Posted by William Littman, October 22, 2020

How to future-proof your company for evolving data privacy regulation

Companies across the globe are struggling to comply with a growing patchwork of data privacy laws and regulations, from the General Data Protection Regulation (GDPR) in Europe to local laws like New York’s Stop Hacks and Improve Electronic Data Security Act (the SHIELD Act).

This month, I was joined by Zach Edwards, founder of analytics and optimization agency Victory Medium, and privacy experts from Crownpeak, for the first in our series of Data Privacy & Marketing webinars: How Schrems II is Raising the Privacy Risk Stakes. The bottom line? Most companies are thinking about data privacy the wrong way. 

Yes, it’s important to track data privacy legal developments, such as the Schrems II decision by the Court of Justice of the European Union earlier this year. And it’s true that the once borderless internet has fractured into a “splinternet” of various fiefdoms, each with its own laws and regulations governing data. But if a company sees data privacy merely as a legal compliance puzzle it must solve, it’s missing an opportunity. That opportunity is a chance to carefully manage and control a company’s greatest asset, what some call the new currency of business: Data.

How to think about this asset, how it gets transferred between companies, and how to avoid costly data handling mistakes other companies have made were among the pressing issues covered in this webinar, and here are some of my key takeaways:

Future-proofing your company against continually evolving data privacy laws

Too many companies treat data privacy as a mere compliance issue, tracking and addressing each new legal development. 

But responding piecemeal to each new law or decision, like Schrems II, is a recipe for frustration. With each year, new laws arise in the daunting international patchwork of data privacy rules. 


Instead of treating data privacy as an evolving compliance issue, companies need to proactively manage their data. This means rethinking their partnerships and their practices around privacy, and taking charge.

Given that no one can predict future legal developments, this proactive approach is the best chance of future-proofing your company’s operations against data privacy violations and data-handling mistakes that cost consumer trust.  

Having a banner on your website that asks users to accept cookies is not enough. That is approaching data privacy from a compliance mindset. Your business needs to go far beyond this band-aid approach to data management. And that starts with understanding the answer to this question: 

Where does the data go?

Webinar guest Will Broadhead, Senior Director of Engineering at Crownpeak, shed light on how user data gets collected by websites — and where it goes.

Cookies are only one technology for collecting data about the user. There are many other technologies, such as beacons and pixels, that collect and transmit user data to third-party vendors.

For example, after a user clicks on a button, a great deal of user data can be compressed within the URLs that load in the browser before the new page appears. These URLs can be used to transmit the data to third parties, such as marketing technology vendors.

Thus, for a company to understand where its user data is going, it must be aware of all the embedded third-party tools within its website.
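A minimal audit of that behaviour, as an added example (not from the webinar and not Crownpeak's tooling): it takes the URLs a browser requested after a sign-up and flags third-party requests whose query parameters carry an email address in plain, URL-encoded, base64-encoded, or nested-redirect form. All hostnames and values are constructed for illustration.

```javascript
// Constructed sample: URLs requested after a sign-up form was submitted
// (for instance, copied from the browser's Network tab). Hosts are made up.
const SAMPLE_REQUESTS = [
  "https://www.example-shop.test/welcome?email=jane.doe%40example.org",
  "https://px.adtracker.test/collect?ev=signup&u=jane.doe%40example.org",
  "https://cdn.analytics.test/b.gif?d=amFuZS5kb2VAZXhhbXBsZS5vcmc=",
  "https://static.fonts.test/css?family=Inter",
  "https://sync.partner.test/r?next=" +
    encodeURIComponent("https://dsp.bidder.test/m?em=jane.doe@example.org"),
];

const EMAIL_RE = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/i;

// Return the value plus every form reachable by peeling off up to `depth`
// layers of URL encoding or base64, so wrapped identifiers are still seen.
function decodings(value, depth = 2) {
  const out = [value];
  if (depth === 0) return out;
  try {
    const d = decodeURIComponent(value);
    if (d !== value) out.push(...decodings(d, depth - 1));
  } catch { /* stray '%': not URL-encoded, ignore */ }
  if (/^[A-Za-z0-9+/_-]{8,}={0,2}$/.test(value)) {
    const b = Buffer.from(value, "base64").toString("utf8");
    out.push(...decodings(b, depth - 1));
  }
  return out;
}

// A host is first-party if it is the site's domain or one of its subdomains.
function isThirdParty(host, firstParty) {
  return host !== firstParty && !host.endsWith("." + firstParty);
}

// List every third-party request parameter that carries an email address.
function findEmailLeaks(urls, firstParty) {
  const findings = [];
  for (const raw of urls) {
    const url = new URL(raw);
    if (!isThirdParty(url.hostname, firstParty)) continue;
    for (const [param, value] of url.searchParams) {
      const hit = decodings(value).map((v) => v.match(EMAIL_RE)).find(Boolean);
      if (hit) findings.push({ host: url.hostname, param, email: hit[0] });
    }
  }
  return findings;
}

console.log(findEmailLeaks(SAMPLE_REQUESTS, "example-shop.test"));
```

The `next=` case shows why redirect chains matter: the address is handed to one vendor inside a URL that points at a second one.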

Crownpeak makes this task easy with Trackermap, which provides a visual map of all the vendors on your site that have access to your website data and how these vendors connect to one another. 


Cautionary case studies show the importance of tracking data transfers

One frequent user of Trackermap is Zach Edwards, our final webinar guest and the founder of the analytics and optimization agency Victory Medium.

Zach shared his research into recent corporate data-handling mishaps. These data management mistakes, Zach explained, were often the result of companies focusing on piecemeal compliance instead of looking at their data sharing in a more proactive, holistic way.

For example, when the mobile streaming platform Quibi launched earlier this year, the email addresses of users who signed up for the service were added to a URL, which was then transmitted to a third-party advertiser, who collected the email addresses.

Quibi only learned of this issue after Zach’s research brought it to their attention. Although Quibi then quickly eliminated the problem, the fact that they had missed the issue prior to launch underscores that most companies do not have the right approach to managing their data.


Another example of a company that overlooked a data sharing issue was Zeta Global, which owns the Disqus commenting system. In their efforts to comply with GDPR, the company sought to turn off Disqus-related data transfers for websites in European countries. But they mistakenly failed to turn off the transfers in three European countries — Iceland, Norway, and Liechtenstein — and only learned of this mistake when a reporter told them about it. 

Zach pointed out how Crownpeak’s Trackermap can empower companies to avoid mistakes like these because it enables auditors and other team members to easily visualize where a company’s data is being shared across the globe and where it might be at risk. The Trackermap tool enables visibility into items such as legacy implementations (for example, an analytics package you thought was removed months ago) as well as redirects (calls made to other third-party services, often without your knowledge, but with direct access to your customer data). Seeing this information in graphical displays on Trackermap is much easier than manually trawling through lines of code to identify vulnerabilities.

Building a better data management process 

In part two of this series, The Tipping Point for Global Regulation & Risk?, we covered how to build a proactive data management process that avoids the mistakes some companies have made. Part one is worth watching first to learn about Zach’s other case studies and to gain a deeper understanding of how data gets transferred between companies. Watch it on demand now, and continue your journey to a sounder approach to data management.