White PaperS o l u t i o n s & t o o l s b e n c h m a r k t o s t r u c t u r e y o u r G D P R a p p r o a c h

J a n u a r y 2 0 1 9

General Data Protection Regulation (GDPR)

Disclaimer

This white paper is focusing on several aspects of the GDPR, as Colombus Consulting interprets it, as of the date of publication.Colombus Consulting has worked with clients from different industries on several GPDR missions and would like to share in this white paper return onexperience, best practices as well as a benchmark of GDPR solutions that can be used to help companies to structure their GDPR approach.

This white paper is provided for informational purposes only and should not be relied upon as legal advice or to determine how GDPR might apply toyou and your organization.

Content

1. Few months into GDPR, what is the return on experience? 4a. The role of the Data Privacy Officer 5b. Remediation and compliance on Data Privacy 6c. Impacts on Digital Marketing Mix? 7

2. How GDPR solutions could help Companies’ GDPR compliance? 9a. What are the benefits of a GDPR solution? 11b. How is the GDPR solutions market segmented? 12c. GDPR solutions mapping 13d. « Governance » features 14e. « Compliance & Risk Assessment » features 17f. « User Data Privacy » features 19g. « Digital Consent » features 22

3. GDPR means Change Management 25

4. Conclusion & Priorities 26

1. Few months into GDPR, what is the

return on experience?

Risks are more likely to come from data subject’s complaints.For example, some complaints have already been filed such as the MaxSchrems’ NOYB complaint against Google, Facebook, Instagram & WhatsAppand their “forced bundled consents”.

Regulators have a pragmatic approach and acknowledge that the fullcompliance is difficult to reach. As a result, not fully compliantcompanies “can expect to be treated leniently initially provided thatthey have acted in good faith”.However, authorities will keep on auditing and enforcing previous well-established fundamental principles, such as Data Privacy and Securityrequirements.

1. Few months into GDPR, what is the return on experience?

Most companies, which operate businesses within the European Union, have initiated major transformation projects in order to be GDPRcompliant. And while a few are fully compliant in May 2018, many are extensively engaged and racing to reach full compliance early 2019.

Source : https://noyb.eu

PRAGMATIC APPROACH RISKS

ACTIONS Company engaging into GDPR compliance follow a 3-phase path

• Appoint a Data Protection Officer(DPO)

• Set-up organization and roles todefine accountability and ensureproper data privacy processexecution (contracts, IT solutions,data management…)

Governance Remediation Long-term compliance processes

• Identify the non-compliant areas and quickwins to fix flaws

• Clean-up the databases: delete non-relevant contacts, regularize active contacts(notification, consent…)

• Define processes to ensurecompliance surveillance andenforcement

• Identify and deploy necessary toolsto support recurring processes

5

a. The role of the Data Privacy Officer

GDPR requires organizations to appoint a DPO (Data Protection Officer) in charge of ensuring the regulation enforcementwithin the company. This induces the establishment of a dedicated governance.

Role of the DPO (Data Protection Officer)

Steering

Training

Control

CoordinationPerformance

Traceability

Information

Data Protection Officer holds a

position in total independence

within the organization chart

▪ FMCG▪ Telco▪ Media… (customer-centric organizations)

▪ Banking▪ Insurance… (security-centric organizations)

Marketing DPO IT DPO

Priorities

Industries

▪ UX▪ Marketing consent▪ Marketing performance

▪ Data flows▪ IT Implementation ▪ Solutions

Legal DPO

▪ Tourism▪ Retail▪ Energy & Utilities…(regulation-centric organizations)

▪ Contrats & agreements▪ Control & enforcement▪ Compliance processes

There are 3 frequently observed scenarios depending on the GDPR focus:DPO within Marketing department, DPO within IT department and DPO within Legaldepartment

6

Inform the individuals about thepurpose of the use of their data,their rights and the organization’sinitiatives to protect them

Lead the wholeorganization through theregulation application

Train the staff to theData Processing bestpractices

Build audits toensure complianceand prevent the gaps

Ensure smooth links betweenthe Organization and theauthorities (GDPR, CNIL)

Measure Performance andpropose insights on theimpacts of the “DataProtection” initiatives

Ensure total traceabilityof all activities related todata processing andusage

DPO role and organization remain the same

b. Remediation and compliance on Data Privacy

Building an executable remediation plan is required to move towards GDPR compliance. The most urgent actions are generally targeting topicsthat are highly visible and have direct impacts on Customers.

HO

W?

▪ Launch Email Notice campaign to regularize un-notified data subjects

▪ Update Cookie Notice language

▪ Update Notice messages and Privacy Policystatements on Website

Whenever data subject’s personalinformation is collected and stored,the data subject must be informed ofthe nature and purpose of the datacollection

Whenever data subject’s personalinformation is collected and used forMarketing purposes, data subjects mustpreviously provide a deliberate and activeConsent, with no “pre-ticked Opt-In bydefault”

Ensure that data subject’s data is storedfor legitimate reasons and aligned withreal compliant notification and consent(Opt-In/Opt-Out) status

NOTIFICATION CONSENT DATABASE CLEAN-UP

▪ Launch Opt-In campaign (Email, SMS, post-mail…)to data subjects in order to get GDPR compliantconsent

▪ Deploy Cookie Consent banner on Website

▪ Update Opt-In forms on Website

▪ Delete “inactive” data subjects

▪ Delete un-necessary personal informationfrom data subjects

▪ Ensure that the previously collected Opt-Insare documented

▪ If not: regularize it… or set it to “Opt-Out”

The Database clean-up results in decreasing the volume of the actionable customer data, while increasing the stock and value of qualified and genuinely interested contacts

7

c. Impacts on Digital Marketing Mix

The data marketing world The publishing world

The Third-Party data business is strongly impacted by GDPR.

After the Cambridge Analytica scandal, players like Facebook are reducingor stopping their third-party targeting data partnerships. Some dependentthird-party data providers are particularly challenged to sustain theirbusiness. The third-party data market is globally decreasing as dataMarketers are focusing on first- and second-party data, which are easier tocontrol.

In order to remain in business, third-party data providers need to providehigh-quality data, with compliant consent… at a higher cost.

With GDPR and Cookie Consent conditions being more restrictive,Publishers have been selling less Ad spaces and droppingrevenues. This turns out providing a competitive advantage to thelarger players (ex: GAFA), which have larger volumes.

Therefore

Quality of the targeted ads is increasing

CPM is increasing

As things evolve, we will see to what extent a better Ads' quality generates a higher ROI and therefore compensates this CPM increase.

Some Media or Retail companies in the USA, which are not ready incompliantly securing website’s cookie consent for targeted advertisinghave quickly implemented a extreme solution: detect IP / location andblock the site from EU zone access, or redirect traffic to an EU-specificad-free version of the site.

8

2. How GDPR solutions could help Companies’

GDPR compliance?

2. How GDPR solutions could help Companies’ GDPR compliance?

Most Companies have been deploying tremendous efforts for the past months or years in order to implement remediation and comply with GDPR requirements. However,compliance needs to be sustained and lasting on the long run. This implies that the privacy processes and organizations that have been put in place need to be audited,challenged and adjusted, on a regular basis. Thus, deploying an efficient and secure GDPR compliance across the Organization requires to design it early on in a “Privacy byDesign” approach and to involve some degree of automation, industrialization and scalability.

As a result, a many software vendors have developed and launched GDPR-dedicated solutions, in order to provide companies with sets of tools and features that wouldhelp in their GDPR compliance programs.

10

In the following part, we explore some of the major GDPR solutions on the market through the analysis of their functionalpositioning (category) as well as their main features.

Solutions benchmark

We studied 45 solutions and more than 40 features.

Common: feature commonly provided by most solutions as a basic function Specific: feature provided by a few solutions, mostly as advanced feature or optionNiche: rare feature and provided by a very limited number of solutions

The features are assessed by a score that is meant to reflect the level ofprevalence in the market. The assessment score rates the features as:

The market can be segmented into 5 main categories:

1. Governance2. Compliance & Risk Assessment 3. User data Privacy4. Digital Consent5. All in One

a. What are the benefits of a GDPR solution?

GDPR TOOL

As a general practice, it is recommended to assess whether the GDPR solution will fit in the existing technical and organizational ecosystem. It isimportant to not under estimate how this solution will be added into existing processes and workflows during the implementation phase as well asduring the periodic update phases. 11

Give employees a better understanding of their obligations while dealingwith personal data

O P E R AT I O N A L E F F I C I E N C Y

S C A L A B I L I T YS E C U R I T Y

C E N T R A L I S AT I O N O F P R O C E S S E S

G D P R AWA R E N E S S

Reduce the number of files and centralise all processes in one place

Save all data and processing activities in a single secured environment

Give evidence to support company’s claims if the supervisory authority has any cause to investigate

A P P R O V E D BY R E G U L ATO R S

Master your data and increase your efficiency on a self-serve portal

Will match the Business changes and get the latest processing activities

b. How is the GDPR solutions market segmented?

Governance

Solutions which aim to provide support to build and maintain DataInventory, including data flow mapping, data register (data processinginventory) and data update records. They also provide reporting featuresto monitor and demonstrate compliance.

Compliance & Risk Assessment

Solutions which provide features to audit compliance, analyze processeddata and identify sensitive data and personal information, They also helpassess the risks, coordinate remediation action plans and sustaincompliance through collaborative workflows.

User Data Privacy

Solutions which provide secure and friendly user experience in userauthentication and ID management, assisting in the automatedgeneration of notification, privacy policy and access request form, andensuring the consolidation and accessibility of user profile and consentmanagement preference settings.

Digital Consent

Solutions which provide digital consent management features ondesktop and mobile web, such as the notification banners and privacypolicy generator, cookie consent collection interface and back-end, anddigital consent control panel as part of a global Consent ManagementPlatform.

All-In-One Solutions which provide a set of modules and features encompassing all the aforementioned categories – Governance, Compliance &Risk Assessment, User Data Privacy, Digital Consent –, in order to offer a comprehensive suite of tools dedicated to help companies intheir GDPR compliance programs.

As each vendor may have its own background and specificity, the numerous GDPR solutions on the market focus on different scopes, different businessareas, and therefore provide various types of features.

12

c. GDPR solutions mapping

13

Compliance&

Risk Assessment

Digital Consent

Governance

User Data Privacy

All in one

d. “Governance” features (1/2)

Data Governance is the foundation for GDPR compliance, it helps businesses identify what data they have, where it is, who is accountable for it.GDPR solutions in the « Governance » category allow to:

Build a precise mapping of the data, the flows of the processing as well as the applications across the organization

Generate Dashboards and compliance Reports for audit trails

14

Governance

d. “Governance” features (2/2)

15

Build a formalized Data Inventory as well as the Data processingregisters

Track the Data lineage through the data flowsProvide Collaboration features for ongoing updates of the Datainventory and Register

GDPR solutions in the « Governance » category allow to:

Governance

d. “Governance” features - scoring

1616

Governance

Features Common Specific Niche

Data Inventory Create & manage a Data Inventory, classifies and describes the Data

Data Register Assist in the development of the Data Register, provide detailed history of the processing

Application mappingAllow detection of the various applications which deals with Personal Information Data (collection, storage, process, transfer…)

Data flow visualization Draw flow maps for visualization of the data flows across the organization

Data QualityTrack data changes, ensure data consistency and alignment (data model field cleaning, deduplication, synchronization….)

SearchProvide Search Engine capabilities to allow exploration and dig-in of data assets, according to various search criteria

Collaboration WorkflowProvide collaboration tools to coordinate tasks for data register, risk assessment, compliance control, user access right and request management

Data Discovery Automation Automate the Data crawling and discovery in order to detect relevant GDPR personal or sensitive Data

Data LineageEnsure Data traceability, identify data flows across the Organization, tracks Data path, change and update history (processor, date, changes…)

e. “Compliance & Risk Assessment” features

17

Risk management has a primary objective of ensuring organizations comply with legal and regulatory obligations needed to conduct business.GDPR solutions in the « Compliance & Risk Assessment » category allow to:

Audit the compliance level across the organizationIdentify Personal Information among overall owned Data andassess associated risks

Define action plans and follow theremediation evolution throughcollaborative and workflow features aswell as Dashboards

Compliance & Risk Assessment

Compliance AuditIdentify weak points, process flaws and practices not compliant with regulations, and help define the path to remediation

PIA and DPIA managementProvide templates and tools to facilitate assessments (PIA and DPIA), risk identification and reports, and remediation plans

Reports for Compliance Proof (Audit Trails)Produce all required reports and documented evidences to demonstrate GDPR compliance efforts and accountabilities: data register, data flows…

Dashboard & Data Viz Provide Dashboards and Data Viz features with data analysis and statistics

Collaboration WorkflowProvide collaboration tools to coordinate tasks for data register, risk assessment, compliance control, user access right and request management

Data Risk AnalysisAnalyse company-owned Data to identifies Personal DataAnalyse Data models and processes to identify weaknesses and locate risks

Breach ManagementManage breach control, identify security flaws depending on Data sensitivity, manage user information in case of privacy violation and define action plans for remediation

Vendor Risk ManagementIdentify vendors, keep up-to-date a vendor inventory, help draw links and relationships between vendor and Personal Data sensitivity, analyse data transfers with third-parties and assesses vendor

Contract ManagementMonitor vendors and associated contracts, help conduct vendors due diligence, provide guidance to build and consolidate GDPR compliant contracts

Action PlanningBased on compliance assessment, define remediation path and provide project management tools to build action plans and track completion progress

e. “Compliance & Risk Assessment” features - scoring

1818

Features Common Specific Niche

Compliance & Risk Assessment

f. “User Data Privacy” features (1/2)

19

GDPR protects any and all personal user data across virtually every conceivable online platform.GDPR solutions in the « User Data Privacy » category allow to:

Manage ID and authentication and consolidate User profilesacross accounts and IDs

Provide templates to inform users of their rights (notifications) and provideforms for customers to exercise their individual rights (requests for access,modification, erasure)

User Data Privacy

f. “User Data Privacy” features (2/2)

20

GDPR solutions in the « User Data Privacy » category allow to:

Protect user data through encryption and anonymization features

Consolidate User Consents (ex: Consent Management Platform) across numerous marketing campaign channels (Digital, Email…) and ensure compliant & secure transmission to third-party tools (Campaign Manager control panel)

User Data Privacy

ID Control Panel Customer is able to control the data that will be shared with the website he is visiting

Data Encryption and Protection The customer data is encrypted and protected after being received in the website

Form Generation Ability to generate forms adapted to the brand and identity of the website

Access Request ManagementCustomer is able to request that the data he previously shared with a website be removed from their ledger or that he can gain access to said data

Consent ManagementEnable the website administrators to get, manage and document consents of their users for specific purposes, channels and technologies

Data Distribution Capability of the solution to transmit the compliant data to third-party technologies (CMS, CRM, DMP, ETL …)

Authentication managementManage the way customer access their account via various means (SSO, Multi-Factor Authentication, Password less,…)

Anonymization of the data Removal of all data that should not be relevant to the website in order to guarantee compliance with GDPR regulations

f. “User Data Privacy” features - scoring

21

Features Common Specific Niche

User Data Privacy

g. “Digital Consent” features (1/2)

22

Provide the Website Administrators ways to customizethe information (texts, look & feel) through configurationpanel

Provide precise legal information to data subjects,through generation of notifications (cookie bannerstexts), privacy policy, list of cookies involved in the site

GDPR sets a high standard for Digital consent. GDPR solutions in the « Digital Consent» category allow to:

Digital Consent

g. “Digital Consent” features (2/2)

23

Provide the data subjects with a way to accept, decline or specifically choose which cookie to accept/decline through a consent preference panel

Apply all the data subjects’ cookie preferences across all the websites domain and subdomains, as well as other partners or affiliated sites

GDPR solutions in the « Digital Consent» category allow to:

Digital Consent

Dig

ital

Co

nse

nt

Templates Possibility to use different templates for notices, consent forms, preferences configurator

Multi-language support Multiple language platform, automatic language detection (browser) and suitable language display

UI ConfigurationUI configuration capabilities for the Website designer to customize banners and pop-in’s Look&Feel, and better fit the Brand graphical charter

Preference SettingsCapability for the Website visitor to set-up his/her own level of cookie privacy preferences and cookie usage, from necessary technical to marketing level

Cookie Consent BannerA tool to facilitate banner generation (look & feel, notification language…) and display on the website at the visitor’s first visit, regardless of the opening page

Location-based personalizationAbility to dynamically adapt the content depending on data subjects’ location, in order to display the most suitable notices, depending on local regulations

Multi-domain managementCapability to manage cookies for several websites, to propagate and apply cookies and preference settings to multiple domain names

Easy Access to Preference settings Provide the Website’s visitor with easy access to view and modify Preference Settings

Tracker detection & recordAutomatic scan and detection of all trackers implemented in the website, ability to list them for the data subjects to set-up cookie preferences

Reporting Capability to provide advanced reporting features: monitoring, data viz, dashboard, extracts, audit trails

Tag Management System Integration Integration through TMS systems

Configurable Consent trigger criteriaConfigurable ways to consider data subjects’ action as a consent: explicit opt-in, soft opt-in (scroll opt-in, click-on-page opt-in…)

A/B Testing Advanced feature to test designs, look & feel, notices and call to action texts in order to maximize Opt-In rates

Mobile App capabilities Mobile App feature that help mobile app users to set up their ad consent

g. “Digital Consent” features - scoring

24

Features Common Specific Niche

Digital Consent

3. GDPR means Change Management

GDPR is encouraging each organization to review their existing processes and adopt a new way of interacting with internal or external partners.

The change management strategy should include the following pillars:

25

Optimise processes

Build a brand reputation

• Improve employee understanding of the role they play in protecting Company’s data

• Ensure project owners review & cover the GDPR aspects right from the beginning (privacy by design)

• Conduct staff training and awareness at regular intervals

Break the silos

• Join forces to embed privacy in your culture, processes and systems

• Encourage Business Units to work towards an omnichannel strategy

• Define cross Business Units processes

• Keep your customer at heart • Strengthening reputation and

relationships with Customers, and extermal Partners

• Build strong foundation around Cyber security

• Review & optimise current practices of processing data

• Improve data quality, accuracy and policy enforcement

• Ensure seamless traceability of processes

Increase employee awareness

4. Conclusion

*Source: Estimations IDC France

The General Data Protection Regulation (GDPR) was the biggest story of 2018 in the field of global privacy and dataprotection. About seven months after the GDPR’s effective date, organizations are still working on compliance and willbe for years to come.

Bearing in mind the wide scope of GDPR and the significant level of financial investment, it is necessary to think well onhow each company wants to embrace the data protection project and clearly define priorities to implement andmaintain a sustainable GDPR solution.

Some businesses have chosen to use a GDPR solution to help their business to build, implement and demonstrateprograms for GDPR compliance. The GDPR solutions landscape is already well developed, however, we notice that thebig players of the software solution industry have not entered this space yet, leaving opportunities to smaller vendors,challengers and specialists to develop their own solutions.

The budget required to comply with Europe’s new data law could rapidly increase depending of the data protectionperimeter that companies decide to undertake. Today, the average cost of the GDPR compliance starts between 4Mand 17M CHF depending of the sector, around 34M CHF for large international groups and could end up above 100MCHF for those in the banking sector / insurance.

26

4. Priorities

PRIORITIES FOR ORGANIZATIONS:

Beyond initial actions of setting up governance structure (ex: DPO nomination)

Focus on topics that are highly visible and have direct impacts oncustomers (obtention of valid consents from individuals andresponse to request to exercise the rights of data access,modification and deletion

Deploy solutions that cover the main features (consentmanagement, notifications, consent management, request forms…)

Depending on the nature of the organization’s activity, evaluate thebenefits in comparison with risks and costs, which allow todetermine the level of automation, industrialization of processesthat is truly necessary for each GDPR topics.

27

GDPR is effective since 25 May 2018

Need guidelines to implement yourGDPR & FADP* compliance?

Located in France and Switzerland, ColombusConsulting Shift proposes a unique offering, specializedin innovation, marketing and data, in order to supportits clients in their transformation projects, from strategyto execution.

Shift.colombus-consulting.com

Jean MeneveauPartner - Switzerland meneveau@colombus-consulting.com

+41 79 725 24 95

Team

David RobinPartner - France robin@colombus-consulting.com

+33 6 80 50 37 92

* FADP means Federal Act on Data Protection, which is the Swiss equivalent of GDPR

Delphine SerresSenior Consultant

Son NguyenManager

Maxime Robert Colin Consultant

Meryem BenaguidaConsultant

Contact us Today!