General Data Protection Regulation (GDPR)… · Data governance is the foundation for GDPR...
Post on 22-Jul-2020
White Paper: Solutions & tools benchmark to structure your GDPR approach
January 2019
General Data Protection Regulation (GDPR)
Disclaimer
This white paper focuses on several aspects of the GDPR, as Colombus Consulting interprets it, as of the date of publication. Colombus Consulting has worked with clients from different industries on several GDPR missions and would like to share in this white paper its return on experience and best practices, as well as a benchmark of GDPR solutions that can be used to help companies structure their GDPR approach.
This white paper is provided for informational purposes only and should not be relied upon as legal advice or to determine how GDPR might apply to you and your organization.
Content
1. Few months into GDPR, what is the return on experience?
   a. The role of the Data Privacy Officer
   b. Remediation and compliance on Data Privacy
   c. Impacts on Digital Marketing Mix
2. How GDPR solutions could help Companies’ GDPR compliance?
   a. What are the benefits of a GDPR solution?
   b. How is the GDPR solutions market segmented?
   c. GDPR solutions mapping
   d. « Governance » features
   e. « Compliance & Risk Assessment » features
   f. « User Data Privacy » features
   g. « Digital Consent » features
3. GDPR means Change Management
4. Conclusion & Priorities
1. Few months into GDPR, what is the return on experience?

Most companies which operate businesses within the European Union have initiated major transformation projects in order to be GDPR compliant. And while a few were fully compliant in May 2018, many are extensively engaged and racing to reach full compliance in early 2019.

RISKS
Risks are more likely to come from data subjects’ complaints. For example, some complaints have already been filed, such as Max Schrems’ NOYB complaint against Google, Facebook, Instagram & WhatsApp and their “forced bundled consents”.
Source: https://noyb.eu

PRAGMATIC APPROACH
Regulators have a pragmatic approach and acknowledge that full compliance is difficult to reach. As a result, not fully compliant companies “can expect to be treated leniently initially provided that they have acted in good faith”. However, authorities will keep on auditing and enforcing previously well-established fundamental principles, such as Data Privacy and Security requirements.

ACTIONS
Companies engaging in GDPR compliance follow a 3-phase path:

Governance
• Appoint a Data Protection Officer (DPO)
• Set up organization and roles to define accountability and ensure proper data privacy process execution (contracts, IT solutions, data management…)

Remediation
• Identify the non-compliant areas and quick wins to fix flaws
• Clean up the databases: delete non-relevant contacts, regularize active contacts (notification, consent…)

Long-term compliance processes
• Define processes to ensure compliance surveillance and enforcement
• Identify and deploy necessary tools to support recurring processes
a. The role of the Data Privacy Officer
GDPR requires organizations to appoint a DPO (Data Protection Officer) in charge of ensuring the regulation’s enforcement within the company. This induces the establishment of a dedicated governance.
Role of the DPO (Data Protection Officer)
The Data Protection Officer holds a position in total independence within the organization chart.
• Steering: Lead the whole organization through the regulation application
• Training: Train the staff in Data Processing best practices
• Control: Build audits to ensure compliance and prevent gaps
• Coordination: Ensure smooth links between the Organization and the authorities (GDPR, CNIL)
• Performance: Measure performance and propose insights on the impacts of the “Data Protection” initiatives
• Traceability: Ensure total traceability of all activities related to data processing and usage
• Information: Inform the individuals about the purpose of the use of their data, their rights and the organization’s initiatives to protect them

There are 3 frequently observed scenarios depending on the GDPR focus: DPO within the Marketing department, DPO within the IT department and DPO within the Legal department. The DPO role and organization remain the same.

Marketing DPO
▪ Industries: FMCG, Telco, Media… (customer-centric organizations)
▪ Priorities: UX, Marketing consent, Marketing performance

IT DPO
▪ Industries: Banking, Insurance… (security-centric organizations)
▪ Priorities: Data flows, IT Implementation, Solutions

Legal DPO
▪ Industries: Tourism, Retail, Energy & Utilities… (regulation-centric organizations)
▪ Priorities: Contracts & agreements, Control & enforcement, Compliance processes
b. Remediation and compliance on Data Privacy
Building an executable remediation plan is required to move towards GDPR compliance. The most urgent actions generally target topics that are highly visible and have direct impacts on Customers.

NOTIFICATION
Whenever a data subject’s personal information is collected and stored, the data subject must be informed of the nature and purpose of the data collection.
How?
▪ Launch Email Notice campaign to regularize un-notified data subjects
▪ Update Cookie Notice language
▪ Update Notice messages and Privacy Policy statements on Website

CONSENT
Whenever a data subject’s personal information is collected and used for Marketing purposes, data subjects must previously provide a deliberate and active Consent, with no “pre-ticked Opt-In by default”.
How?
▪ Launch Opt-In campaign (Email, SMS, post-mail…) to data subjects in order to get GDPR compliant consent
▪ Deploy Cookie Consent banner on Website
▪ Update Opt-In forms on Website

DATABASE CLEAN-UP
Ensure that data subjects’ data is stored for legitimate reasons and aligned with a real compliant notification and consent (Opt-In/Opt-Out) status.
How?
▪ Delete “inactive” data subjects
▪ Delete unnecessary personal information from data subjects
▪ Ensure that the previously collected Opt-Ins are documented
▪ If not: regularize it… or set it to “Opt-Out”

The Database clean-up results in decreasing the volume of actionable customer data, while increasing the stock and value of qualified and genuinely interested contacts.
c. Impacts on Digital Marketing Mix
The data marketing world
The Third-Party data business is strongly impacted by GDPR.
After the Cambridge Analytica scandal, players like Facebook are reducing or stopping their third-party targeting data partnerships. Some dependent third-party data providers are particularly challenged to sustain their business. The third-party data market is globally decreasing as data Marketers are focusing on first- and second-party data, which are easier to control.
In order to remain in business, third-party data providers need to provide high-quality data, with compliant consent… at a higher cost.

The publishing world
With GDPR and Cookie Consent conditions being more restrictive, Publishers have been selling less Ad space and seeing dropping revenues. This turns out to provide a competitive advantage to the larger players (ex: GAFA), which have larger volumes.
Therefore:
• Quality of the targeted ads is increasing
• CPM is increasing
As things evolve, we will see to what extent a better Ads’ quality generates a higher ROI and therefore compensates for this CPM increase.
Some Media or Retail companies in the USA, which are not ready to compliantly secure website cookie consent for targeted advertising, have quickly implemented an extreme solution: detect IP / location and block the site from EU zone access, or redirect traffic to an EU-specific ad-free version of the site.
2. How GDPR solutions could help Companies’ GDPR compliance?
Most Companies have been deploying tremendous efforts for the past months or years in order to implement remediation and comply with GDPR requirements. However, compliance needs to be sustained and lasting in the long run. This implies that the privacy processes and organizations that have been put in place need to be audited, challenged and adjusted on a regular basis. Thus, deploying an efficient and secure GDPR compliance across the Organization requires designing it early on in a “Privacy by Design” approach and involving some degree of automation, industrialization and scalability.
As a result, many software vendors have developed and launched GDPR-dedicated solutions, in order to provide companies with sets of tools and features that would help in their GDPR compliance programs.
In the following part, we explore some of the major GDPR solutions on the market through the analysis of their functional positioning (category) as well as their main features.
Solutions benchmark
We studied 45 solutions and more than 40 features.
The features are assessed by a score that is meant to reflect their level of prevalence in the market. The assessment score rates the features as:
• Common: feature commonly provided by most solutions as a basic function
• Specific: feature provided by a few solutions, mostly as an advanced feature or option
• Niche: rare feature, provided by a very limited number of solutions
The market can be segmented into 5 main categories:
1. Governance
2. Compliance & Risk Assessment
3. User Data Privacy
4. Digital Consent
5. All in One
a. What are the benefits of a GDPR solution?
Benefits of a GDPR tool:
• GDPR awareness: Give employees a better understanding of their obligations while dealing with personal data
• Centralisation of processes: Reduce the number of files and centralise all processes in one place
• Security: Save all data and processing activities in a single secured environment
• Approved by regulators: Give evidence to support the company’s claims if the supervisory authority has any cause to investigate
• Operational efficiency: Master your data and increase your efficiency on a self-serve portal
• Scalability: Will match the Business changes and get the latest processing activities

As a general practice, it is recommended to assess whether the GDPR solution will fit in the existing technical and organizational ecosystem. It is important not to underestimate how this solution will be added into existing processes and workflows during the implementation phase as well as during the periodic update phases.
b. How is the GDPR solutions market segmented?
Governance
Solutions which aim to provide support to build and maintain a Data Inventory, including data flow mapping, data register (data processing inventory) and data update records. They also provide reporting features to monitor and demonstrate compliance.

Compliance & Risk Assessment
Solutions which provide features to audit compliance, analyze processed data and identify sensitive data and personal information. They also help assess the risks, coordinate remediation action plans and sustain compliance through collaborative workflows.

User Data Privacy
Solutions which provide a secure and friendly user experience in user authentication and ID management, assisting in the automated generation of notifications, privacy policies and access request forms, and ensuring the consolidation and accessibility of user profile and consent management preference settings.

Digital Consent
Solutions which provide digital consent management features on desktop and mobile web, such as notification banners and privacy policy generator, cookie consent collection interface and back-end, and a digital consent control panel as part of a global Consent Management Platform.

All-In-One
Solutions which provide a set of modules and features encompassing all the aforementioned categories (Governance, Compliance & Risk Assessment, User Data Privacy, Digital Consent), in order to offer a comprehensive suite of tools dedicated to helping companies in their GDPR compliance programs.

As each vendor may have its own background and specificity, the numerous GDPR solutions on the market focus on different scopes and different business areas, and therefore provide various types of features.
c. GDPR solutions mapping
[Figure: mapping of the benchmarked solutions across the five categories: Governance, Compliance & Risk Assessment, User Data Privacy, Digital Consent, All in one]
d. “Governance” features
Data Governance is the foundation for GDPR compliance: it helps businesses identify what data they have, where it is, and who is accountable for it. GDPR solutions in the « Governance » category allow to:
▪ Build a precise mapping of the data, the flows of the processing as well as the applications across the organization
▪ Generate Dashboards and compliance Reports for audit trails
▪ Build a formalized Data Inventory as well as the Data processing registers
▪ Track the Data lineage through the data flows
▪ Provide Collaboration features for ongoing updates of the Data inventory and Register

d. “Governance” features - scoring
Features (scored Common / Specific / Niche):
Data Inventory: Create & manage a Data Inventory, classify and describe the Data
Data Register: Assist in the development of the Data Register, provide a detailed history of the processing
Application mapping: Allow detection of the various applications which deal with Personal Information Data (collection, storage, process, transfer…)
Data flow visualization: Draw flow maps for visualization of the data flows across the organization
Data Quality: Track data changes, ensure data consistency and alignment (data model field cleaning, deduplication, synchronization…)
Search: Provide Search Engine capabilities to allow exploration and dig-in of data assets, according to various search criteria
Collaboration Workflow: Provide collaboration tools to coordinate tasks for data register, risk assessment, compliance control, user access right and request management
Data Discovery Automation: Automate the Data crawling and discovery in order to detect relevant GDPR personal or sensitive Data
Data Lineage: Ensure Data traceability, identify data flows across the Organization, track Data path, change and update history (processor, date, changes…)
e. “Compliance & Risk Assessment” features
Risk management has a primary objective of ensuring organizations comply with the legal and regulatory obligations needed to conduct business. GDPR solutions in the « Compliance & Risk Assessment » category allow to:
▪ Audit the compliance level across the organization
▪ Identify Personal Information among overall owned Data and assess associated risks
▪ Define action plans and follow the remediation evolution through collaborative and workflow features as well as Dashboards

e. “Compliance & Risk Assessment” features - scoring
Features (scored Common / Specific / Niche):
Compliance Audit: Identify weak points, process flaws and practices not compliant with regulations, and help define the path to remediation
PIA and DPIA management: Provide templates and tools to facilitate assessments (PIA and DPIA), risk identification and reports, and remediation plans
Reports for Compliance Proof (Audit Trails): Produce all required reports and documented evidence to demonstrate GDPR compliance efforts and accountabilities: data register, data flows…
Dashboard & Data Viz: Provide Dashboards and Data Viz features with data analysis and statistics
Collaboration Workflow: Provide collaboration tools to coordinate tasks for data register, risk assessment, compliance control, user access right and request management
Data Risk Analysis: Analyse company-owned Data to identify Personal Data; analyse Data models and processes to identify weaknesses and locate risks
Breach Management: Manage breach control, identify security flaws depending on Data sensitivity, manage user information in case of privacy violation and define action plans for remediation
Vendor Risk Management: Identify vendors, keep an up-to-date vendor inventory, help draw links and relationships between vendors and Personal Data sensitivity, analyse data transfers with third parties and assess vendors
Contract Management: Monitor vendors and associated contracts, help conduct vendor due diligence, provide guidance to build and consolidate GDPR compliant contracts
Action Planning: Based on compliance assessment, define the remediation path and provide project management tools to build action plans and track completion progress
f. “User Data Privacy” features
GDPR protects any and all personal user data across virtually every conceivable online platform. GDPR solutions in the « User Data Privacy » category allow to:
▪ Manage ID and authentication and consolidate User profiles across accounts and IDs
▪ Provide templates to inform users of their rights (notifications) and provide forms for customers to exercise their individual rights (requests for access, modification, erasure)
▪ Protect user data through encryption and anonymization features
▪ Consolidate User Consents (ex: Consent Management Platform) across numerous marketing campaign channels (Digital, Email…) and ensure compliant & secure transmission to third-party tools (Campaign Manager control panel)

f. “User Data Privacy” features - scoring
Features (scored Common / Specific / Niche):
ID Control Panel: The customer is able to control the data that will be shared with the website he is visiting
Data Encryption and Protection: The customer data is encrypted and protected after being received by the website
Form Generation: Ability to generate forms adapted to the brand and identity of the website
Access Request Management: The customer is able to request that the data he previously shared with a website be removed from its ledger, or to gain access to said data
Consent Management: Enable the website administrators to get, manage and document consents of their users for specific purposes, channels and technologies
Data Distribution: Capability of the solution to transmit the compliant data to third-party technologies (CMS, CRM, DMP, ETL…)
Authentication management: Manage the way customers access their account via various means (SSO, Multi-Factor Authentication, Passwordless…)
Anonymization of the data: Removal of all data that should not be relevant to the website in order to guarantee compliance with GDPR regulations
g. “Digital Consent” features
GDPR sets a high standard for Digital consent. GDPR solutions in the « Digital Consent » category allow to:
▪ Provide the Website Administrators ways to customize the information (texts, look & feel) through a configuration panel
▪ Provide precise legal information to data subjects, through generation of notifications (cookie banner texts), privacy policy, list of cookies involved in the site
▪ Provide the data subjects with a way to accept, decline or specifically choose which cookie to accept/decline through a consent preference panel
▪ Apply all the data subjects’ cookie preferences across all the website’s domains and subdomains, as well as other partner or affiliated sites

g. “Digital Consent” features - scoring
Features (scored Common / Specific / Niche):
Templates: Possibility to use different templates for notices, consent forms, preferences configurator
Multi-language support: Multiple language platform, automatic language detection (browser) and suitable language display
UI Configuration: UI configuration capabilities for the Website designer to customize banners and pop-ins’ Look & Feel, and better fit the Brand graphical charter
Preference Settings: Capability for the Website visitor to set up his/her own level of cookie privacy preferences and cookie usage, from necessary technical to marketing level
Cookie Consent Banner: A tool to facilitate banner generation (look & feel, notification language…) and display on the website at the visitor’s first visit, regardless of the opening page
Location-based personalization: Ability to dynamically adapt the content depending on data subjects’ location, in order to display the most suitable notices, depending on local regulations
Multi-domain management: Capability to manage cookies for several websites, to propagate and apply cookies and preference settings to multiple domain names
Easy Access to Preference settings: Provide the Website’s visitor with easy access to view and modify Preference Settings
Tracker detection & record: Automatic scan and detection of all trackers implemented in the website, ability to list them for the data subjects to set up cookie preferences
Reporting: Capability to provide advanced reporting features: monitoring, data viz, dashboard, extracts, audit trails
Tag Management System Integration: Integration through TMS systems
Configurable Consent trigger criteria: Configurable ways to consider data subjects’ action as a consent: explicit opt-in, soft opt-in (scroll opt-in, click-on-page opt-in…)
A/B Testing: Advanced feature to test designs, look & feel, notices and call-to-action texts in order to maximize Opt-In rates
Mobile App capabilities: Mobile App feature that helps mobile app users to set up their ad consent
3. GDPR means Change Management
GDPR is encouraging each organization to review its existing processes and adopt a new way of interacting with internal or external partners.
The change management strategy should include the following pillars:

Increase employee awareness
• Improve employee understanding of the role they play in protecting the Company’s data
• Ensure project owners review & cover the GDPR aspects right from the beginning (privacy by design)
• Conduct staff training and awareness at regular intervals

Break the silos
• Join forces to embed privacy in your culture, processes and systems
• Encourage Business Units to work towards an omnichannel strategy
• Define cross Business Units processes

Build a brand reputation
• Keep your customer at heart
• Strengthen reputation and relationships with Customers and external Partners
• Build a strong foundation around Cyber security

Optimise processes
• Review & optimise current practices of processing data
• Improve data quality, accuracy and policy enforcement
• Ensure seamless traceability of processes
4. Conclusion
The General Data Protection Regulation (GDPR) was the biggest story of 2018 in the field of global privacy and data protection. About seven months after the GDPR’s effective date, organizations are still working on compliance and will be for years to come.
Bearing in mind the wide scope of GDPR and the significant level of financial investment, it is necessary to think well on how each company wants to embrace the data protection project and clearly define priorities to implement and maintain a sustainable GDPR solution.
Some businesses have chosen to use a GDPR solution to help their business build, implement and demonstrate programs for GDPR compliance. The GDPR solutions landscape is already well developed; however, we notice that the big players of the software solution industry have not entered this space yet, leaving opportunities to smaller vendors, challengers and specialists to develop their own solutions.
The budget required to comply with Europe’s new data law could rapidly increase depending on the data protection perimeter that companies decide to undertake. Today, the average cost of GDPR compliance starts between 4M and 17M CHF depending on the sector, around 34M CHF for large international groups, and could end up above 100M CHF for those in the banking / insurance sector.*
*Source: Estimations IDC France
4. Priorities
PRIORITIES FOR ORGANIZATIONS:
Beyond initial actions of setting up a governance structure (ex: DPO nomination):
▪ Focus on topics that are highly visible and have direct impacts on customers (obtaining valid consents from individuals and responding to requests to exercise the rights of data access, modification and deletion)
▪ Deploy solutions that cover the main features (consent management, notifications, request forms…)
▪ Depending on the nature of the organization’s activity, evaluate the benefits in comparison with risks and costs, which allows to determine the level of automation and industrialization of processes that is truly necessary for each GDPR topic.
GDPR is effective since 25 May 2018.
Need guidelines to implement your GDPR & FADP* compliance?
Located in France and Switzerland, Colombus Consulting Shift proposes a unique offering, specialized in innovation, marketing and data, in order to support its clients in their transformation projects, from strategy to execution.
Shift.colombus-consulting.com

Team
Jean Meneveau, Partner - Switzerland, meneveau@colombus-consulting.com, +41 79 725 24 95
David Robin, Partner - France, robin@colombus-consulting.com, +33 6 80 50 37 92
Delphine Serres, Senior Consultant
Son Nguyen, Manager
Maxime Robert Colin, Consultant
Meryem Benaguida, Consultant

* FADP means Federal Act on Data Protection, which is the Swiss equivalent of GDPR

Contact us Today!