Tech companies around the world should prepare to comply with the depth and volume of changes recently mandated by the General Data Protection Regulation (GDPR). What’s underlying these changes, and what kind of resources should companies be prepared to invest? That’s exactly what TUNE uncovered for you alongside other industry leaders, regulators, and EU legislators at the European Data Protection Days.
The New Normal: Elevated Transparency, Accountability, and Security
Although the new data security and privacy laws and invalidation of the Safe Harbor may seem like misdirected responses to the WikiLeaks revelations, including allegations of spying on Chancellor Merkel’s cell phone, it’s important to keep in mind that the underlying intent is to rebuild trust between business, government, and individuals. The conference itself was located minutes away from the Stasi Museum in Berlin, near where many EU citizens experienced haunting abuses of personal information within the last generation. In short, their concerns about privacy of personal information are not abstract.
Based on conversations with the EU legislators that pushed the GDPR, regulators will not be searching for foot faults and gotchas to inflict huge damages on US companies. These new developments are not meant to stifle trans-Atlantic commerce or divide through economic protectionism. Regardless of how the GDPR and Privacy Shield eventually unfold, the new normal for global data transfers is an expectation of trust built through transparency, accountability, and security.
Still, the new laws have strong implications for tech companies everywhere. Given the ever-evolving data security and privacy standards, what’s a tech company to do?
4 Questions Tech Companies Should Ask Themselves
As the fluid legal landscape begins to settle, companies should look in the mirror and ask these four questions. Developing comprehensive answers to these questions is a great place to start earning some trust.
1. Auditability: Do you know what data you process, where you store it, and why you have that data in the first place?
Know your song well before you start singing. Be sure to understand what data is flowing through your technology before you start building protective infrastructure and procedures.
Privacy law is becoming increasingly complex, and privacy practices are receiving unprecedented amounts of scrutiny by regulators, clients, and partners. Specifically, trustworthy data practices achieve transparency, accountability, and security – all necessary to build deep relationships with others. A clear and justifiable data map is a great start to get all internal actors focused on the same problem.
2. Accountability: Who owns – and is ultimately accountable for – improvements to your data security program?
Enhancing security is a collective action problem: the entire company is better off with improved security, but individual teams may need to make short-term sacrifices to achieve this common goal. Collaborative projects often result in issues falling through the cracks, so companies should find a clear owner to drive this shared objective (likely the rationale for the GDPR’s data protection officer requirement).
Because engineering teams are often in the best position to fix problems, they may be the best team to own these challenges. The recent wave of data security laws is pushing companies to view security as a necessary component of a sophisticated business. Companies don’t outsource business strategy or product road maps to third parties that do not truly understand their business, so why should security be outsourced? TUNE recently hired a lead security engineer, and we couldn’t be happier to have a professional hacker helping us from the inside.
Make sure someone is on point for your company’s data protection, and hopefully your engineering team can own a meaningful piece of the program.
3. Individual Responsibility: How are you cultivating a security-aware company culture?
No matter how many infrastructural garrisons you build or responses to scary hypotheticals that you document, your company’s chances of security success hinge on the human factor: what employees do or don’t do. Technical solutions are vitally important, but good behavior is still the best defense against costly data breaches. Whether losing an improperly protected laptop or falling for a phishing scam, the biggest threats are from the inside.
Raising awareness through security training is the best way to achieve lasting improvements in information security. Such training is primarily common sense, but regular and memorable reminders will make it stick. So train your teams, instill the seriousness of the consequences, and make it fun.
4. Philosophy: What’s your approach to data?
If you handle client or partner data, your data philosophy should be central to your business model, as it can inform product decisions, sales strategy, and more.
It will also help you choose external partners – do your vendors share your data philosophy?
Talk to your vendors as partners rather than adversaries. If a security incident occurs, you’ll want to stop the bleeding and patch existing weaknesses; for this, you may need to work with your vendors to promptly solve the problem. Viewing third parties as partners with shared interests will likely help accelerate that process and result in learnings and improvements for the future.
. . .
TUNE’s data philosophy is simple: your data belongs to you. We do not leverage your data for unauthorized purposes, take a cut of your ad spend or revenue, or share your data without your permission. We back up our data pledge in all client agreements, and proudly share it on our website.
As an industry leader, we want to push the entire mobile marketing ecosystem toward best practices – we’re all better off when we’re all better off. So join us in embracing the new normal of elevated data security practices, starting by asking yourself these four questions.
As General Counsel, Ben Golden helps TUNE solve problems, manage risk, and lay the foundation for continued growth. Prior to joining TUNE, Ben was an attorney at Perkins Coie, served on the University of Washington's Board of Regents, managed a state legislative campaign, researched in Ghana on behalf of a start-up social enterprise, split an apple strudel with Kofi Annan while working at a think tank in Salzburg, and lectured on Pink Floyd lyrics as an English teacher in Taiwan. As a Double Dawg and proud Seattleite, Ben is thrilled with TUNE's industry leadership and community engagement.