The recent ruling that the IAB Europe’s consent gathering framework is unlawful is more than a regular wake-up call for data processors and controllers out there.
Seeing as Google, Amazon, and the entire tracking industry rely on IAB Europe’s consent system, the decision by the EU’s data protection authority should act as a wake-up call for data protection professionals.
The ruling will undoubtedly have substantial short-term consequences for companies (think data deletion, new consent gathering, trust, and transparency issues).
However, I feel that it is an opportunity for companies to rethink how they operate when it comes to data collection, privacy, and compliance.
The fundamental problem most companies face is that their data operations and way of thinking have more or less stayed the same. Compliance is seen as an add-on where processes, consent, and documentation are applied after setting the core data strategy.
Companies need to look at compliance as infrastructure and offer solutions built with a privacy-first mindset. It is not just about avoiding consumer backlash or fines. It is about ensuring a competitive business in the next 5 or 10 years.
Where can you start?
Understand your data
One of the most common mistakes that organizations make is that they often lack a single source of truth for their data.
If you can’t trust consent frameworks such as the IAB framework, then it’s more important than ever to have a holistic and contextual view of your data. Such a view should be able to answer at least:
- How and when was the data collected?
- What is the purpose of collecting the data?
- Where is it stored?
- What type of data is it, and which segment does it belong to (consumer, employee, etc.)?
Additionally, there should be systems in place to safeguard against the loss or leak of data, with sufficient protection against hacker attacks and business-continuity software that keeps operations running through certain types of crisis, such as the BCMS created by Continuity2.
Understand where your data is located in terms of flows
This extends to understanding data in terms of flows. It’s essential that organizations understand where the data they use is located, both in terms of region and vendors.
How does data flow in between these entities? These are all questions that require a holistic view of your data to answer. Obviously, you should take special notice of data leaving the EU region, but does your system automatically alert you to that?
Collect what you need (and understand where data is not needed)
It seems that the default approach for companies is to collect as much data as possible, without much consideration of whether the data being collected is needed.
It’s almost as if companies adopt the mindset of collecting it all now and cleaning it up later. The problem is that often companies don’t get to this later.
It could be time to take the approach of only collecting data that you need to accomplish your goals. It will not be a one-off task and will require monitoring as a company’s goals and datasets evolve over time.
But robust systems do exist that can alert data protection teams when data collection doesn’t meet defined collection requirements. It might be time to rethink these requirements in your organization.
Implement data retention
Has an effective data retention policy been implemented at your organization? Data retention is critical for modern businesses. Without it, too much data may be stored for too long, leading to operational inefficiencies, increased costs, and legal and security risks.
Retention isn’t just about how many different parameters you store. It’s also about how long you store them and the purpose for which the data is processed and stored. For example, sensitive data should, in general, have a shorter retention period.
You should also consider that if you must keep a certain amount of data due to regulatory demands, it might be beneficial to implement two retention rules.
When you do not have a need for the data anymore, you should move it to a place where it is less accessible and encrypt it. Then, once you are permitted to delete it entirely, you can.
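As an added illustration, not code from the original post or from Wult, the following Python model ties together the "Understand your data", "flows", "collect what you need" and retention sections above: a small inventory that answers the four questions for each asset, flags storage outside the EU/EEA, flags collection purposes that are not on an approved list, and applies the two retention rules (archive and encrypt after the active period, delete once the hold period has passed, and send unclassified data for review). The country list, purposes, retention periods and sample assets are constructed assumptions for the example, not legal guidance; encryption is represented as an action for a separate archive job rather than performed here.

```python
from dataclasses import dataclass
from datetime import date

# Constructed assumptions: EU/EEA member codes and approved collection purposes.
EEA = {"AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
       "HU", "IS", "IE", "IT", "LV", "LI", "LT", "LU", "MT", "NL", "NO", "PL",
       "PT", "RO", "SK", "SI", "ES", "SE"}
ALLOWED_PURPOSES = {"billing", "support", "fraud-detection", "hr"}


@dataclass
class DataAsset:
    name: str
    collected_on: date      # when it was collected
    collected_via: str      # how it was collected (form, pixel, import, ...)
    purpose: str            # why it was collected
    storage_region: str     # where it lives (ISO country code)
    vendor: str             # who holds it
    category: str           # what type: "payment", "health", "contact", ...
    segment: str            # consumer / employee
    archived: bool = False  # already moved to cold, encrypted storage


@dataclass(frozen=True)
class RetentionRule:
    active_days: int  # rule 1: how long data may stay in hot, accessible storage
    hold_days: int    # rule 2: total period it must be kept (e.g. a legal obligation)


# Constructed policy: sensitive categories (payment, health) get shorter active windows.
POLICY = {
    "payment": RetentionRule(active_days=90, hold_days=365 * 7),
    "health": RetentionRule(active_days=30, hold_days=30),
    "contact": RetentionRule(active_days=365, hold_days=365),
}


def describe(asset: DataAsset) -> dict:
    """Answer the four questions from the 'Understand your data' section."""
    return {
        "how": asset.collected_via,
        "when": asset.collected_on.isoformat(),
        "why": asset.purpose,
        "where": f"{asset.storage_region} ({asset.vendor})",
        "what": f"{asset.category}/{asset.segment}",
    }


def export_alerts(inventory) -> list:
    """Names of assets stored outside the EU/EEA (data leaving the region)."""
    return [a.name for a in inventory if a.storage_region not in EEA]


def purpose_violations(inventory) -> list:
    """Names of assets collected for a purpose that is not on the approved list."""
    return [a.name for a in inventory if a.purpose not in ALLOWED_PURPOSES]


def retention_action(asset: DataAsset, today: date) -> str:
    """Apply the two-stage retention rule to one asset."""
    rule = POLICY.get(asset.category)
    if rule is None:
        return "review"  # unclassified data cannot be retained safely
    age_days = (today - asset.collected_on).days
    if age_days >= rule.hold_days:
        return "delete"  # permitted to delete entirely
    if age_days >= rule.active_days and not asset.archived:
        return "archive-and-encrypt"  # less accessible, encrypted, still held
    return "keep"


def retention_plan(inventory, today: date) -> dict:
    return {a.name: retention_action(a, today) for a in inventory}


# Constructed sample inventory and reference date.
TODAY = date(2022, 3, 1)
INVENTORY = [
    DataAsset("invoices-2021", date(2021, 1, 15), "checkout form", "billing", "DE", "in-house", "payment", "consumer"),
    DataAsset("support-tickets", date(2022, 2, 20), "web form", "support", "IE", "helpdesk-saas", "contact", "consumer"),
    DataAsset("ad-profiles", date(2021, 11, 1), "tracking pixel", "ad-targeting", "US", "adtech-vendor", "contact", "consumer"),
    DataAsset("sick-leave", date(2022, 1, 1), "HR upload", "hr", "DE", "in-house", "health", "employee"),
    DataAsset("old-leads", date(2020, 6, 1), "csv import", "marketing", "NL", "crm-saas", "lead", "consumer"),
]

if __name__ == "__main__":
    for asset in INVENTORY:
        print(asset.name, describe(asset))
    print("leaving EU/EEA:", export_alerts(INVENTORY))
    print("purpose violations:", purpose_violations(INVENTORY))
    print("retention plan:", retention_plan(INVENTORY, TODAY))
```

The policy lookup defaults to "review" rather than "keep" so that an asset nobody classified cannot silently live forever, which is the failure mode the "collect it all now, clean up later" habit produces.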
Know your vendors and third parties
Understand the vendors, partners, and other third parties you entrust with data: how they process it, whether you have the right to audit them, and so on.
Very few companies can manage all their data tasks without involving other parties. That’s why it’s crucial for data protection teams to know their vendors and data providers.
A culture of auditing is vital here. There are several tools that can help with this, but an excellent place to start is to make sure that you have a process for regularly auditing the third parties that you entrust with your data.
This lets you map out how data flows into and out of your organization and makes routine data compliance tasks such as opt-in, DSRs and other data processing requests much simpler.
Founder & CEO of Wult.