Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk //

Compliance

4/16/2018
10:30 AM
Roger Kjensrud
Roger Kjensrud
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

How GDPR Forces Marketers to Rethink Data & Security

The European regulation is making marketing technology companies re-examine their security, and that's a good thing.

Multinational marketers are closing in on the May 25 date by which they must comply with the EU's General Data Protection Regulation (GDPR). As the date looms, marketers are tying up loose ends to ensure they meet the deadline. However, most view the GDPR — a regulation that governs the way in which consumer data is collected as well as how it's used and stored — as a major challenge and remain uncertain how much their data policies will change. Scrambling to meet the deadline, companies are in various states of preparedness.

The GDPR will offer consumers in the EU more control over their personal data and outlines requirements for data collection, storage, and use. It will also impose potentially steep fines on companies with poor data-handling practices and those that experience data breaches in which they are found at fault. While the regulations are limited to the personal data of consumers living in the EU, they apply to any company handling, transmitting, or storing that data, whether it has a physical location in the EU or not. This includes marketing technology (martech) companies that process data for and receive personal data from their customers.

What Is Personal Data?
Many martech companies don't collect personally identifiable information, which means the data does not directly identify an individual. Generally, the consumer is assigned a cookie with some random, unique value to tie certain website events together. With the GDPR, the notion of personal data is extended to include online identifiers such as IP addresses and cookie values.

These identifiers do not identify an individual, but if you combine these with additional information, you can identify a person. So it becomes critical that we understand the nature of the additional information to process it in a secure and compliant manner. Securing data may include what the GDPR refers to this as pseudonymization, where the data is processed so that it cannot be attributed to a specific person. Hashing and encryption are examples of pseudonymization.

What About Personal Data You Didn't Ask For?
Martech companies need to think through and map out how all their data is collected and what is sent to them from their partners and customers. I recommend answering the following questions:

  1. What data are you collecting, and what data are your customers sending you?
  2. As a data processor, do you really need the data customers are sending you? If you do not really need it, do not accept the data. Period.

Furthermore, I recommend that customers perform pseudonymization on any personal data before the data processor collects it. The less personal data martech companies handle, the better.

The Right to Forget
Within the martech sphere, companies will either obtain consent or have a legitimate interest for processing personal data and need to comply with requirements such as data portability, also referred to as the "right to forget." The right to forget revolves around the concept that consumers have a right to demand the deletion of their personal data from companies that have that data, even if they previously have given permission for its collection.

Brands collect and store consumers' first-party data as a matter of course — that is, any data consumers offer when they buy something or conduct transactions online. If you're shopping on Amazon, banking with Wells Fargo, buying tickets with Ticketmaster, or booking rides on Uber, you have offered your data. Besides the brands, the requirements apply to their third-party vendors, including their data processors. Martech companies may also have access to all or part of this data, or process some or all of it for the brands, including pseudonymized personal data.

The right to forget can be technically challenging to solve for, especially in martech, where millions of records are processed daily.

If you apply pseudonymization to personal data, it becomes very important to store this data in one place (database normalization). Any reference to the personal data will come via a foreign key or token. When martech companies receive a request to delete personal data, it is a matter of updating the record with some value that does not mean anything (e.g., "unknown").

The idea here is that companies do not physically delete everything associated with the customer but, rather, change the pseudonymized value and leave everything else in place because retailers have legitimate business interests in the data. The net effect is that the retailer will have its metrics available — for example, the number of sales for a given marketing channel. If the pseudonymized data is spread to multiple data stores and systems, it becomes very hard to control and satisfy the right-to-forget principle.

The GDPR Effect
With the GDPR in place, the martech sector must look at privacy issues as part of the requirements for building its systems — these issues cannot be afterthoughts. As software is built, the privacy piece must be part of it from the start — a "privacy by design" approach. The sector also needs to start treating IP addresses, device identifiers, and other identifiers as personal data. Just because these don't identify a person by themselves, the combination with additional information could.

It is also important that martech companies train their teams and make it clear to customers that they do not want any of their customers' personal data that they do not need to provide services to the customer. On the training front, teams need to make this a requirement at the beginning of the process when they integrate and onboard customers. If, however, the customer does need to send personal data, the data must be pseudonymized.

Overall, the GDPR forces companies in the martech sector to rethink their systems and how they handle data. We want to be transparent and build systems that protect consumers' data according to what they consented to. In an era when security breaches are pervasive, the GDPR is something we need. 

Related Content:

 

Interop ITX 2018

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry's most knowledgeable IT security experts. Check out the Interop ITX 2018 agenda here.

Roger Kjensrud is Co-Founder and Chief Technology Officer at Impact, where he's tasked with architecting and enhancing the company's natively integrated marketing technology platform for addressing fraud detection and prevention; marketing intelligence; and managing and ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7227
PUBLISHED: 2020-01-18
Westermo MRD-315 1.7.3 and 1.7.4 devices have an information disclosure vulnerability that allows an authenticated remote attacker to retrieve the source code of different functions of the web application via requests that lack certain mandatory parameters. This affects ifaces-diag.asp, system.asp, ...
CVE-2019-15625
PUBLISHED: 2020-01-18
A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.
CVE-2019-19696
PUBLISHED: 2020-01-18
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishi...
CVE-2019-19697
PUBLISHED: 2020-01-18
An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administr...
CVE-2019-20357
PUBLISHED: 2020-01-18
A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.