Third-Party Data Sharing In Focus Again with Finland DPA Investigation
The importance of monitoring data sharing by websites and mobile apps to vendors and other third-parties has been an area that we have written about frequently on the Clarip Privacy Blog since the Cambridge Analytica scandal broke last March. Today, we received another indication of the importance of such monitoring as there are news reports that the Finland Data Protection Authority has launched an investigation into third-party data sharing by a Nokia-branded mobile phone.
This is one of the many problems addressed by Clarip’s Data Risk Intelligence software. By helping organizations identify the cookies, beacons and trackers that are operating on their website and app, it can give organizations (including privacy teams, compliance departments, IT and other internal stakeholders) insight into what is happening behind the scenes with their software. As any large organization knows, getting a grip on what is happening with all of the data can be difficult, and the Clarip privacy software makes it easier through an amazing data visualization.
What happened in Finland?
Media reports indicate that a Nokia 7 Plus owner took the phone to NRK, the largest media organization in Norway. NRK's investigation found that the phone was sending unencrypted data to a server at a domain tied to a state-owned telecommunications company in China.
The Finnish data protection authority plans to investigate whether personal data was sent and, if so, whether there was an appropriate legal justification. Although the investigation appears to be at an early stage, it will likely review whether the data sent was personal data covered by the European Union General Data Protection Regulation (GDPR), whether there was a lawful basis for processing it under Article 6, whether sufficient safeguards (such as Standard Contractual Clauses under Chapter V) were in place for the transfer outside the EU, and whether any controller-processor contracts met the requirements of Article 28.
Why Do Problems Like this Develop?
Clarip CEO Andy Sambandam has spoken repeatedly on the compliance challenges around software programming in today’s development environment. There are many possible explanations for the inclusion of a potentially problematic vendor, including the reuse of old code in which the vendor had previously been authorized but was no longer supposed to be present. The code also may have been developed internally for a different purpose and not sufficiently vetted before it was added to a different application. Or the code may have been developed by a third-party contractor and used in internal systems without being flagged to the compliance department for review.
How can Companies Avoid Problems in this Area?
1. Ongoing monitoring of the production environment is crucial. Data-sharing issues need to be caught by someone in the organization and not by consumers and the media. After the Facebook – Cambridge Analytica scandal, every company should be proactively stepping up its compliance efforts around third-party data sharing. This is an area of focus for both regulators and the media, as well as a big potential problem for companies if their data sharing goes awry. Facebook has shown that data sharing scandals can cause numerous problems for a company, including a public relations nightmare, significant government investigation costs, the loss of customers and a drop in stock price. Companies make significant efforts to prevent data breaches through cybersecurity; more needs to be done to proactively discover and prevent privacy breaches.
2. Vendor Management – Organizations need a complete inventory of the vendors currently in use. When a new vendor is identified in production, the compliance department or privacy team can review the inclusion of that vendor to make sure that all of the company’s internal processes have been followed. If the company either doesn’t have a complete list of all of its third-party vendors or isn’t monitoring systems for the inclusion of new vendors, and is merely relying on internal processes to function correctly, then problems like this one can occur. If there is a strong vendor management process and procedures are followed, such an organization could stop the inclusion of a problematic vendor before it was ever included in code for testing.
3. Privacy by Design and Default – Organizations that bake privacy practices into software development at multiple levels would have analyzed the implications of data sharing with another telecommunications company long before the software reached the production environment. They also would have documented such a decision at some point in the process.
4. Privacy Disclosures – It is crucial for organizations to regularly review their privacy disclosures against what is actually happening on their website and mobile applications. This also may have resulted in discovery of the data sharing in certain circumstances.
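Items 1 and 2 above describe a check that can be automated: compare what a device or app actually talks to in production against the approved-vendor inventory, and flag plaintext traffic on top of that. The script below is an added example written for this post; it is not Clarip's software or code from any party mentioned here. The log format, the vendor inventory, the app package names and every hostname (including the "unknown telco" destination standing in for the Nokia 7 Plus case) are constructed for illustration.

```python
"""Egress check for third-party data sharing (added example, constructed data).

Reads log lines of the form
    <ISO timestamp> <app package> <destination host> <port> <tls|plain>
and reports two things the organization should catch before the media does:
  1. traffic to a registered domain that is not on the approved-vendor list
     (the vendor-management check), and
  2. traffic that is not encrypted, whoever the destination is.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Hypothetical approved-vendor inventory: registered domain -> vendor record.
APPROVED_VENDORS: Dict[str, str] = {
    "crashreports.example": "Crash Analytics Inc (processor contract signed 2018-11)",
    "cdn.example": "Static content CDN (processor contract signed 2018-05)",
}

# Constructed sample log. The third line mimics the reported pattern:
# an unknown destination reached over plaintext HTTP.
SAMPLE_LOG = """\
2019-03-21T08:01:12Z com.example.launcher crashreports.example 443 tls
2019-03-21T08:01:15Z com.example.launcher assets.cdn.example 443 tls
2019-03-21T08:01:20Z com.example.activation telemetry.unknown-telco.test 80 plain
2019-03-21T08:02:03Z com.example.launcher beacon.new-adtech.test 443 tls
"""


@dataclass(frozen=True)
class Finding:
    timestamp: str
    app: str
    host: str
    issue: str  # "unknown_vendor" or "plaintext"


def registered_domain(host: str) -> str:
    """Reduce a hostname to its last two labels ('a.b.c.test' -> 'c.test').

    Sufficient for this example. A production check should use the public
    suffix list so that, e.g., 'foo.co.uk' is not collapsed to 'co.uk'.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_line(line: str) -> Tuple[str, str, str, int, str]:
    """Split one constructed log line into its five fields."""
    ts, app, host, port, enc = line.split()
    return ts, app, host, int(port), enc


def analyze(log_lines: Iterable[str], approved: Dict[str, str] = APPROVED_VENDORS) -> List[Finding]:
    """Return one Finding per (line, issue) pair; a line can raise both issues."""
    findings: List[Finding] = []
    for raw in log_lines:
        raw = raw.strip()
        if not raw:
            continue
        ts, app, host, _port, enc = parse_line(raw)
        if registered_domain(host) not in approved:
            findings.append(Finding(ts, app, host, "unknown_vendor"))
        if enc != "tls":
            findings.append(Finding(ts, app, host, "plaintext"))
    return findings


def summarize(findings: Iterable[Finding]) -> Dict[str, Set[str]]:
    """Group issues by destination host so the privacy team sees one row per vendor."""
    summary: Dict[str, Set[str]] = {}
    for f in findings:
        summary.setdefault(f.host, set()).add(f.issue)
    return summary


if __name__ == "__main__":
    for host, issues in sorted(summarize(analyze(SAMPLE_LOG.splitlines())).items()):
        print(f"{host}: {', '.join(sorted(issues))}")
```

Run against the constructed log, the two approved destinations produce nothing, the new ad-tech beacon is reported as an unknown vendor for review, and the telco destination is reported twice: once because nobody approved it and once because the connection is unencrypted. Either finding alone is enough to stop a release; together they are the situation the Finnish authority is now investigating.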
As more attention is drawn to privacy practices, organizations need to be improving their internal processes in order to avoid the cost and negative attention of government investigations. Clarip is a leader in data mapping software for organizations looking to improve their privacy practices and make advancements toward California Consumer Privacy Act (CCPA) and General Data Protection Regulation (GDPR) compliance. If your organization would like a demo of the Clarip technology, please call 1-888-252-5653.
Other Relevant Posts:
Dutch DPA Issues Privacy Policy Recommendations Following Review of Organizations Processing Special Data
Consent Required by Danish DPA for Customer Service Call Recording under GDPR
EDPB Releases GDPR Guidance on Contractual Necessity Lawful Basis
Poland and Denmark Issue First GDPR Fines (covering Transparency and Data Minimization)
Dutch DPA Issues Policy on GDPR Fines
EDPB Issues Opinion on Intersection of GDPR and ePrivacy
Dutch DPA Says No Cookie Walls Because of GDPR Consent
Summary of Ireland’s Data Protection Commission Annual Report
EU Issues Third Proposal of ePrivacy Regulation Changes in February
Romanian Presidency Offers ePrivacy Regulation Compromises
CNIL Releases Data Sharing Guidance for Third-Party Marketing under GDPR – Requires Informed Consent
More Resources:
Ready for the new California privacy law coming on January 1, 2020? Learn more about CCPA compliance and contact us to see a demo of the Clarip privacy management platform used by Fortune 500 clients.