GDPR came into full effect in May 2018 after a two-year transition period from when the law was initially passed. That puts Europe a few years ahead of the U.S. in terms of adjusting to regional privacy laws. Despite that head start, many companies operating in Europe are still coming to grips with getting compliant, as you can see by the headline-grabbing fines levied at larger corporations.
If American businesses can learn anything from this, it would be to take a more proactive approach to data privacy and get ahead of the game, so you don’t find yourselves penalized as more states and more countries come online with regulations. According to a Gartner report from December 2020, by the end of 2023, 75% of the world’s population will have its personal data covered under modern privacy regulations.
OneTrust and other Consent Management Platform (CMP) providers are currently the fastest-growing companies because so many businesses are wisely trying to implement cookie banners, manage user consent, and drop the right cookies based on user preferences. But one thing that might require a shift in mindset is that this new technology also needs a Quality Assurance plan if you want true peace of mind.
If you implement an automated data privacy monitoring solution at the same time as you’re installing your Consent Management Platform, you’ll be months, even years, ahead because you won’t have to go through the tiresome process of correcting something that’s already running.
Here, then, is a product-agnostic, six-point checklist to consider when you’re technically testing your data privacy implementation:
- Who on your team has a complete inventory of your Martech stack?
This might seem obvious, but most organizations simply haven’t found the time or resources to take inventory of their stack. In a worst-case scenario where something sensitive, like employee salaries or a Facebook leak, is accidentally published on your site, you would need to inform the market, tell your data authority, and then trace where the data might have gone. You can’t do that if you don’t know every possible third-party vendor on your site. As a matter of preparedness, a complete inventory is a first requirement.
An ObservePoint Audit can give you a complete inventory of your technologies.
- Where possible, ensure all Martech is being delivered through your Tag Management System (TMS).
Why would you need to do this? Consent Management Platforms work by integrating with your TMS. The TMS will enable or disable tags based on the consent preferences indicated by your CMP. So without a TMS, your CMP will have no effect. The other thing to note here is that if you have hard-coded tags outside of your TMS or piggybacking tags that are hitching a ride behind other tags, those will be invisible to your TMS and therefore your CMP.
The Tag Initiators report shows you the relationship of the analytics on your site.
- Are you taking for granted that your CMP is on EVERY page?
The GDPR says that a customer must be granted the option to opt out of cookies and analytics the moment they land on your website, which means you’ll either need to carefully consider all the pages they could land on or just have your CMP on every single page. Large websites might have entire sections that are managed by a third-party vendor, for HR or a help desk for example, so you’ll have to discuss the best way to approach privacy with those partners as well.
Use an ObservePoint Audit to make sure your CMP is accessible from any point.
- Is your cookie notice accurate? Does it contain all of the cookies that your site can set?
Now that you must notify your customers with a list of cookies, how will you make sure that your list is updated and complete? Data privacy monitoring solutions can automatically crawl through the code of thousands of pages to compare your list to the reality of what’s on your site, something that would take a human many months to do.
Automatically catalog all your cookies.
- Ensure that different consent preferences are actually respected.
This is where human error or the limits of your TMS come into play. We’ve noticed that 30-40% of CMP implementations are not working properly, either because the CMP isn’t on every page or because it can’t enforce tags and cookies that it can’t see. Using a data privacy monitoring tool can help you travel through your site under different consent preferences to QA your CMP implementation.
Define approved and unapproved states of consent and navigate your site under those preferences.
- Check that Personally Identifiable Information (PII) is staying within the correct boundaries.
One of the pillars of GDPR is that personal information of European customers must stay within the European Union (or be sent only to countries with similar laws), so you’ll need to know exactly where you are sending customer data.
Identify and record the geolocation of all network requests.
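Points four and five of the checklist (an accurate cookie notice, and consent preferences that are actually respected) come down to comparing what the notice declares against what a crawl observes under each consent state. The following is an added example, not ObservePoint's code or part of the original article; the notice entries, consent state names, pages and crawl records are constructed sample data.

```javascript
// Constructed cookie notice: cookie name (or prefix ending in *) -> consent category.
const NOTICE = { session_id: "necessary", cmp_consent: "necessary",
                 _ga: "analytics", "_ga_*": "analytics", _fbp: "marketing" };

// Categories permitted under each consent state being tested (assumed state names).
const ALLOWED = { reject_all: ["necessary"],
                  analytics_only: ["necessary", "analytics"],
                  accept_all: ["necessary", "analytics", "marketing"] };

// Constructed crawl output: Set-Cookie headers seen per page under each consent state.
const OBSERVED = [
  { page: "/", state: "reject_all", setCookie: ["session_id=abc; Path=/; Secure", "cmp_consent=0; Path=/"] },
  { page: "/careers", state: "reject_all", setCookie: ["session_id=abc; Path=/", "_ga=GA1.2.1.1; Path=/"] },
  { page: "/pricing", state: "analytics_only", setCookie: ["_ga_AB12=GS1.1; Path=/", "_fbp=fb.1.1.1; Path=/"] },
  { page: "/help", state: "accept_all", setCookie: ["_ga=GA1.2.1.1; Path=/", "chat_uid=77; Path=/"] },
];

// The cookie name is everything before the first "=" in the first attribute.
function cookieName(header) {
  return header.split(";")[0].split("=")[0].trim();
}

// Look up a name in the notice, honouring trailing-* prefix entries.
function categoryOf(name, notice) {
  if (Object.prototype.hasOwnProperty.call(notice, name)) return notice[name];
  for (const [pattern, category] of Object.entries(notice)) {
    if (pattern.endsWith("*") && name.startsWith(pattern.slice(0, -1))) return category;
  }
  return null; // not listed in the cookie notice
}

// Flag cookies missing from the notice and cookies set without the matching consent.
function auditCookies(notice, allowed, observed) {
  const findings = [];
  for (const { page, state, setCookie } of observed) {
    for (const header of setCookie) {
      const name = cookieName(header);
      const category = categoryOf(name, notice);
      if (category === null) {
        findings.push({ page, state, name, issue: "undeclared" });
      } else if (!allowed[state].includes(category)) {
        findings.push({ page, state, name, issue: `set without ${category} consent` });
      }
    }
  }
  return findings;
}

console.log(auditCookies(NOTICE, ALLOWED, OBSERVED));
```

An undeclared cookie means the notice is out of date; a cookie set without its category's consent usually points to a tag loading outside the TMS, as described in point two.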
We hope this checklist helps you along your journey to compliance.
About the Author: Michael Fong