It happens every day: marketing purchases a new platform with the promise of helping the organization meet and exceed business targets. When it comes time to implement the revolutionary new solution, a privacy review is initiated as part of the onboarding process. When legal and privacy reviews are conducted, it becomes clear that many of the features and functionalities are a no-go: personal data is being disclosed to a third party not currently reflected in disclosures to users; first-party data required doesn’t have appropriate consent from consumers; and the targeting functionality relies upon automated decision making, which creates a high compliance risk.
It’s going to take 12 months before the platform is usable in a compliant manner. Millions have been spent on a solution which can’t realize any return on the investment until next year, at the earliest. Frustrations abound.
In today’s changing marketing and advertising technology environment, with third-party cookies being deprecated and new AI features being introduced to compensate for the resulting signal loss, scenarios like the one described are becoming more frequent. More personal data is required in advertising technologies; more automated decision making is embedded; and privacy risks are heightened. It is imperative for privacy and legal teams to clearly define policies and processes that enable decision makers in marketing and advertising functions to identify and consider compliance risk in all of their decisions.
The process begins and ends with legal and privacy teams. Clear guidance must be provided for what constitutes high, medium, and low-risk activities. To define these parameters, it is helpful to ask: if something goes wrong, what is the likelihood and impact of punishment?
Start with an initial assessment of whether any personal data from consumers is involved. If not, risks are generally lower, as the processing activity is unlikely to be in scope for privacy regulations. There are still risks to brand reputation and of potential disclosure of proprietary information, which should be considered, but in the privacy context, activities involving personal data are the focus.
When dealing with personal information/personal data of users, the stakes are raised. To assign risk for these scenarios, it is helpful to look at guidance from regulatory bodies, especially those in Europe, as their guidance is much more explicit than that from the United States. While the examples provided are from EU regulators, the principles are universal.
In April 2022, the European Data Protection Board published guidelines on how supervisory authorities should calculate administrative fines when assessing GDPR infringements. In October 2023, the UK’s Information Commissioner’s Office published draft guidelines for the same. In both, the specific information to be considered in an assessment of the seriousness of a violation is similar, with the following factors detailed:
- The nature of the infringement
The nature of the infringement is assessed by the concrete circumstances of the case. This considers what the infringed provision seeks to protect (i.e. what right of the consumer or obligation of the business has been violated). In addition, the degree to which the infringement prevented the application of the provision and the fulfillment of its objective is considered.
- The gravity of the infringement
The gravity of the infringement is essentially the severity of the violation. Several explicit factors are defined to be considered in determining the gravity of the infringement:
  - The nature of the processing – This includes the context in which the processing is functionally based (business activity, non-profit, political, etc.) as well as the characteristics of the processing, meaning the techniques involved. If the purpose is to monitor a user or evaluate personal aspects of the user, if the processing applies new or innovative technology, if the processing is opaque, or if the processing involves automated decision making with the potential for a negative impact on the user, then risk is higher and more weight is added. More weight can also be added to this factor if there is a clear imbalance of power between the controller and the data subject.
  - The scope of the processing – This factor considers how difficult it is for the data subject and the supervisory authority to curb the unlawful conduct. It factors in whether the processing is local, national, or cross-border, as well as the amount of resources the controller dedicates to the processing activity. The larger the scope, the more weight can be attributed to this factor.
  - The purpose of the processing – The purpose for which the processing is happening, or the “why” behind the processing. If the processing is central to a controller’s core activities, it can be given more weight, as it can if the processing has a significant impact on outcomes for the data subject.
  - The number of data subjects – This considers both the number of subjects impacted and the number potentially affected or put at risk by the infringing behavior. Also considered is whether the infringing processing is of a systemic nature; to determine this, the ratio of impacted subjects to total subjects can be considered. In both cases, the higher the number, the more weight can be factored in.
  - The level of damage – This factor considers what harms the data subjects suffered as a result of the processing and the extent to which their rights and freedoms were violated.
- The duration of the infringement
How long the infringement has been going on. In general, the longer the duration, the more weight is attributed.
- Intentional or negligent character of the infringement
Whether the infringement was committed intentionally or is instead a breach of the duty of care required by law. Intentional infringements carry more weight, but ignorance is not bliss: negligent infringements can at best be regarded as neutral, with weight assigned based upon the degree of negligence in the case.
- Categories of personal data affected
Regulations clearly define the categories of personal data which carry more weight (sensitive data, data of minors, etc.). The type of data involved in the infringing processing is considered in the assessment of the violation’s seriousness.
An assessment of this information allows the supervisory authority to classify the seriousness of the infringement as low/medium/high, with guidance for the legal maximum penalty for each classification tier.
Similarly, legal and privacy teams can use these factors to assign compliance risk levels to new strategies and solutions proposed by business teams.
Identifying and assigning compliance risk for all activities is the first step. To empower decision making within business teams, it is also necessary to define policies and processes for managing activities within each risk level. The specifics of these standards will differ based upon the organization and the risk tolerance of its compliance and legal teams. Factors such as the size of the organization, the applicable regulations, the industry it operates in, and the nature of the consumer data it handles should all be considered. Within the context of the organization’s risk tolerance, specific actions such as documentation requirements, ongoing monitoring, contractual obligations, risk mitigation considerations, and review processes are defined for low/medium/high-risk activities.
The goal is to embed a privacy-centric mindset within business teams by making them privacy conscious. Every new strategy and solution should be evaluated through the lens of compliance risk, with risk mitigation considered in the solution design processes. Articulating a process for assignment of compliance risk and requirements for processing activities within each risk level empowers business teams to make privacy-conscious decisions and get solutions to market faster to satisfy business objectives.