
WHITE PAPER

Data Governance:
Embracing Security and Privacy
Executive summary
We live in a global world where most online brands have an international
footprint, but different regions you do business in require different
approaches to data protection and privacy. Even if your business is
headquartered and operating in the US, international data privacy laws
should be a major concern.

In July 2016, the EU-US Privacy Shield took effect, replacing Safe Harbor. In
less than two years, the General Data Protection Regulation (GDPR) will come
into play, requiring all organizations to abide by specific protocols. While the
principles of accountability and transparency have previously been implicit
requirements of data protection law, the GDPR's new legal framework will
be critical for both businesses and consumers operating across borders in
today's digital economy to fully understand.

How will you balance providing a seamless customer experience with the
increasing responsibilities in data privacy and security? Vigilance is key
not just because of the legal ramifications of these new guidelines, but
the effect that leakage and security events have on the brand itself. As an
industry we owe it to end customers to be transparent and ethical with
data, ensuring that what is collected and known is used for the purposes of
better experiences for those end customers. By investing time to perform the
proper analysis and planning, you can be confident to implement a program
that will minimize risk, build trust, and protect your brand.

The precursors to massive change in our space are clear. Now we, as an
industry, need to adapt before we are forced to. From the vendors you
choose to work with, to the policies and procedures in place, this whitepaper
discusses steps to take today for building an effective data governance
strategy. Learn to make sense of the current legal landscape, ensure
successful integration across your organization, and how to provide these
safeguards to your customers.

2 Data Governance: Embracing Security and Privacy


Table of Contents

Overview of current environment...............................................................................4

Key implications..................................................................................................................5

Value proposition ..............................................................................................................6

The Tealium solution.........................................................................................................6

Summary...............................................................................................................................8

Data governance checklist .............................................................................................9



1. Overview of current environment
A significant legislative shift in data governance is taking place in Europe
and leading the way towards global change.

The rapidly growing number of digital marketing vendors, channels,
and customer touchpoints, along with a shifting global data privacy
environment, is creating a serious data governance problem in the digital
space. With Safe Harbor [1] being ruled invalid in October of 2015, the
EU-US Privacy Shield approved to take its place in July of 2016, and more
stringent regulations with GDPR less than two years away, companies
now face the risk of severe penalties should they be found non-compliant
with these new regulations.

The EU-US Privacy Shield, which replaced Safe Harbor, is a framework
for transatlantic exchanges of personal data for business purposes
between the EU and the US. It is a more prescriptive set of guidelines that
is intended to provide a higher level of protection for EU citizens, and
includes General Data Protection Regulation (GDPR) for how penalties
are enforced. The GDPR will become law in May 2018.

There are a number of key factors that companies should understand
regarding these new guidelines on the horizon. First, the GDPR applies
if you are processing personal data in connection with the provision of
goods and services to EU citizens (even if the goods or services are free),
or if you are monitoring EU citizens' behavior. Second, it is important
to note that the regulations apply regardless of where the data
controller (you) is located and are not limited to businesses in the EU.

The penalties for non-compliance with Privacy Shield and the GDPR are
severe. For major infractions, such as simply not providing an explicit
opt-in for visitors, the penalty is EUR 20 million or four percent of annual
revenue, whichever is greater. Minor infractions can result in penalties of
up to EUR 10 million or two percent of annual revenue.

[1] This US-based legal framework, built on seven principles for allowing data transfer from the EU to the US, was abolished in 2015.



2. Key implications
With the new GDPR, it is your organization that could face penalties
of non-compliance with regulations, even if it is your vendors who are
at fault. Although the GDPR has established clear responsibility and
accountability around the handling of personal data by controllers
(you) and processors (vendors), the burden for data protection still rests
predominantly with you.

As brand and data controllers, your organization will be held responsible
for ensuring direct, as well as third-party, vendor compliance with both
the EU-US Privacy Shield and GDPR.

What is happening in Europe is believed to be the canary in the coal mine
for the US and elsewhere, potentially impacting your business in the near
future wherever your customers are located.

And while Europe has been at the forefront of this regulatory shift around
protecting EU citizens' data, changes are taking place in the US, as well, to
protect US citizens' data.

A US telecommunications firm began using unique, undeletable
identifiers, or supercookies, called UIDH (unique identifier header) to
track mobile customers for ad-targeting purposes in 2012. It had
made limited disclosures in its privacy policy, but did not update its
privacy policy to include information on its use of supercookies until
March 2015.

Meanwhile, an online advertising company began to use the
supercookies, meaning the vendor could restore a cookie ID that a
user had cleared from his/her browser if it was associated with a UIDH.

The FCC said that the telecommunications company's failure to
disclose accurate and adequate information to consumers about
the supercookies violated the transparency requirements of the
FCC's 2010 net neutrality rules. The company now has to implement a 3-year
compliance plan and obtain customers' opt-in consent before sharing
UIDH with third parties.



3. Value proposition
Given our unique position in the data supply chain, having Tealium as a
trusted partner builds confidence in your business's ability to appropriately
and legally manage data, while significantly reducing your reliance on your
digital marketing and analytics vendors to adhere to privacy standards.
Country-Specific Compliance
Some countries have very specific laws about what types of information
organizations can collect about their online visitors, and what sort of
privacy options must be enabled; this includes any tags collecting data,
all of which must be compliant with local in-country privacy regulations.
Tealium iQ Tag Management supports geography-based privacy
compliance, allowing organizations to apply standards by country and
giving precise control over the data collection practices of each vendor.
Client-Side Decision-Making Capabilities
Our unique depth and breadth of experience across clients facilitates our
understanding of how to ensure explicit opt-in compliance on the front
end for visitors.
Geographical Data Restrictions
Our automated regionalized data collection and storage for server-to-
server data governance serves as a key competitive edge over our peers.
Support for Right to be Forgotten
Tealium's unique position as the data supplier to your marketing
technology ecosystem makes it an ideal place to handle
user opt-out across all your marketing channels. Tealium's server-side
connectors will trigger delete directives through APIs whenever a user
has elected to be forgotten. This is a start to providing support for the GDPR's
Right to be Forgotten stipulation.

4. The Tealium solution

When it comes to the new legislation around data security and privacy,
Tealium is ahead of the curve, helping businesses manage evolving
privacy and data protection expectations. It has become increasingly
important to understand how your data is being collected, where your
data is going and who is using that data. Our approach empowers users
to securely control and manage your data at the source across web,
mobile, IoT and connected devices. Tealium offers a number of robust
privacy control features and granular vendor management capabilities
to support your Data Governance needs, such as our Tag Marketplace
Policy, Resource Locks, Versions, multiple deployment environments,
individual user-based permissions, workflow management and privacy
manager.
The Tealium iQ privacy manager is the core of the Data Governance
Package, and enables our customers to easily offer opt-in or opt-out
choices to their online visitors, providing total control over which third-
party vendors or cookies those visitors want to allow while browsing that
customer's web properties.
Ultimately privacy is about giving your visitors choice. Using our privacy
manager you can allow visitors to opt in/out of individual tags or even
categories of tags.



Below we have summarized the Tealium iQ privacy manager's key
attributes:

Elimination of data collection: As illustrated in the diagram below,
Tealium iQ ensures that a user's privacy and Do Not Track settings are
honored by simply preventing various vendor tags from functioning on a
web page, or stopping the vendor code from being downloaded to the
page.

Customizability: Below are the various ways in which you can
customize display and functionality preferences within the privacy
manager:

1. You can automatically display the privacy manager to a non-cookied
user when the page loads, rather than requiring the user to click on
the "Modify Privacy Options" button, using custom JS code, which our
Deployment Team can implement for you upon request.

2. The privacy manager has a layout template that you can modify,
which means you can access the HTML and CSS used to generate it in
the same way you would modify a tag template.

3. In Opt out by default mode, unless the user explicitly opts in to the
categories / tags, no tags will be fired.



Summary
How well are you protecting your data?

The Tealium Data Governance Package helps customers manage their
installations to ensure data governance and privacy controls are in
compliance with varying local and regional policies across the globe.

To learn more about how partnering with Tealium can help your
company safeguard data privacy, please click here.



Data Governance Checklist
5 Steps for Balancing Customer Experience with Privacy & Security
In May 2018, the General Data Protection Regulation (GDPR) will take effect, requiring all organizations to abide by
a new set of guidelines and protocols. While the principles of accountability and transparency have previously been
implicit requirements of data protection law, the GDPR's legal emphasis will be critical for businesses operating across
borders in today's digital economy.

This is a massive opportunity for companies to differentiate their brand and safeguard consumer confidence by
proactively embracing security and privacy. From the vendors you choose to work with, to the policies and procedures
in place, take these five steps to jumpstart your data governance strategy and prepare for successful integration across
your organization.

STEP 1: Perform Due Diligence

Audit data flows to know where data goes and who has access.

Business Team:
- Identify vendors in use
- Validate vendor access
- Review current contracts

Technology Team:
- Audit vendor technology
- Review vendor policies
- Remove non-compliant or unused vendors

STEP 2: Start a Data Inventory

Take an inventory to understand what type of data is being processed and if it is required.

Business Team:
- Agree on data sensitivity, both from a legal and an experience perspective
- Agree on the data needed to run marketing vs. operations
- Document data requirements for running the business

Technology Team:
- Document where the data is stored: Customer, Campaign, Enterprise (Financial/HR)
- Ensure that data handling is in compliance with business policies and legal requirements
- Check vendor integrations

STEP 3: Build Controls

Develop procedures to provide clear and accurate notice of data usage both internally, with policy and process, and externally,
through notification, terms and conditions.

Business Team:
- Verify proper contracts with vendors
- Create governance policies and processes
- Update external and internal communication
- Ensure employee training across the organization

Technology Team:
- Configure vendors for least-access
- Create data audit guidelines and tests
- Test and audit internally for compliance

STEP 4: Form a Data Governance Panel

Activate against internal processes for both business and technology teams to move forward.

Business Team communicates with Technology team on:
- Needs to drive marketing and customer experiences
- Legal ramifications of non-compliance
- Expectations of the business on technology
- Enablement of the business within reason

Technology Team communicates with Business team on:
- Best practices for access, transmission and storage of data
- Protection of the data and the customer from bad players: internal, external, partner

STEP 5: Provide Clear and Accurate Notice

Communicate your data policy across the organization, and to customers and vendors. It's everyone's responsibility!

Business Team:
- Update Privacy Policy to reflect data usage (ex. cookie policy, IP usage)
- Provide means for opt-out across all marketing
- Communicate with Technology team on evolving data usage changes

Technology Team:
- Provide customers with Explicit Opt-In/Out
- Ensure Right to be Forgotten and general data deletion directives
- Communicate to Business team and vendors on compliance, or lack of it

As new laws and large financial penalties emerge around data privacy, having Tealium as a trusted
partner builds confidence in your business's ability to appropriately and legally manage data.
Contact us today to learn more: www.tealium.com
Tealium has offices worldwide. Phone numbers and addresses are listed on the
Tealium web site at tealium.com/contact.

Global Headquarters
11095 Torreyana Road
San Diego, CA 92121
(858) 779-1344
tealium.com

2017 Tealium Inc. All rights reserved. Tealium, Tealium iQ, AudienceStream, and all other Tealium marks
contained herein are trademarks or service marks of Tealium. All other marks are the property of their
respective owners. Rev. 020117