The main lever of an effective Data-Responsibility strategy is the political will of the company to commit to it in an operational, provable and sustainable way. This starts with the collection of data on websites and web apps, in other words, data tracking. What is it? How do you set it up? Here are our tips.
Experience shows that the absence of political commitment at the highest level of the company reduces the chances of translating a Data-Responsible ambition into operations and tangible benefits.
Actions, facts and metrics are critical to demonstrating commitment, and therefore results. Communicating on "Data-ethics & responsibility" fully justifies and strengthens the company's position. It is the best guarantee that the needs of customers, Privacy teams and Digital teams are met.
A GDPR-compliant processing policy
Deploying responsible data tracking means defining a strategy for collecting sensitive data (cookies, tags & MarTechs) in full compliance with the GDPR, and doing so for each of the 3 consent states: accepted, ignored, rejected.
The regulations can be segmented into 59 compliance points in 4 major categories:
- tracking technologies: presence, activation, deactivation
- cookies: setting, value, expiration, 3rd party security, sharing
- the data collected: storage, encryption, locales, sessions, leakage
- data transport: https, http headers, referrer, CSP, STS, SRI, 3rd party
To be a Data Steward, you must be able to ensure consent and compliance with the Data Protection Regulation whenever data is collected and whenever a new release goes out.
A simple focus on cookies only scratches the surface. This control applies to every incremental release. That is a good opportunity to deal with the subject in stages, with minimal demands on the chain of contributors. The goal: to guarantee the continuity of the teams' daily operations.
It is therefore strongly recommended to check the validity of these practices across the entire inventory of existing sites and Apps in production. This is an obvious indicator of potential infringement.
Ownership & information
Bring the Privacy, Digital and IT teams together around the same table, along with your service providers. Our studies have highlighted how fragmented the knowledge of GDPR-related topics is among the different contributors.
To implement an effective strategy, your Privacy teams will have to work more closely with the Digital and IT teams so that each entity and each contributor shares the same view of:
- the limits,
- the possibilities,
- the objectives.
As everyone has their own spectrum of understanding of the regulations, it is essential to define a common reference framework for all (including providers) covering Web and Web App environments.
Operators and providers: all responsible?
Remember that, in the eyes of the regulations, the Web & Web Apps operator is solely responsible for violations. Turning on a provider that did not do the job compliantly will not undo anything and will be a source of frustration, lost time, additional costs and, often, a broken relationship.
It is therefore fundamental to bring your service providers and subcontractors in development, digital, content or campaigns on board with your Data-Responsible approach. It will be virtuous and win-win for all.
This will allow you to:
- take stock of what you have mastered operationally in your digital stack;
- be part of a virtuous circle;
- speed up processes;
- create a link.
It will be necessary for all to collaborate, inventory, analyze the risk, communicate, empower and act. After a few scoping meetings, a quarterly follow-up will be more than sufficient.
Frequent automated checks
Automated, tool-based analysis of Web and Web App environments and their interactions is the only way to actively prevent infringement risks, engage contributors and secure high trust scoring for better visitor consent.
The nature, the multiplicity and the frequency of updates are only 3 of the reasons why the compliance and efficiency of data tracking break down. The CMP (Consent Management Platform) does not solve this problem because it is simply not its role.
Ensure GDPR compliance
It is therefore essential to analyze the GDPR compliance of sites and Web Apps on the 59 identified criteria, at a frequency tied to that of updates, content publications, campaigns, etc.
Depending on the nature of the sites, this should be done on a monthly, weekly, daily, or even more frequent basis for Marketplaces and e-commerce or Media sites. A good practice to know is the implementation of automated analysis from the development phase to the operation, through staging and pre-production.
This will allow you to:
- have real-time monitoring of changes and risks related to updates;
- alert the different contributors to a situation to be fixed (what, why, where, how);
- activate a targeted proactive maintenance at a lower human and financial cost;
- record and prove the method and the means in case of an inspection;
- generate and maintain a high confidence score;
- communicate to regain consent.
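The four categories of compliance points listed earlier (tracking technologies, cookies, data collected, data transport) and the automated, release-by-release analysis described in this section can be made concrete with a small checker. The following is an added example and not code from the original article or from any product it describes: it runs offline over one constructed HTTP response (URL, headers, Set-Cookie lines and HTML) and groups its findings by those categories, for a given consent state. The cookie lifetime cap (MAX_COOKIE_DAYS), the tracker host list, the `_trk` cookie prefix and the sample response are all assumptions made for the example; the "data collected" category (storage, encryption, leakage) needs a browser session and is deliberately left empty.

```python
# Added example, not from the original article. Offline compliance checks over one
# captured HTTP response; thresholds, host lists and sample data are constructed.
from http.cookies import SimpleCookie
from html.parser import HTMLParser
from urllib.parse import urlparse

MAX_COOKIE_DAYS = 395  # assumed lifetime cap in days, an example threshold
TRACKER_HOSTS = {"tracker.example-analytics.invalid"}  # constructed tracker list
TRACKING_COOKIE_PREFIX = "_trk"  # constructed naming convention for tracking cookies


class ScriptCollector(HTMLParser):
    """Collect every <script src=...> and whether it carries an SRI integrity attribute."""

    def __init__(self):
        super().__init__()
        self.scripts = []  # list of (src, has_integrity)

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            if a.get("src"):
                self.scripts.append((a["src"], "integrity" in a))


def check_transport(page_url, headers, html, consent):
    """'data transport' and 'tracking technologies' findings for one response."""
    findings = []
    parsed = urlparse(page_url)
    if parsed.scheme != "https":
        findings.append(("data transport", "page not served over https"))
    lower = {k.lower(): v for k, v in headers.items()}
    for hdr, label in (("strict-transport-security", "STS"),
                       ("content-security-policy", "CSP"),
                       ("referrer-policy", "referrer")):
        if hdr not in lower:
            findings.append(("data transport", f"missing {label} header ({hdr})"))
    collector = ScriptCollector()
    collector.feed(html)
    for src, has_sri in collector.scripts:
        host = urlparse(src).hostname  # None for same-origin relative paths
        if host is None or host == parsed.hostname:
            continue
        if not has_sri:
            findings.append(("data transport", f"3rd-party script without SRI: {src}"))
        if host in TRACKER_HOSTS and consent != "accepted":
            findings.append(("tracking technologies",
                             f"tracker {host} loaded while consent is '{consent}'"))
    return findings


def check_cookies(set_cookie_headers, consent):
    """'cookies' and 'tracking technologies' findings for the Set-Cookie headers."""
    findings = []
    for raw in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(raw)
        for name, morsel in jar.items():
            # In http.cookies, flag attributes are True when present and "" when absent.
            if not morsel["secure"]:
                findings.append(("cookies", f"{name}: missing Secure"))
            if not morsel["httponly"]:
                findings.append(("cookies", f"{name}: missing HttpOnly"))
            if not morsel["samesite"]:
                findings.append(("cookies", f"{name}: missing SameSite"))
            if morsel["max-age"] and int(morsel["max-age"]) > MAX_COOKIE_DAYS * 86400:
                findings.append(("cookies", f"{name}: lifetime exceeds {MAX_COOKIE_DAYS} days"))
            if name.startswith(TRACKING_COOKIE_PREFIX) and consent != "accepted":
                findings.append(("tracking technologies",
                                 f"{name}: tracking cookie set while consent is '{consent}'"))
    return findings


# Constructed sample response for a checkout page (no CSP and no Referrer-Policy on purpose).
SAMPLE_URL = "https://shop.example.invalid/checkout"
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}
SAMPLE_SET_COOKIES = [
    "sid=a1b2c3; Path=/; Secure; HttpOnly; SameSite=Lax",
    "_trk_visitor=v9; Path=/; Max-Age=63072000; Secure; SameSite=None",  # 2 years, no HttpOnly
]
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-cdn.invalid/lib.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://tracker.example-analytics.invalid/t.js"></script>
</head><body>Checkout</body></html>"""


def run_checks(consent, url=SAMPLE_URL, headers=SAMPLE_HEADERS,
               set_cookies=SAMPLE_SET_COOKIES, html=SAMPLE_HTML):
    """Group findings by the four categories from the article; an empty list means no finding."""
    report = {c: [] for c in ("tracking technologies", "cookies",
                              "data collected", "data transport")}
    for category, msg in (check_transport(url, headers, html, consent)
                          + check_cookies(set_cookies, consent)):
        report[category].append(msg)
    return report


if __name__ == "__main__":
    for state in ("accepted", "ignored", "rejected"):
        print(f"== consent: {state} ==")
        for category, msgs in run_checks(state).items():
            for m in msgs:
                print(f"  [{category}] {m}")
```

Running the script prints the findings for each of the three consent states; wiring `run_checks` into a staging or pre-production pipeline, fed with responses captured from the build under test, is how the "from development to operation" practice above turns into an automated, repeatable record rather than a one-off audit.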
In short, keep your goal in your sights: conversion. Personalization, data, data tracking and obtaining consent are each only one step toward that goal. If a single one of these steps is not validated, the objective will be missed.
And the first of the "checkpoints" is precisely consent.
Guaranteeing compliance with the GDPR and building a high trust index means establishing proof for your visitors that you are a Data-ethical & responsible company. For them, it is the assurance that they can give their consent with confidence and benefit from a better experience while their privacy is respected. For you, it is the possibility of having more qualified data in compliance with the GDPR, and thus better possibilities of personalization, optimization and conversion.