Data security legislation like the GDPR allows users to control how and if their personal data is used by companies. Join our VP of Digital Strategy, Dawn Aly, and Open Source Security Lead, Mark Shropshire, both from Mediacurrent, as they give us actionable steps to take to ensure GDPR compliance.
Watch recorded webinar: http://bit.ly/2MVhON9
3. | 3
Mediacurrent is a full-service digital agency that
implements world class open source software
development, strategy and design to achieve defined
goals for enterprise organizations seeking a better
return on investment.
Who We Are
4. | 4
Today’s Team
Dawn Aly
VP, Digital Strategy
Mediacurrent
@dawnashleealy
Mark Shropshire
Open Source Security Lead
Mediacurrent
@shrop
5. | 5
Disclaimers
1. We are not lawyers.
2. This session is not a replacement for
legal council.
3. The scope of this talk is on the website
and not overall compliance.
6. | 6
Today’s Agenda
I. Guiding Principles of the GDPR
II. Creating a Positive PX
III. Security by Design
IV. Advanced Marketing Strategies
in a Post GDPR World
V. Creating an Action Plan
(not a Freak-Out Plan)
7. | 7
60%
The percentage of organizations that are at risk of
missing the GDPR compliance deadline.
Only 7% of surveyed organizations say they are in full
compliance with GDPR requirements today.
-Crowd Research Partners 2018 GDPR Compliance Report
9. | 9
What is GDPR?
GDPR (General Data Protection Regulation), adopted by the the European Union
Parliament April 27, 2016, intends to give individuals in the EU the ability to control
their personal data. International businesses will benefit by having simpler clarity
around user privacy related regulations, leading to consistent implementations.
The GDPR become enforceable on May 25th, 2018 and replaces the 1995 Data
Protection Directive.
Searchable GDPR: https://gdpr.algolia.com
Source: https://www.eugdpr.org
10. | 10
Who is at Risk for Compliance?
Anyone who can say yes to at least one of the following:
● Do you have a website with international traffic?
● Do you use a CRM or Marketing Automation platform?
● Does your site have an analytics platform like Google Analytics?
● Does your website use cookies?
● Does your website collect personal information? Anything from a store or a
contact form counts!
● Can users log in to your website?
12. | 12
The GDPR is not just an IT Discussion
43%of cyber attacks targeted
small businesses in 2015
$150 millionanticipated increase of data breach costs by 2020
89%Believe their competitive
advantage will be based on
the customer experience
85%Percentage of relationships
consumers will manage
without talking to a
human by 2020
Sources: Gartner, Gartner, Symantec, Microsoft, Juniper Research
$3.8 millioncost of a data breach for the average company
13. | 13
GDPR Roles
Legal entity or person
processing the actual
data on behalf of the
controller
GDPR required leadership position in
organizations for monitoring internal
GDPR compliance
Legal entity or person
determining need and
means for processing
personal data
Data Subject
Individual
whose personal
data has been
collected
Public authority appointed in EU
countries for monitoring
compliance of GDPR
Supervisory
Authority
Controller Processor
Data
Protection
Officer
14. | 14
User Rights and Requirements Overview
Right to Erasure
Breach Notification
Data Portability
Right to Access
Data Protection OfficersPrivacy by Design
15. | 15
Key Challenges Ahead
● Implementation requirements
are vague and often require
interpretation
● Compliance and continued
process improvements will come
at a cost to organizations
Fines up to 20 million
EUR or 4% or annual
global turnover for
noncompliance
18. | 18
Universal PX Principles
● Always be transparent with users
● Use easy to understand language / no “lawyer speak”
● Consent must be given and not assumed
● Protect user data
● Don’t collect more than absolutely necessary
● User must have the right to be forgotten
● Follow security and privacy by design methodologies
19. | 19PX Do’s and Don’ts
Data Collection Transparency Data Portability
Do’s
Don’ts
● Know what you collect
● Only retain for as long as you
need
● Protect data with encryption
● Audit and log
● Have clear privacy policies
● Let users know how you use
data and why
● Give users the right to decide
how and when data is
processed and shared
● Explain things in easy to
understand language
● Allow users control over their
data including:
○ Exporting data
○ Deleting data
○ Seeing the details of
their stored data
● Collect any PII that you don’t
absolutely need
● Allow anyone or system
access to data who doesn’t
have legitimate reason for
processing
● Hide who you share data with
and why you share it with
them
● Force users to opt-out (opt-in
should be the pattern)
● Create hard to read privacy
policies and other
documents related to data
privacy
● Rely on blanket consents
● Make it hard for users to
export data in a standard
format that is usable for
imports to other systems and
services
● Delay processing user
request for deletion, export,
or reporting
20. | 20
Pinterest Example
What works?
● Banner is located in a high
engagement section.
What doesn’t work?
● Poorly worded language
implies you should Accept
without seeing the changes.
● Links don’t easily outline the
differences between the
previous and the new policies.
21. | 21
Twitter Example
What works?
● Overlay is prominent.
● Clear, easy to understand language.
● Explains current settings.
● CTAs and features allows users to
control specific settings.
What could be better?
● Change sharing from an opt-out to an
opt-in process.
23. | 23
Secure by Design
Secure by design, in software engineering, means that
the software has been designed from the ground up to
be secure. Malicious practices are taken for granted and
care is taken to minimize impact when a security
vulnerability is discovered or on invalid user input.
https://en.wikipedia.org/wiki/Secure_by_design
24. | 24
Privacy and Security SDLC
1. PLANNING
Document and understand security
controls and regulatory requirements to
include in feature planning.
Software
Development
Life Cycle
3. TESTING
Identify defects through review
and testing controls guided by
security and privacy requirements.
4. DOCUMENTATION
Document detailed project feature
implementations and processes
and how they apply to security and
privacy requirements.
5. DEPLOYMENT
Release software to production
environments after approved
through agreed upon processes.
6. MAINTENANCE
Consider and implement changes
to controls and regulations
affecting the project.
2. IMPLEMENTATION
Development with security and
privacy controls in mind.
Privacy and Security
25. | 25
Security and Privacy Principles
● Limit attack surface
● Keep solutions simple
● Encrypt PII (Personally Identifiable Information)
● Know your regulatory requirements: FERPA, GDPR,
HIPAA, PCI DSS, CAN SPAM etc.
● Write policies and procedures and then follow them
● Automate auditing and compliance processes
● Log events and transactions
26. | 26
Notorious PII (Personally Identifiable Information) Locations
● User profiles and accounts
● Web personalization data
● Webform data
● Data import and export files and database tables
● Geolocation data
● Server log files
● Database backups
31. | 31
Make Trust Your
Competitive
Advantage
Sources: Inc.com, Label Insight, Harvard Business Review
94%
of customers are likely
to be more loyal to
transparent brands
32. | 32
Big Data May Not Be So Big
and definitely comes with
bigger responsibility
33. | 33
GDPR Benefits to Data
● Improved data quality because it’s submitted
by the people it describes
● Potential reduction in data cleansing costs
● Marketing strategies will be in-line with
customer desires vs marketers assuming what
they want
Sources: Altimeter
34. | 34
Google Analytics Retention
https://www.mediacurrent.com/blog/google-analytics-data-retention-controls-and-gdpr
35. | 35
Marketing Automation and CRM
● Be able to prove you have consent- even on
past opt-ins
● Consent for one campaign doesn’t mean
consent for all
● Talk with your Marketing Automation and CRM
platforms to see if they offer tools.
○ Just because they say they are
compliant, does not mean by default you
are too
41. | 41
● Opt-in language
● Privacy policy & legal
documents
● Internal messaging
around value and
marketing impact
Creating a Plan
● Data portability
● Revoking consent
● Data erasure
● Consent
customization
● What are we
collecting & why
● Active vs. passive
● Storage & encryption
● Integration points
Data Collection Points Messaging and Consent User Control
43. | 43
Example Website Opt-Ins
Hooray an Overlay
Here is some text about our
cookies, what they do, and
why they’re helpful for you.
Here’s some info about where
to learn more.
Would you like to opt-in?
Yes No
Hooray an Overlay
Here is some text about our
cookies, what they do, and
why they’re helpful for you.
Here’s some info about where
to learn more.
Would you like to opt-in?
Yes Review Settings
47. | 47
Absolute Minimums
Planning
● Write out your GDPR plan
including any audits you may
need to conduct
● Document all compliance efforts
● Include your rationale in all
documents
● Set aside untouchable time for
maintenance and improvements
on a regular basis
Execution
● Appoint a Data Protection Officer
● Apply any patches or security
updates available to your system
● Improve the clarity of your
Privacy Policy
● Seek consent from users
(newsletter, cookies, etc)
● Give users an easy way to
contact you about their data
● Update Google Analytics
49. Want to keep the conversation going?
Mediacurrent
Feel free to message Dawn or Mark with any questions you have
on getting your site GDPR compliant!
Dawn - dawn.aly@mediacurrent.com
shrop - mark.shropshire@mediacurrent.com
Have a GDPR project to discuss for your
organization? We can help!