Ensighten – Assuring EU Consumers’ Privacy in Compliance with the General Data Protection Regulation
With the deadline for enforcement of the European Union’s General Data Protection Regulation (GDPR) quickly approaching, businesses engaging with consumers in the EU must implement compliance, or face fines that could potentially bankrupt them. Ensighten’s GDPR Website Compliance tools are designed to help these companies fulfill GDPR requirements regarding the collection, storage, and use of their customers’ personal data.
Tell us a little bit about your background and current position at Ensighten.
As Ensighten’s Chief Executive Officer (CEO), I provide strategic and operational leadership. Prior to joining Ensighten, I spent 15 years at Spectrum Equity, a leading private equity firm in the software and internet markets. I began my career with Ernst & Young and have held senior leadership positions at venture-backed start-ups and public companies.
Please briefly describe Ensighten’s Products.
Ensighten has a range of products providing marketing technologies to global brands, enabling them to transform their digital businesses for the better. Ensighten fuels their diverse marketing technology investments with first-party customer data and profiles so they can perform better by understanding and helping customers on an individual basis.
- Ensighten Privacy is the only enforcement tool in the market that puts the brand in full control of their most precious asset - data. It enables real-time data privacy enforcement, so websites can easily comply with GDPR and other data privacy regulations. By providing a real-time view of their digital data supply chain, organizations can view and manage all the ‘tags’ on their digital properties that could possibly be sources of data leakage.
- Ensighten Pulse enables the stitching together of many pieces of information from offsite and onsite sources to enhance the customer experience. Beginning offsite, through digital advertising, online video, and IoT (Internet of Things) devices, the customer journey begins well before visitors get to your branded channels. Pulse allows businesses to gain ownership and control of critical user-related advertising data. For customers, it fuels first-visit personalization and an overall more relevant browsing experience.
- Ensighten Manage orchestrates data and technology to deliver better customer experiences. It helps marketers group technology and data sources together on a customer data platform, so all its vendor tags and data can be managed through one intuitive interface. This is all done within a layer of security that ensures data privacy and governance.
How are the GDPR Website Compliance and Enterprise Data Compliance products related - if at all?
The GDPR Website Compliance tool is designed for smaller organizations that are only looking to get their websites GDPR compliant. All the features of the GDPR website compliance platform are available in the Enterprise version.
What is the GDPR, and when does it take effect?
GDPR, the General Data Protection Regulation, is the European Union’s new set of regulations for data protection, updating the 1995 Data Protection Directive. To provide greater protection and rights to individuals, businesses will need to change the way they collect and record consent from customers. They must request personal information in a more transparent way, so customers know exactly which of their data may possibly be shared if they do consent. It is a lot more rigorous than the older regulation, so it means a greater focus from businesses to comply and put customer care and consent at the front of their processes.
These regulations go into effect on, or rather, will start being enforced on, May 25, 2018. As of that date, companies can be held fully responsible for not complying and face serious consequences, including very stringent fines.
Do businesses located outside of the EU who market and sell to EU residents need to be GDPR compliant?
Yes. GDPR applies to any business engaging with consumers in the European Union, regardless of their location. They all face the same consequences, including financial penalties, for not complying. Despite Brexit, the UK intends to uphold the regulations for its citizens.
What are the consequences of not complying with GDPR?
There is a range of consequences of not complying with GDPR. The ICO (Information Commissioner's Office) and Data Protection Authorities (DPAs) will have the power to fine companies up to 20 million Euros or 4% of a company’s total annual worldwide turnover for the preceding year – leaving that company potentially bankrupt. These penalties are much higher than in the past.
Furthermore, not complying with GDPR risks long-lasting damage to customer trust and advocacy. A trusting rapport between businesses and their customers is core to maintaining any brand, as we’ve seen recently in the news from data breaches at big-name, well-known businesses.
Particularly, the marketing team needs to understand that if a brand has any 3rd-party tags on their website, they are at higher risk of non-compliance due to the way these technologies automatically “hoover up” customer data and take them out to other parties.
What if a business does not process any personal data but has it done by an integrated third-party provider such as Google, MailChimp, Salesforce, etc.?
All organizations need to know how their suppliers manage EU citizens’ data. There is no hiding by outsourcing responsibility!
How does a business prove GDPR compliance?
One way in which businesses can prove GDPR compliance is to create a personal data inventory, maintaining records of how and where personal data is transferred. This must be kept up to date and accurate in preparation for potential audits from the supervisory authority. Businesses will be expected to prove that consent was received for all collected personally identifiable information. As a step towards proving GDPR compliance, a data mapping exercise which captures customer activity and reports on data processing activities can be useful.
How does Ensighten integrate with existing websites to assure GDPR Compliance?
Ensighten’s Privacy GDPR solution can be deployed via any tag management system with a single line of code that never needs to be changed. It can be deployed on any size website without impacting latency at all.
With our solution, the website team selects a GDPR compliance level in accordance with their risk profile and selects third-party data permissions with whitelists and blacklists. This ensures that personally identifiable information is kept only for the uses required, and only by those with permission.
The dashboard tool highlights how many visitors have opted in and out of each marketing technology and receives alerts when new domains that require permission appear on their site. Most importantly, website teams can easily review visitor audit trails, available upon regulatory request.
Once integrated, does Ensighten assume all responsibility for continued GDPR compliance?
While our platform provides the tools to enable website compliance, the organization needs to assume responsibility for adhering to GDPR.
GDPR compliance requires that companies appoint a Data Protection Officer (DPO). What does that position entail and does Ensighten take on that role once your product is integrated?
The role of a DPO within a business involves reviewing their documentation and policies to ensure compliance with the GDPR. The DPO maintains all responsibility for the safeguarding and proper handling of customer data. Ensighten’s solution helps the DPO prove their website’s compliance.
In the event of updates or changes to GDPR, can Privacy GDPR be scaled easily and the DPOs notified and trained for any necessary changes?
Ensighten will be monitoring any updates to the GDPR regulations relating to websites and updating the platform where applicable; however, it is in the interest of the DPOs to stay fully conversant with any changes to legislation and its potential impact.
How does Ensighten help prevent data breaches?
As long as privacy is running on the page, our tools will monitor all network requests to and from third parties within the web browser’s DOM (Document Object Model). If the third-party domain has not been whitelisted, the request will be blocked.