How’s Your GDPR “Game”?
May 5, 2017 – Mark Rudolph
We've observed that businesses will have to adjust their “game” tremendously, in order to be fully prepared for GDPR regulatory enforcement in May 2018.
My kids love basketball, and when they first started playing, coaching them on how to defend meant teaching them to “protect the paint.” When children are younger, and smaller, protecting the paint is the focus; it means keeping the opposition as far away from the vicinity of the basket as possible. The reason is obvious – the closer one is to the basket, the easier it is to score.
Occasionally my children’s teams ran into competing players who did their best to imitate NBA stars like Steph Curry, attempting shots from beyond the “arc,” just past the three-point line. As the players were young, and height was not yet on their side, those were very unlikely shots to make, so it made little sense to block or defend against them. Most coaches could be heard repeating to their young players that the opposition couldn’t hurt them from there: “just don’t let them drive to the basket.”
However, as players get older, stronger and taller, the playing field changes. Opponents become a threat at the arc. As a result, players are taught the defensive strategy of “closing out” on the shooter. Closing out means leveraging your body, and an outstretched hand, to block a competing player’s attempt to shoot, even if they aren’t in the paint. By now I’m sure you’re asking yourself:
What does basketball strategy have to do with GDPR?
What we at Evidon have observed over the last few months (and years, really) is that businesses will have to adjust their “game” tremendously, in order to be fully prepared for GDPR regulatory enforcement in May 2018. Currently, organizations place a tremendous amount of attention internally on the who/what/when of their data collection practices; they are scrambling to document the systems and processes that could expose them to GDPR-related risks. This entails recording what, where, and how customer and employee data is collected, as well as where it resides. This is a critical first step for an organization to prepare itself for GDPR compliance. In other words, businesses are presently working to “protect the paint.”
However, if organizations limit their preparations by only looking internally, and not more broadly, they could be opening themselves up to data collection occurring “beyond the arc.” For businesses, these outside-of-the-arc long shots are introduced through complex digital supply chains, or cloud technology partners that assist with developing and delivering online channels.
What makes digital supply chains complex?
When a brand chooses to work with a third-party partner to drive brand awareness, that partner is measured by its ability to accomplish the end goal (often, increased traffic to the brand’s site). When third-party companies think about the most efficient way to accomplish this goal, they turn to partnerships in an effort to dramatically increase their reach and improve return on investment for the brand. Armed with a network of partners, the brand is able to simply tell them: “if you see this user on a website, show them an ad, and I’ll pay you for it.” The onus to find a specific user, or set of users, to show an ad to no longer rests on a single partner; instead, a whole network of partners is looking for that user in order to serve the ad.
This network of partners accesses a site’s audience indirectly, which means they aren’t easily visible, and often aren’t top of mind for most organizations performing digital audits. That being said, these indirect partners still have access to the organization’s user data, and therefore organizations need to be aware of them. In other words, organizations need to do more than just “protect the paint,” and instead, “close out,” by maintaining visibility into ALL of the cloud vendors being used, whether they’re placed on the website directly or indirectly.
“Closing out” is not an easy task.
Evidon works with many of the globe’s largest companies to help them identify where they are exposed to compliance, operational, and user experience risks related to direct and indirect technologies. Evidon is not saying that the use of vendors is bad; they can provide tremendous value. Rather, the large majority of companies leverage so many cloud technologies that they don’t have a strong handle on who can access their audience, and where.
In our experience, 20+% of the cloud technologies deployed by organizations are no longer providing value to the organization (their data isn’t being utilized), or they have no clear “owner,” meaning zero value and 100% risk. This is largely due to poor visibility into the website’s digital supply chain.
How do value-less technologies continue to wreak havoc on organizations?
Evidon has observed three clear reasons:
1. Organizations don’t have a clear vendor selection process.
2. Lack of digital governance processes and policies.
Although we’ve seen an increase in the number of businesses building out true digital governance processes, they are still the exception to the rule. Organizations without proper policies in place to govern data collection and implement vendor standards tend to see much higher rates of abandoned technologies, wasted time spent on issue remediation, and a greater likelihood of legal action related to inadequate online disclosures.
In addition to this, the use of tag management systems has grown exponentially. Tag managers bring tremendous value through performance benefits and ease of implementation, but that ease of implementation has also increased the risk to websites: because deploying a new tag no longer demands engineering resources, scrutiny of each new technology has taken a back seat. Without a proper digital governance process in place, every new technology you add is incremental risk to your business, and that risk can only be mitigated with a proper digital governance process.
3. Redirects, also known as “piggy-backing” or “daisy-chains”.
Redirects occur when directly deployed partners make subsequent calls to their own network of partners, which thereby gain indirect access to the page, as discussed earlier in the section “What makes digital supply chains complex?”.
To illustrate the complexity I’ve referenced, here are several real-world examples produced with Evidon’s Trackermap platform, which visualizes all of the tracking technologies on a given website (or page) and the relationships between them.
First, let’s look at a consumer-facing, highly-trafficked website. This is typical of a publisher, media, travel or retail site, where millions of users visit daily to shop, search, browse, review content, etc. This is a standard client of Evidon’s, seeking to develop a proper digital governance process to protect themselves from the risks of a complex digital supply chain:
Using Evidon’s Trackermap® to illustrate complexity.
Chaotic, isn’t it? It’s easy to see the complexity of their digital supply chain, and to identify some of the compliance-related risks that I’ve referred to. While some technologies are directly placed (connected to the purple node), many others aren’t (those not directly connected to the purple node). This isn’t “bad,” but it’s important to be aware of. It becomes dangerous when the website owner is not aware of the technology, particularly technologies indirectly accessing the page, and/or there isn’t a digital governance process in place to vet, evaluate, and monitor vendors.
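The direct/indirect distinction above, and the redirect (“piggy-backing”) chains described earlier, can be reconstructed from a page’s own request log. The following is an added example, not Evidon’s Trackermap code; the site name, the `.invalid` vendor hostnames, the request log and the vendor inventory are all constructed. Each request is recorded with the URL that initiated it (the kind of initiator data a browser’s HAR export carries), and every third-party host is traced back to the vendor that was placed directly on the page.

```python
"""Map a page's third-party calls into directly placed and piggy-backed
(indirect) vendors, and flag any vendor missing from the site's inventory."""
from urllib.parse import urlparse

SITE = "example-brand.com"  # the site being audited (constructed)

# Constructed request log: (requested URL, initiator URL or None for the page itself).
REQUESTS = [
    ("https://www.example-brand.com/", None),
    ("https://www.example-brand.com/static/logo.png", "https://www.example-brand.com/"),
    ("https://tags.tagmanager.invalid/loader.js", "https://www.example-brand.com/"),
    ("https://cdn.consent.invalid/cmp.js", "https://www.example-brand.com/"),
    ("https://cdn.audience.invalid/dil.js", "https://tags.tagmanager.invalid/loader.js"),
    ("https://pixel.adexchange.invalid/sync", "https://cdn.audience.invalid/dil.js"),
]

# Vendors the site owner has reviewed and assigned an owner to (constructed).
INVENTORY = {"tags.tagmanager.invalid", "cdn.consent.invalid", "cdn.audience.invalid"}

def host(url):
    return urlparse(url).hostname

def is_first_party(h):
    return h == SITE or h.endswith("." + SITE)

def vendor_chains(requests):
    """Return {third-party host: [hop1, ..., host]}; hop1 is the vendor placed
    directly on the page, and a chain longer than one hop is a piggy-back."""
    parent = {}
    for url, initiator in requests:
        h = host(url)
        if initiator is None or is_first_party(h):
            continue  # the page's own resources are not vendors
        parent.setdefault(h, host(initiator))  # keep the first initiator seen
    chains = {}
    for h in parent:
        chain, cur = [h], h
        # Walk initiators back until we reach the site itself; the 'not in chain'
        # guard stops on cycles (vendors calling each other).
        while cur in parent and not is_first_party(parent[cur]) and parent[cur] not in chain:
            cur = parent[cur]
            chain.append(cur)
        chains[h] = chain[::-1]
    return chains

def audit(requests, inventory):
    chains = vendor_chains(requests)
    return {
        "direct": sorted(h for h, c in chains.items() if len(c) == 1),
        "indirect": sorted(h for h, c in chains.items() if len(c) > 1),
        "unreviewed": sorted(h for h in chains if h not in inventory),
    }
```

In the constructed log the ad exchange pixel is reached only through the tag manager and the audience tool, and is the one vendor absent from the inventory: exactly the kind of technology a site owner may not know is accessing the page.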
The risk from a GDPR perspective is that the vast majority of these technologies have the ability to collect various types of user data (IP Address, Location, Device ID, Username, Passwords, Financial Data, Search History, etc.); this is the point organizations need to understand when preparing for the GDPR: without this kind of visibility, they are risking non-compliance.
An additional exposure point that I don’t believe businesses think about when it comes to GDPR concerns who GDPR is designed to protect… Customers? Employees? Both are correct answers, but not complete; GDPR exists to protect everyone, including site visitors, potential customers, job candidates, general browsers, press, and the list goes on.
To dig into this point further, here’s a look at Trackermaps from industries that aren’t heavily focused on the online space, and tend to deploy fewer technologies overall.
My hypothesis would be that these organizations tend to be the most conservative when leveraging tag-based technologies, and are probably, at the moment, completely focused on defending the “paint,” without thinking about anything further out. These examples include the homepages of: a $30B Canadian financial institution, a $25B British Aerospace/Defense Company, an $80B German Industrial Electronics Company, a $40B US Based Chemical Company and a $70B French Energy Company.
Each of these examples shows potential risk areas that the organizations may not be aware of. For example, does the German Industrial Electronics Company realize that Adobe Audience Manager (a technology they deployed) is making a call to Yahoo Ad Exchange (a technology that was not directly deployed)? If not, this would be a potential risk from a GDPR perspective, as well as from a data leakage and user experience perspective.
In addition to identifying what technologies are on your site, Evidon captures intelligence about these vendors, and through our regex database, we classify the type of data collected by each. For example, we know Yahoo Ad Exchange has the ability to collect: IP Address, Search History, Location Based Data, Device ID, Name, Phone, Email, Login information and Financial Information, and can share it with other parties. While one can argue that a vendor’s ability to collect this data doesn’t mean it is actually doing so, I have to question whether the site owner knows enough to “close out” and up their GDPR game.
Want to learn how you can “close out” and be GDPR game ready? Scan your own page and see your own Trackermap at https://www.evidon.com/