there are several other reasons why companies are treading lightly on compliance initiatives for their digital assets:

  • General confusion: For a U.S.-based business with national customers and marketing efforts, it is difficult to accept that an EU website visitor's personal data, including the identifiers set by tracking code, can only be processed on a lawful basis such as consent. While GDPR may not be a significant issue for a small business with no EU customers or visitors, its territorial scope (Article 3) reaches any organization that offers goods or services to people in the EU or monitors their online behavior, regardless of where the company or its servers are located.
  • Digital ignorance: The internet is a dynamic environment that relies on a host of third parties to render final, consumer-facing content via websites and mobile apps. The problem is that these third parties operate outside the purview of enterprise IT and security infrastructure and are therefore not part of any security or risk governance framework.
  • Misaligned responsibility and/or budgets: The groups that create policies and assess risk are not responsible for operationalizing the controls. For the most part, privacy and risk officers dictate the policy, marketing and sales generate the consumer data, and it is up to IT teams to automate, document and/or demonstrate compliance. There is little collaboration among these disparate groups to mitigate the risk exposure created by the digital environment.
  • Mistaken belief that existing data and security policies are sufficient: Over the past few years, extensive strides have been made to secure and protect general company data (e.g., customer, partner, product/IP, employee) and the systems that use it. However, little effort has been made to truly understand the data that is regularly collected, processed, stored or transferred within the website and mobile app environment.

Risk Management: Getting Back to Digital Basics

It’s obvious that U.S. enterprises are still coming to grips with the new regulation and haven’t made much progress in applying it to the opaque and dynamic nature of their digital assets. In fact, it’s reported that 70 percent of brand owners don’t feel marketers are fully aware of GDPR (World Federation of Advertisers, Sept 2017). This is a big problem when trying to address and control the risks present in the everyday website and mobile app operations.

Somewhere along the way, enterprises seem to have forgotten just how complex the internet has become. To fuel the increasingly rich and personalized user experience, today’s websites and mobile apps rely upon externally sourced solutions such as data management, content delivery, video hosting, social media widgets, marketing analytics and so much more. Surprisingly, these third-party vendors are not typically included in the vendor risk management and/or data compliance processes.

Consumer Data is the Price You Pay

This robust and user-friendly third-party functionality comes at a cost: loss of control. Unbeknownst to many IT departments, third-party code is not hosted on enterprise infrastructure at all; it is fetched and executed in the visitor's browser or app at page-load time, in response to requests the enterprise's own pages trigger. Because IT never sees it run, it cannot readily identify which parties are present or what they do, and this is compounded by the fact that third parties frequently collect consumer data while rendering digital content. Considering the predominance of third-party code executing on the average website, enterprise digital assets are significant points of GDPR risk.

Reliance on these complex and uncontrolled third-party services opens the door to unauthorized data collection and leakage. When was the last time a compliance officer checked digital assets for cookie drops, pixel fires, beacons, web storage writes or device identification collection? Each of these is a data collection event performed in the visitor's browser, they happen more often than you think, and consumer online behavior data is more valuable than you realize.

Path to Digital Compliance

Regulations are difficult to enforce in the digital economy due to the ever-changing nature of web-delivered information and commerce. But it’s not impossible.

  1. Know your (digital ecosystem) partners: A tenet of any compliance program, knowing who executes in your digital environment (your digital vendors) is critical to everyday risk management.
  2. Analyze vendor activity: The highly dynamic digital environment requires documenting what each authorized vendor actually does (which scripts load, which cookies are set, which data leaves the page).
  3. Compare activity to policy: A digital asset policy outlining acceptable vendor behavior with respect to regulation and industry best practices can be used to evaluate vendor compliance.
  4. Resolve noncompliant activity: Communicate policy violations to upstream vendors and demand compliance; doing so also generates an audit trail.

These tactical steps aren't difficult to take. Remember, authorities have indicated that they will look favorably upon those that demonstrate an understanding of GDPR and make good-faith attempts to comply. What's for certain: a "see no GDPR, hear no GDPR, speak no GDPR" approach will not be a viable defense when faced with a penalty that can reach €20 million or 4 percent of global annual turnover, whichever is higher.
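The four steps above, and the third-party collection mechanisms described earlier (cookie drops, pixels, beacons, web storage), reduce to a small piece of detection logic: record what executes in the visitor's browser, attribute each event to a vendor, and compare it with a policy. The following is an added example written for this page; it is not code from the article or from The Media Trust. The first-party host, the approved-vendor policy and the event log are constructed assumptions, and the two-label registrable-domain shortcut stands in for a Public Suffix List lookup.

```javascript
// Added example: inventory third-party activity observed on a page and check it
// against a digital-asset policy. Not the article's or The Media Trust's code;
// the first-party host, approved vendors and event log are constructed assumptions.

// Approximate the registrable domain with the last two labels. Production code
// should use the Public Suffix List (e.g. the `psl` npm package) so that hosts
// under suffixes like co.uk are not lumped together; the sample data avoids them.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split('.').filter(Boolean);
  return labels.slice(-2).join('.');
}

// Third party = any registrable domain other than the site's own.
function isThirdParty(url, firstPartyHost) {
  return registrableDomain(new URL(url).hostname) !== registrableDomain(firstPartyHost);
}

// Digital-asset policy (assumption): which vendors may run, and which collection
// mechanisms each is authorized to use. 'kind' values mirror the collector below.
const POLICY = {
  firstParty: 'www.example-shop.com',
  approvedVendors: {
    'cdn-vendor.example': ['script', 'img'],                    // content delivery only: no cookies, no storage
    'analytics-vendor.example': ['script', 'beacon', 'cookie'], // consented analytics
  },
};

// Step 3: compare one observed event against the policy.
function classify(event, policy = POLICY) {
  if (!isThirdParty(event.url, policy.firstParty)) {
    return { ...event, party: 'first', verdict: 'ok' };
  }
  const vendor = registrableDomain(new URL(event.url).hostname);
  const allowedKinds = policy.approvedVendors[vendor];
  let verdict = 'ok';
  if (!allowedKinds) {
    verdict = 'unknown-vendor';            // step 1 failure: nobody knows this party
  } else if (!allowedKinds.includes(event.kind)) {
    verdict = 'unauthorized-activity';     // known vendor, behavior the policy does not permit
  }
  return { ...event, party: 'third', vendor, verdict };
}

// Steps 1, 2 and 4: per-vendor inventory of observed activity, plus the list of
// violations to raise with the upstream vendor (this list is the audit trail).
function audit(events, policy = POLICY) {
  const findings = events.map(e => classify(e, policy));
  const inventory = {};
  for (const f of findings) {
    if (f.party !== 'third') continue;
    inventory[f.vendor] = inventory[f.vendor] || new Set();
    inventory[f.vendor].add(f.kind);
  }
  return {
    inventory: Object.fromEntries(
      Object.entries(inventory).map(([vendor, kinds]) => [vendor, [...kinds].sort()])),
    violations: findings.filter(f => f.verdict !== 'ok'),
  };
}

// Constructed event log standing in for what a browser-side collector would
// record on one page load: script loads, a pixel, a beacon, a cookie drop and a
// web-storage write that looks like device identification.
const SAMPLE_EVENTS = [
  { kind: 'script',  url: 'https://www.example-shop.com/app.js' },
  { kind: 'script',  url: 'https://static.cdn-vendor.example/lib.js' },
  { kind: 'script',  url: 'https://tag.analytics-vendor.example/a.js' },
  { kind: 'beacon',  url: 'https://collect.analytics-vendor.example/b?uid=abc123' },
  { kind: 'cookie',  url: 'https://static.cdn-vendor.example/lib.js', detail: 'cid=7f3a; Max-Age=31536000' },
  { kind: 'img',     url: 'https://px.unknown-adtech.example/pixel.gif?e=pageview' },
  { kind: 'storage', url: 'https://fp.unknown-adtech.example/fp.js', detail: 'localStorage.device_id' },
];

// Browser-side collector for resource loads via the Resource Timing API
// (initiatorType is 'script', 'img', 'beacon', ...). Cookie and web-storage
// writes are not visible here; they need hooks on document.cookie and Storage.
// Returns [] outside a browser so the module also runs under Node.
function collectResourceLoads() {
  if (typeof window === 'undefined' || typeof performance === 'undefined') return [];
  return performance.getEntriesByType('resource').map(r => ({ kind: r.initiatorType, url: r.name }));
}

console.log(JSON.stringify(audit(SAMPLE_EVENTS), null, 2));
```

Run under Node, the report lists three vendors and three violations: a cookie set by the CDN vendor, which the policy restricts to scripts and images, and two events from a domain that is not in the approved list at all. In a browser, `audit(collectResourceLoads())` gives the resource-load half of the picture; cookie and storage events require wrapping `document.cookie` and `Storage.prototype.setItem`, which is deliberately left out here.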


Tags: GDPR
Chris Olson

Chris Olson is CEO and Co-founder of The Media Trust, the global leader in continuously monitoring and protecting the online and mobile ecosystem. The Media Trust works with the world’s largest, most-heavily trafficked digital properties to provide real-time security, first-party data protection, performance management and quality assurance solutions that help protect, monetize and optimize the user experience across desktop, smartphone, tablet and gaming devices.
