WHITE PAPER
Data Governance:
Embracing Security and Privacy
Executive summary
We live in a global world where most online brands have an international
footprint, but different regions you do business in require different
approaches to data protection and privacy. Even if your business is
headquartered and operating in the US, international data privacy laws
should be a major concern.
In July 2016, the EU-US Privacy Shield took effect, replacing Safe Harbor. The
General Data Protection Regulation (GDPR) will require all organizations
to abide by specific protocols. While the principles of accountability and
transparency have previously been implicit requirements of data protection
law, the GDPR’s new legal framework will be critical for both businesses
and consumers operating across borders in today’s digital economy to fully
understand.
How will you balance providing a seamless customer experience with the
increasing responsibilities in data privacy and security? Vigilance is key,
not just because of the legal ramifications of these new guidelines, but
the effect that leakage and security events have on the brand itself. As an
industry we owe it to end customers to be transparent and ethical with
data, ensuring that what is collected and known is used for the purposes of
better experiences for those end customers. By investing time to perform
the proper analysis and planning, you can be confident in implementing a
program that will minimize risk, build trust, and protect your brand.
The precursors to massive change in our space are clear. Now we, as an
industry, need to adapt before we are forced to. From the vendors you
choose to work with, to the policies and procedures in place, this whitepaper
discusses steps to take today for building an effective data governance
strategy. Learn to make sense of the current legal landscape, ensure
successful integration across your organization, and provide these
safeguards to your customers.
Table of Contents
Overview of current environment
Key implications
Value proposition
The Tealium solution
Summary
Data governance package
Data governance checklist
1. 	Overview of current environment
A significant legislative shift in data governance is taking place in Europe
and leading the way towards global change.
	 The rapidly growing number of digital marketing vendors, channels,
and customer touchpoints, along with a shifting global data privacy
environment, is creating a serious data governance problem in the
digital space. With Safe Harbor [1] being ruled invalid in October of 2015,
the EU-US Privacy Shield approved to take its place in July of 2016 and
more stringent regulations with GDPR, companies now face the risk of
severe penalties should they be found non-compliant with these new
regulations.
	 The EU-US Privacy Shield, which replaced Safe Harbor, is a framework
for transatlantic exchanges of personal data for business purposes
between the EU and the US. It is a more prescriptive set of guidelines that
is intended to provide a higher level of protection for EU citizens, and
includes General Data Protection Regulation (“GDPR”) for how penalties
are enforced. The GDPR will become law in May 2018.
	 There are a number of key factors that companies should understand
regarding these new guidelines on the horizon. First, the GDPR applies
if you are processing personal data in connection with the provision of
goods and services to EU citizens (even if the goods or services are free),
or if you are monitoring EU citizens’ behavior. Second, it is important
to note that the regulations apply regardless of where the data
controller (you) is located and are not limited to businesses just in the EU.
	 The penalties for non-compliance with Privacy Shield and the GDPR are
severe. For major infractions, such as simply not providing an explicit
opt-in for visitors, the penalty is EUR 20 million or four percent of annual
revenue, whichever is greater. Minor infractions can result in penalties of
up to EUR 10 million or two percent of annual revenue.
The EU ePrivacy directive, also known as the ‘cookie directive’, has
resurfaced as of late since updates are needed in order to ensure it aligns
well with the GDPR. Currently, the ePrivacy directive regulates how a
company’s digital properties collect an EU citizen’s data and requires
them to obtain consent to store or retrieve their personal data. While
updates to the directive have not been finalized, suggested revisions
could make this process even more complex and confusing for brands.
[1] This US-based legal framework built on seven principles for allowing data transfer from EU to US was abolished in 2015.
2.	Key implications
With GDPR, it is your organization that could face penalties for
non-compliance with regulations, even if it is your vendors who are at fault.
Although the GDPR has established clear responsibility and accountability
around the handling of personal data by controllers (you) and processors
(vendors), the burden for data protection still rests predominantly with
you.
	 As brand and data controllers, your organization will be held responsible
for ensuring direct, as well as third-party, vendor compliance with both
the EU-US Privacy Shield and GDPR.
	 What is happening in Europe is believed to be the canary in the coal mine
for the US and elsewhere, potentially impacting your business in the near
future wherever your customers are located.
	 And while Europe has been at the forefront of this regulatory shift around
protecting EU citizens’ data, changes are taking place in the US, as well, to
protect US citizens’ data.
	 A US telecommunications firm began using unique, undeletable
identifiers, or supercookies, called UIDH (unique identifier header) to
track mobile customers for ad-targeting purposes in 2012. It had
made limited disclosures in its privacy policy, but did not update its
privacy policy to include information on its use of supercookies until
March 2015.
	 Meanwhile, an online advertising company began to use the
supercookies – meaning the vendor could restore a cookie ID that a
user has cleared from his/her browser if it is associated with a UIDH.
	 The FCC said that the telecommunications company’s failure to
disclose accurate and adequate information to consumers about
the supercookies violated the transparency requirements from the
FCC’s 2010 net neutrality rules. It now has to implement a 3-year
compliance plan and obtain customers’ opt-in consent before sharing
UIDH with third parties.
3. 	Value proposition
Given our unique position in the data supply chain, having Tealium as a
trusted partner builds confidence in your business’ ability to appropriately
and legally manage data, while significantly reducing your reliance on your
digital marketing and analytics vendors to adhere to privacy standards. In
particular, Tealium can support your efforts in setting proper consent and
providing clear transparency around data collection and usage, both key
aspects of the ePrivacy directive.
	 Country-Specific Compliance
Some countries have very specific laws about what types of information
organizations can collect about their online visitors, and what sort of
privacy options must be enabled – this includes any tags collecting data,
all of which must be compliant with local in-country privacy regulations.
Tealium iQ Tag Management supports geography-based privacy
compliance, allowing organizations to apply standards by country and
giving precise control over the data collection practices of each vendor.
Tealium’s flexibility in this offering is especially important with regard to the
ePrivacy directive as each country can take on the aspects selectively.
	 Client-Side Decision-Making Capabilities
Our unique depth and breadth of experience across clients facilitates our
understanding of how to ensure explicit opt-in compliance on the front
end for visitors.
	 Geographical Data Restrictions
Our automated regionalized data collection and storage for server-to-
server data governance serves as a key competitive edge over our peers.
	 Support for ‘Right to be Forgotten’
Tealium’s unique position as the data supplier to your marketing
technology ecosystem enables it to be an ideal place to handle user
opt-out across all your marketing channels. Tealium’s server-side connectors
will trigger ‘delete’ directives through APIs whenever a user has selected
the right to be forgotten. This is a start to providing support for GDPR’s
‘Right to be Forgotten’ stipulation.
4. 	The Tealium solution
When it comes to the new legislation around data security and privacy,
Tealium is ahead of the curve in helping businesses manage evolving
privacy and data protection expectations. It has become increasingly
important to understand how your data is being collected, where your
data is going and who is using that data. Our approach empowers users
to securely control and manage your data at the source, across web,
mobile, IoT and connected devices. Tealium offers a number of robust
privacy control features and granular vendor management capabilities
to support your Data Governance needs, such as our Tag Marketplace
Policy, Resource Locks, Versions, multiple deployment environments,
individual user-based permissions, workflow management and privacy
manager.
	 The Tealium iQ privacy manager is the core of the Data Governance
Package, and enables our customers to easily offer opt-in or opt-out
choices to their online visitors, providing total control over which third-
party vendors or cookies those visitors want to allow while browsing that
customer’s web properties.
	 Ultimately privacy is about giving your visitors choice. Using our privacy
manager you can allow visitors to opt in/out of individual tags or even
categories of tags.
Below we have summarized the Tealium iQ privacy manager’s key
attributes:
	 Elimination of data collection: As illustrated above, Tealium iQ ensures
that a user’s privacy and Do Not Track settings are honored by simply
preventing various vendor tags from functioning on a web page, or
stopping the vendor code from being downloaded to the page.
	Customizability: Below are the various ways in which you can
customize display and functionality preferences within the privacy
manager:
	 1. You can automatically display the privacy manager to a non-cookied
	 user when the page loads, rather than requiring the user to click
	 the "Modify Privacy Options" button, using custom JS code that our
	 Deployment Team can implement for you upon request.
	 2. The privacy manager has a layout template that you can modify,
	 which means you can access the HTML and CSS used to generate it in
	 the same way you would modify a tag template.
	 3. In “Opt out by default” mode, unless the user explicitly opts in to the
	 categories / tags, no tags will be fired.
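How a consent gate of the kind described above can decide which tags load, shown as an added example (not Tealium's code or API). The tag list, cookie format, mode names and the rule that Do Not Track overrides stored choices are assumptions of this example.

```javascript
// Added example: all names, the cookie format and the tag list are hypothetical.

// Constructed tag inventory: each vendor tag belongs to one consent category.
const TAGS = [
  { id: "analytics-1", category: "analytics", src: "https://vendor-a.example/a.js" },
  { id: "dsp-1", category: "advertising", src: "https://vendor-b.example/b.js" },
  { id: "chat-1", category: "functional", src: "https://vendor-c.example/c.js" },
];

// Parse a constructed consent cookie value such as "c:analytics=1|t:dsp-1=0".
// "c:" entries are category choices, "t:" entries are per-tag choices.
// Any malformed entry invalidates the whole cookie (fail closed): returns null,
// so the visitor is treated like a non-cookied user.
function parseConsent(value) {
  if (typeof value !== "string" || value === "") return null;
  const consent = { categories: new Map(), tags: new Map() };
  for (const part of value.split("|")) {
    const m = /^([ct]):([A-Za-z0-9_-]+)=([01])$/.exec(part);
    if (!m) return null;
    const target = m[1] === "c" ? consent.categories : consent.tags;
    target.set(m[2], m[3] === "1");
  }
  return consent;
}

// Decide, per tag, whether it may load. Precedence (an assumption of this example):
// Do Not Track > per-tag choice > category choice > mode default.
// In "opt-out-by-default" mode a tag fires only after an explicit opt-in.
function decideTags(tags, consent, { mode = "opt-out-by-default", doNotTrack = false } = {}) {
  const defaultAllow = mode === "opt-in-by-default";
  return tags.map((tag) => {
    if (doNotTrack) {
      return { id: tag.id, allow: false, reason: "do-not-track" };
    }
    if (consent && consent.tags.has(tag.id)) {
      return { id: tag.id, allow: consent.tags.get(tag.id), reason: "tag-choice" };
    }
    if (consent && consent.categories.has(tag.category)) {
      return { id: tag.id, allow: consent.categories.get(tag.category), reason: "category-choice" };
    }
    return { id: tag.id, allow: defaultAllow, reason: "mode-default" };
  });
}

// Load only the allowed tags. `inject` is supplied by the caller (in a browser it
// would append a <script> element), so blocked vendor code is never requested.
function loadAllowedTags(tags, decisions, inject) {
  const allowed = new Set(decisions.filter((d) => d.allow).map((d) => d.id));
  const loaded = [];
  for (const tag of tags) {
    if (allowed.has(tag.id)) {
      inject(tag.src);
      loaded.push(tag.id);
    }
  }
  return loaded;
}

// Walk-through with a constructed cookie: the visitor accepted analytics and
// advertising as categories but switched off one advertising tag individually.
function demo() {
  const consent = parseConsent("c:analytics=1|c:advertising=1|t:dsp-1=0");
  const decisions = decideTags(TAGS, consent);
  const requested = [];
  const loaded = loadAllowedTags(TAGS, decisions, (src) => requested.push(src));
  return { decisions, requested, loaded };
}

console.log(JSON.stringify(demo(), null, 2));
```

Logging the `reason` for every blocked tag gives the audit trail that the tag reports and quarterly reviews in this paper depend on.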
Summary
How well are you protecting your data?
Tealium’s Data Governance Package helps customers manage their implementation of Tealium’s software to facilitate
their data governance and privacy controls. Tealium will assist customers in configuring and monitoring Tealium iQ
Tag Management, AudienceStream and verify according to industry best practices.*
Data Governance Package
Configuration (One-Time)
•	 Privacy Manager for up to five (5) Digital Properties
Enables Visitors within the Digital Properties where Tealium iQ is deployed and the Privacy Manager enabled,
to opt-in or opt-out accordingly for technology tags (and in some cases potentially dropping cookies) that
subsequently load in Visitors’ web browsers.
•	 Opt-In Notification for up to five (5) profiles
Configuration of a Consent Modal Window (or perhaps a Banner) to inform Visitors that cookies, tracking
mechanisms, and advertising technologies will be used on the website. In addition to this contextual window,
selection option gears are configured for consent policies of these items. For example, the Visitor can choose to
accept cookies but disallow specific marketing technologies such as a DSP.
•	 Tag Marketplace Policy for up to five (5) profiles
Configuration and limiting of vendors available in the tag marketplace policy to only provide specified tag
templates in the Tealium iQ interface. This allows for only those tag vendor templates that Customer’s InfoSec team
has deemed safe and acceptable to be accessible for any Tealium iQ administrator, thereby minimizing the risk that
unwanted tags will operate on Customer’s Digital Properties.
•	 Configure security-focused Extensions and/or Resource Locks and Labels
Encryption Extensions and Resource Locks and Labels will assign specific data definitions and Tag Logic to specific
Customer users, and prevent unauthorized editing or changes to those data variables, load rules, and tags. This
configuration applies to these elements for up to five (5) profiles.
•	 Review and configuration of user roles and permissions in accordance with least access best practices for
up to five (5) profiles
User roles and permissions are configured in an enterprise-class role-based access control approach that explicitly
activates environmental privileges for several areas of the Tealium iQ interface, for example the ability to publish to
one or more environments (Dev, QA, and Prod) and the ability to implement Tealium iQ extensions.
•	 Configuration of tag reports that summarize data collection.
Tealium deployment services will create reports that summarize the data collected throughout a designated time
period and provide those reports to Customer.
•	 Configuration of five (5) major user funnels for proper data layer configuration
Tealium deployment services will configure the funnel(s) that will confirm the required data is in fact on the Digital
Property in question.
•	 Configuration of Opt-Out Audience
This configuration will ensure that when users choose to opt-out of tracking (via the Consent modal), they are
scheduled for purge from the AudienceStream solution. This is delivered by configuring an “Opt Out” Audience.
*For AudienceStream enabled customers only.
•	 Configuration of opt-out actions for (5) supporting vendors.
Using the ‘Opt-out Audience’ configuration, Tealium will configure vendor connector actions to remove or opt
users out of campaigns, lists and databases depending on availability. *For AudienceStream enabled customers
only.
•	 Review event and visitor attributes ensuring proper long-term data storage and ensure restricted data is
not delivered to systems unable to purge.
For example, Tealium will work with Customer to designate data that should be labeled as “restricted”. Then
all restricted data flags can be configured and mapped to Data Access for storage. *For DataAccess enabled
customers only.
Ongoing Deliverables (Quarterly)
•	 Account Best Practices Review & Update
Review of up to five (5) profiles for compliance with Tealium Data Governance best practices
•	 User Management Audit
Review of current user access levels and rights for incorrect configuration
•	 Configuration of five (5) major user funnels for proper data layer configuration
Tealium deployment services will configure the funnel(s) that will confirm the required data is in fact on the Digital
Property in question.
•	 Quarterly Tag Load Report
A supplemental report that outlines tag loads, basic tag performance and alerts to tag errors.
*Details of package are subject to change.
Data Governance Checklist
5 Steps for Balancing Customer Experience with Privacy & Security
In May 2018, the General Data Protection Regulation (GDPR) will take effect, requiring all organizations to abide by
a new set of guidelines and protocols. While the principles of accountability and transparency have previously been
implicit requirements of data protection law, the GDPR’s legal emphasis will be critical for businesses operating across
borders in today’s digital economy.
This is a massive opportunity for companies to differentiate their brand and safeguard consumer confidence by
proactively embracing security and privacy. From the vendors you choose to work with, to the policies and procedures
in place, take these five steps to jumpstart your data governance strategy and prepare for successful integration across
your organization.
STEP 1: Perform Due Diligence
Audit data flows to know where the data goes and who has access.
Business Team
• Identify vendors in use
• Validate vendor access
• Review current contracts
Technology Team
• Audit vendor technology
• Review vendor policies
• Remove non-compliant or unused vendors
STEP 2: Start a Data Inventory
Take an inventory to understand what type of data is being processed and if it is required.
Business Team
• Agree on data sensitivity from both a legal and an experience perspective
• Agree on the data needed to run marketing vs. operations
• Document data requirements for running the business
Technology Team
• Document where the data is stored: Customer, Campaign, Enterprise (Financial/HR)
• Ensure that data handling is in compliance with business policies and legal requirements
• Check vendor integrations
STEP 3: Build Controls
Develop procedures to provide clear and accurate notice of data usage both internally, with policy and process, and externally,
through notification, terms and conditions.
Business Team
• Verify proper contracts with vendors
• Create governance policies and processes
• Update external and internal communication
Technology Team
• Configure vendors for ‘least-access’
• Create data audit guidelines and tests
• Test and audit internally for compliance
STEP 4: Form a Data Governance Panel
Activate against internal processes for both business and technology teams to move forward.
Business Team
Communicates with Technology team on:
• Needs to drive marketing and customer experiences
• Legal ramifications of non-compliance
• Expectations of the business on technology
Technology Team
Communicates with Business team on:
• Best practices with access, transmission and storage of data
• Protection of the data and the customer from ‘bad’ players: Internal, External, Partner
• Enablement of the business within reason
STEP 5: Provide Clear and Accurate Notice
Communicate your data policy across the organization, and to customers and vendors. It’s everyone’s responsibility!
Business Team
• Update Privacy Policy to reflect data usage (ex. cookie policy, IP usage)
• Provide means for opt-out across all marketing
• Communicate with Technology team on evolving data usage
Technology Team
• Provide customers with Explicit Opt-In/Out
• Ensure ‘Right to be Forgotten’ and general data deletion directives
• Communicate compliance changes, or the lack of them, to the Business team and vendors
• Ensure employee training across the organization
As new laws and large financial penalties emerge around data privacy, having Tealium as a trusted
partner builds confidence in your business’ ability to appropriately and legally manage data.
Contact us today to learn more: www.tealium.com
©2018 Tealium Inc. All rights reserved. Tealium, Tealium iQ, AudienceStream, and all other Tealium marks
contained herein are trademarks or service marks of Tealium. All other marks are the property of their
respective owners. Rev. 050118

Data Governance: Embracing Security and Privacy

  • 1.
  • 2.
    Executive summary We livein a global world where most online brands have an international footprint, but different regions you do business in require different approaches to data protection and privacy. Even if your business is headquartered and operating in the US, international data privacy laws should be a major concern. In July 2016, the EU-US Privacy Shield took effect replacing Safe Harbor. The General Data Protection Regulation (GDPR) will enforce all organizations to abide by specific protocols. While the principles of accountability and transparency have previously been implicit requirements of data protection law, the GDPR’s new legal framework will be critical for both businesses and consumers operating across borders in today’s digital economy to fully understand. How will you balance providing a seamless customer experience with the increasing responsibilities in data privacy and security? Vigilance is key– not just because of the legal ramifications of these new guidelines, but the effect that leakage and security events have on the brand itself. As an industry we owe it to end customers to be transparent and ethical with data, ensuring that what is collected and known is used for the purposes of better experiences for those end customers. By investing time to perform the proper analysis and planning, you can be confident in implementing a program that will minimize risk, build trust, and protect your brand. The precursors to massive change in our space are clear. Now we, as an industry, need to adapt before we are forced to. From the vendors you choose to work with, to the policies and procedures in place, this whitepaper discusses steps to take today for building an effective data governance strategy. Learn to make sense of the current legal landscape, ensure successful integration across your organization, and how to provide these safeguards to your customers. Data Governance: Embracing Security and Privacy 2
  • 3.
    Data Governance: EmbracingSecurity and Privacy 3 Overview of current environment...............................................................................4 Key implications..................................................................................................................5 Value proposition ..............................................................................................................6 The Tealium solution.........................................................................................................6 Summary...............................................................................................................................8 Data governance package .............................................................................................8 Data governance checklist ...........................................................................................10 Table of Contents
  • 4.
    Data Governance: EmbracingSecurity and Privacy 4 1. Overview of current environment A significant legislative shift in data governance is taking place in Europe and leading the way towards global change. The rapidly-growing number of digital marketing vendors, channels, and customer touchpoints, along with a shifting global data privacy environment, is creating a serious data governance problem in the digital space. With Safe Harbor1 being ruled invalid in October of 2015, the EU-US Privacy Shield approved to take its place in July of 2016 and more stringent regulations with GDPR, companies now face the risk of a severe penalties should they be found non-compliant with these new regulations The EU-US Privacy Shield, which replaced Safe Harbor, is a framework for transatlantic exchanges of personal data for business purposes between the EU and the US. It is a more prescriptive set of guidelines that is intended to provide a higher level of protection for EU citizens, and includes General Data Protection Regulation (“GDPR”) for how penalties are enforced. The GDPR will become law in May 2018. There are a number of key factors that companies should understand regarding these new guidelines on the horizon. First, the GDPR applies if you are processing personal data in connection with the provision of goods and services to EU citizens (even if the goods or services are free), or if you are monitoring EU citizens’ behavior. Second, it is important to note that the regulations apply regardless of where the data controller (you) is located and is not limited to businesses just in the EU. The penalties for non-compliance with Privacy Shield and the GDPR are severe. For major infractions, such as simply not providing an explicit opt-in for visitors, the penalty is EUR 20 million or four percent of annual revenue, whichever is greater. Minor infractions can result in penalties of up to EUR 10 million or two percent of annual revenue. 
The EU ePrivacy directive, also known as the ‘cookie directive’, has resurfaced as of late since updates are needed in order to ensure it aligns well with the GDPR. Currently, the ePrivacy directive regulates how a company’s digital properties collect an EU citizen’s data and requires them to obtain consent to store or retrieve their personal data. While updates to the directive have not been finalized, suggested revisions could make this process even more complex and confusing for brands. 1 This US-based legal framework built on seven principles for allowing data transfer from EU to US was abolished in 2015.
  • 5.
    Data Governance: EmbracingSecurity and Privacy 5 2. Key implications With GDPR, it is your organization that could face penalties of non- compliance with regulations, even if it is your vendors who are at fault. Although the GDPR has established clear responsibility and accountability around the handling of personal data by controllers (you) and processors (vendors), the burden for data protection still rests predominantly with you. As brand and data controllers, your organization will be held responsible for ensuring direct, as well as third-party, vendor compliance with both the EU US Privacy Shield and GDPR. What is happening in Europe is believed to be the canary in the coal mine for the US and elsewhere, potentially impacting your business in the near future wherever your customers are located. And while Europe has been at the forefront of this regulatory shift around protecting EU citizen’s data, changes are taking place in the US, as well, to protect US citizen’s data. A US telecommunications firm began using unique, undeletable identifiers, or supercookies, called UIDH (unique identifier header) to track mobile customers for ad-targeting purposes in 2012. They had made limited disclosures in its privacy policy, but did not update its privacy policy to include information on its use of supercookies until March 2015. Meanwhile, an online advertising company began to use the supercookies – meaning the vendor could restore a cookie ID that a user has cleared from his/her browser if it is associated with a UIDH. The FCC said that the telecommunications company’s failure to disclose accurate and adequate information to consumers about the supercookies violated the transparency requirements from the FCC’s 2010 net neutrality rules. They now have to implement a 3-year compliance plan and obtain customers’ opt-in consent before sharing UIDH with third parties.
  • 6.
    Data Governance: EmbracingSecurity and Privacy 6 3. Value proposition Given our unique position in the data supply chain, having Tealium as a trusted partner builds confidence in your business’ ability to appropriately and legally manage data, while significantly reducing your reliance on your digital marketing and analytics vendors to adhere to privacy standards. In particular, Tealium can support your efforts in setting proper consent and providing clear transparency around data collection and usage; both key aspects of the ePrivacy directive. Country-Specific Compliance Some countries have very specific laws about what types of information organizations can collect about their online visitors, and what sort of privacy options must be enabled – this includes any tags collecting data, all of which must be compliant with local in-country privacy regulations. Tealium iQ Tag Management supports geography-based privacy compliance, allowing organizations to apply standards by country and giving precise control over the data collection practices of each vendor. Tealium’s flexibility in this offering is especially important in regards to the ePrivacy directive as each country can take on the aspects selectively. Client-Side Decision-Making Capabilities Our unique depth and breadth of experience across clients facilitates our understanding of how to ensure explicit opt-in compliance on the front end for visitors. Geographical Data Restrictions Our automated regionalized data collection and storage for server-to- server data governance serves as a key competitive edge over our peers. Support for ‘Right to be Forgotten’ Tealium’s unique position as the data supplier to your marketing technology ecosystem enables it to be an ideal place to handle user opt out across all your marketing channels. Tealium’s server side connectors will trigger ‘delete’ directives through APIs whenever a user has selected the right to be forgotten. 
This is a start to providing support for GDPR’s ‘Right to be Forgotten’ stipulation. 4. The Tealium solution When it comes to the new legislation around data security and privacy, Tealium is ahead of the curve helping businesses manage evolving privacy and data protection expectations. It has become increasingly important to understand how your data is being collected, where your data is going and who is using that data. Our approach empowers users to securely control and manage your data at the source– across web, mobile IoT and connected devices. Tealium offers a number of robust privacy control features and granular vendor management capabilities to support your Data Governance needs– such as our Tag Marketplace Policy, Resource Locks, Versions, multiple deployment environments, individual user based permissions, workflow management and privacy manager. The Tealium iQ privacy manager is the core of the Data Governance Package, and enables our customers to easily offer opt-in or opt-out choices to their online visitors, providing total control over which third- party vendors or cookies those visitors want to allow while browsing that customer’s web properties.
  • 7.
    Data Governance: EmbracingSecurity and Privacy 7 Ultimately privacy is about giving your visitors choice. Using our privacy manager you can allow visitors to opt in/out of individual tags or even categories of tags. Below we have summarized the Tealium iQ privacy manager’s key attributes: Elimination of data collection: As illustrated above, Tealium iQ ensures that a user’s privacy and Do Not Track settings are honored by simply preventing various vendor tags from functioning on a web page, or stopping the vendor code from being downloaded to the page. Customizability: Below are the various ways in which you can customize display and functionality preferences within the privacy manager: 1. You can automatically display the privacy manager to a non-cookied user when the page loads rather than requiring the user to click on the "Modify Privacy Options" button using custom JS code, which our Deployment Team can implement for you upon request. 2. The privacy manager has a layout template that you can modify, which means you can access the HTML and CSS used to generate it in the same way you would modify a tag template. 3. In “Opt out by default” mode, unless the user explicitly opts in to the categories / tags, no tags will be fired.
Summary

How well are you protecting your data?

Tealium’s Data Governance Package helps customers manage their implementation of Tealium’s software to facilitate their data governance and privacy controls. Tealium will assist customers in configuring and monitoring Tealium iQ Tag Management, AudienceStream and verify according to industry best practices.*

Data Governance Package Configuration (One-Time)

• Privacy Manager for up to five (5) Digital Properties
  Enables Visitors within the Digital Properties where Tealium iQ is deployed and the Privacy Manager enabled, to opt-in or opt-out accordingly for technology tags (and in some cases potentially dropping cookies) that subsequently load in Visitors’ web browsers.

• Opt-In Notification for up to five (5) profiles
  Configuration of a Consent Modal Window (or perhaps a Banner) to inform Visitors that cookies, tracking mechanisms, and advertising technologies will be used on the website. In addition to this contextual window, selection option gears are configured for consent policies of these items. For example, the Visitor can choose to accept cookies but disallow specific marketing technologies such as a DSP.

• Tag Marketplace Policy for up to five (5) profiles
  Configuration and limiting of vendors available in the tag marketplace policy to only provide specified tag templates in the Tealium iQ interface. This allows for only those tag vendor templates that Customer’s InfoSec team has deemed safe and acceptable to be accessible for any Tealium iQ administrator, thereby minimizing the risk that unwanted tags will operate on Customer’s Digital Properties.

• Configure security-focused Extensions and/or Resource Locks and Labels
  Encryption Extensions and Resource Locks and Labels will assign specific data definitions and Tag Logic to specific Customer users, and prevent unauthorized editing or changes to those data variables, load rules, and tags. This configuration applies to these elements for up to five (5) profiles.

• Review and configuration of user roles and permissions in accordance with least access best practices for up to five (5) profiles
  User roles and permissions are configured in an enterprise-class role-based access control approach that explicitly activates environmental privileges for several areas of the Tealium iQ interface. For example the ability to publish to one or more environments (Dev, QA, and Prod) and the ability to implement Tealium iQ extensions.

• Configuration of tag reports that summarize data collection
  Tealium deployment services will create reports that summarize the data collected throughout a designated time period and provide those reports to Customer.

• Configuration of five (5) major user funnels for proper data layer configuration
  Tealium deployment services will configure the funnel(s) that will confirm the required data is in fact on the Digital Property in question.

• Configuration of Opt-Out Audience
  This configuration will ensure that when users choose to opt-out of tracking (via the Consent modal), they are scheduled for purge from the AudienceStream solution. This is delivered by configuring an “Opt Out” Audience.
  *For AudienceStream enabled customers only.
• Configuration of opt-out actions for (5) supporting vendors
  Using the ‘Opt-out Audience’ configuration, Tealium will configure vendor connector actions to remove or opt users out of campaigns, lists and databases depending on availability.
  *For AudienceStream enabled customers only.

• Review event and visitor attributes ensuring proper long-term data storage and ensure restricted data is not delivered to systems unable to purge
  For example, Tealium will work with Customer to designate data that should be labeled as “restricted”. Then all restricted data flags can be configured and mapped to Data Access for storage.
  *For DataAccess enabled customers only.

Ongoing Deliverables (Quarterly)

• Account Best Practices Review & Update
  Review of up to five (5) profiles for compliance with Tealium Data Governance best practices

• User Management Audit
  Review of current user access levels and rights for incorrect configuration

• Configuration of five (5) major user funnels for proper data layer configuration
  Tealium deployment services will configure the funnel(s) that will confirm the required data is in fact on the Digital Property in question.

• Quarterly Tag Load Report
  A supplemental report that outlines tag loads, basic tag performance and alerts to tag errors.

*Details of package are subject to change.
Data Governance Checklist
5 Steps for Balancing Customer Experience with Privacy & Security

In May 2018, the General Data Protection Regulation (GDPR) will take effect, enforcing all organizations to abide by a new set of guidelines and protocols. While the principles of accountability and transparency have previously been implicit requirements of data protection law, the GDPR’s legal emphasis will be critical for businesses operating across borders in today’s digital economy.

This is a massive opportunity for companies to differentiate their brand and safeguard consumer confidence by proactively embracing security and privacy. From the vendors you choose to work with, to the policies and procedures in place, take these five steps to jumpstart your data governance strategy and prepare for successful integration across your organization.

STEP 1: Perform Due Diligence
Audit data flows to know where and who have access.

Business Team
• Identify vendors in use
• Validate vendor access
• Review current contracts

Technology Team
• Audit vendor technology
• Review vendor policies
• Remove non-compliant or unused vendors

STEP 2: Start a Data Inventory
Take an inventory to understand what type of data is being processed and if it is required.

Business Team
• Agree on data sensitivity both from a legal and experience perspective
• Agree on the data needed to run marketing vs. operations
• Document data requirements for running the business

Technology Team
• Document where the data is stored:
  • Customer
  • Campaign
  • Enterprise (Financial/HR)
• Ensure that data handling is in compliance with business policies and legal requirements
• Check vendor integrations

STEP 3: Build Controls
Develop procedures to provide clear and accurate notice of data usage both internally, with policy and process, and externally, through notification, terms and conditions.

Business Team
• Verify proper contracts with vendors
• Create governance policies and processes
• Update external and internal communication

Technology Team
• Configure vendors for ‘least-access’
• Create data audit guidelines and tests
• Test and audit internally for compliance

STEP 4: Form a Data Governance Panel
Activate against internal processes for both business and technology teams to move forward.

Business Team communicates with Technology team on:
• Needs to drive marketing and customer experiences
• Legal ramifications of non-compliance
• Expectations of the business on technology

Technology Team communicates with Business team on:
• Best practices with access, transmission and storage of data
• Protection of the data and the customer from ‘bad’ players
  • Internal
  • External
  • Partner
• Enablement of the business within reason

STEP 5: Provide Clear and Accurate Notice
Communicate your data policy across the organization, and to customers and vendors. It’s everyone’s responsibility!

Business Team
• Update Privacy Policy to reflect data usage (ex. cookie policy, IP usage)
• Provide means for opt-out across all marketing
• Communicate with Technology team on evolving data usage

Technology Team
• Provide customers with Explicit Opt-In/Out
• Ensure ‘Right to be Forgotten’ and general data deletion directives
• Communicate to Business team and vendors of compliance changes or lack of

• Ensure employee training across the organization

As new laws and large financial penalties emerge around data privacy, having Tealium as a trusted partner builds confidence in your business’ ability to appropriately and legally manage data. Contact us today to learn more: www.tealium.com
©2018 Tealium Inc. All rights reserved. Tealium, Tealium iQ, AudienceStream, and all other Tealium marks contained herein are trademarks or service marks of Tealium. All other marks are the property of their respective owners. Rev. 050118

Tealium has offices worldwide. Phone numbers and addresses are listed on the Tealium website at tealium.com/contact.

Global Headquarters
11095 Torreyana Road
San Diego, CA 92121
(858) 779-1344
tealium.com