Insight for Impact: Infomedia’s take on the GDPR

Insight for Impact: Infomedia’s take on the GDPR

By Rasmus Juel Jensen, Project Lead, and Thomas Vejlemand, CEO, Infomedia

Interview with Sophia Karakeva, Marketing and Communications Executive, DataScouting

1. GDPR is coming. How much does the new data protection regulation affect the media intelligence industry and which field is the most vulnerable?

The Infomedia business case is in transit from classic media monitoring towards media intelligence. The emphasis is on data analysis rather than the filtering, editing and distribution of media content, on which the classic media monitoring business case was based. We call this focus Insight for Impact.

As we believe insight to be crucial for our customers in their navigating the media landscape effectively, Infomedia welcomes the GDPR as an opportunity to look within our own organization – parring our GDPR efforts with the overall strengthening and professionalization on numerous levels, including HR, business process management, business intelligence, technology, marketing,law,end products and, indeed, data science.

The focus on the latter obviously leaves some fields more vulnerable than others. A major driver in the legal efforts behind GDPR is the challenges of protecting personal data in a world of communication dominated by major players like Facebook and Google. Meanwhile, a media intelligence company that does not cover the field of Social Media cannot provide the services demanded by customers.

Individual profiling without consent is a GDPR no go, but Social Media is in its nature almost impossible to analyze and monitor without processing personal data. This makesSoMe a particularly vulnerable field. The future will show whether companies like Facebook will comply with the GDPR – thus ensuring their users a level of privacy that allows the media intelligence industry to work with SoMe data without worrying about their own compliance in doing so.

2. Is your company ready? What changes did you have to undergo to comply with GDPR and what was the biggest challenge that you faced?

Following the GDPR topic closely in the news feed, in networks and on conferences, it is clear,that Infomedia is not in the back of the pack regarding readying itself for GDPR compliance. The work has been pushed along based on qualified assumptions opposed to waiting for the outcome of national interpretation and legislative drafting. Also, we used our GDPR efforts as a vehicle for organizational professionalization, cooperation and standardization – approaching the task more as a business case than a chore.The following describes the Infomedia approach to GDPR.

Composition of the Infomedia GDPR team

Infomedia’s GDPR efforts were formally launched in December 2016, putting a project lead in charge of heading the work. Looking at the initial presentation of the GDPR we chose to pool the work ahead under three main topics:

• Legal framework

• Policies and procedures

• IT approaches

This called for a GDPR team with broad representation within Infomedia, involving staff with expertise regarding HR, customer relations, data and business intelligence, business process management, IT and, of course, project management. Since we did not have any in-house legal expertise at the time, we hired a legal assistant referring directly to the GDPR-team. The composition of the team has changed parallel to progress of the project leaving the Project Lead and the Head of Business Intelligence as the core of the team. The team refers directly to the management team having the CEO, CFO and CTO directly involved.

Initial approach

The initial approach of the team was a thorough data analysis, mapping all our personal data and its processing in our systems. This analysis was passed on to external lawyers, who returned legal inputs regarding approaches to future procedures. Parallel to the legal analysis of current data processing procedures it was decided to clearly distinguish between customer data and HR data in the work to come.

Thorough data mapping is substantial work but serves as the overall testing of Infomedia’s legal grounds for processing personal data – thus meeting the GDPR demand towards documenting compliance. The test was carried out by our external law house, roughly following the format below:

Strategy customer data

Ongoing dialogue with our lawyer as well as legal capacities from The Association of Danish Media and FIBEP has been crucial in sharpening Infomedia’s legal approach towards GDPR compliance – especially in defining the legal ground for the processing of user data. Infomedia’s legal ground for processing personal data from users is legitimate interest. This legal stance will be elaborated upon in the answer to question number 5.

Steps regarding customer data have been taken on numerous levels in the organization, including the departments of Sales, Marketing, Customer Support, Technology and Finance as well as in end products, systems and Business Intelligence approaches. Other measures are being implemented in this final execution phase towards May 25th. Steps include:

• Sales, Marketing, Consultants and Customer Support

• Precautionary tuning of our CRM system to avoid systematic notations of personal matters on contacts and customers

• Description of Infomedia’s GDPR approach in numerous languages for the use in tender processes

• Standardized erasure procedures regarding obsolete user/customer data in the CRM system

• Technology

• Thorough analysis of necessary security measures and procedures, including data breach procedures

• Definition and implementation of IT-policies

• Implementation of activity log in systems

• Finance

• Securing of GDPR compliant legal framework from e.g. suppliers of IT support, CRM system, external SoMe platforms and platforms used in internal work flows

• Incorporation of GDPR in governance and business process management

• Products

• Pop up notifications in products informing customers on the Infomedia personal data approach and the rights of the individual

• Systems

• Standardized erasure procedures regarding obsolete user/customer dataUp to date security measures regarding log on procedures and recreation of forgotten passwords

• Adaption to revised login procedures – specifically pupils’ access to the substantial Infomedia media archive. In communicating with the Danish educational authorities, Infomedia has clearly emphasized non-compliant procedures in the current setup, since login data containing personal data on children is being passed on to Infomedia, who has no legal grounds for such data processing. We expect the authorities to comply with the GDPR come May 25th, but at this point it is unclear to us exactly how they plan to do so.

• Business Intelligence approach

• Procedures ensuring compliance regarding the use of UX analytics tools

• Procedures and technical measures meeting the individual’s right to insight and data portability

• Partners

The Infomedia business setup includes a Russian IT development and support team, an Indian production unit and providers of SoMe management platforms.

This motivated us to implement an independent HR-platform enabling us to clean our systems of HR-data structuring our share drive in the process of securing the safety of the data we process on staff.

The Indian setup presents little GDPR issues, since its primary focus is logistics, preparing and formatting publicized media content to fit the Infomedia flow.

We expect legal ramifications in relation to processing of publicized content to be an ongoing discussion in the media intelligence industry, but as for now, the Infomedia stance on the matter is simple: we must rely on publisher’s compliance regarding personal data issues in publicized content. This principle also applies to SoMe. Infomedia does not distribute SoMe content in our own systems and products but rely on partnerships with providers of social media management platforms.

​Strategy HR data

The HR focus has been on cleaning Infomedia’s systems of personal data and transferring this to an independent HR system to meet the demand for restricted access to sensitive personal data.

Legal analysis also clarified the need to obtain specific consent from the employees regarding the use of pictures. Consent represents a challenge since it’s withdrawable. Following the advice of our external law house, we chose the following approach:

• Consent has been obtained from employees regarding the internal use of their picture

• A contract represents the legal framework for the use of pictures in external material, e.g. printed and digital commercial material. The reason for this approach is simple: Infomedia cannot withdraw printed material once distributed.

Infomedia has taken the necessary steps regarding GDPR compliance in our recruiting, employment and offboarding procedures. Primary focus has been minimization of personal data in job applications and securing the right procedures when drawing up contracts and obtaining the information needed for bookkeeping and payment of wages.

Essential results of our GDPR efforts come May 25th will be:

• Thorough mapping of our entire personal data flow and our legal grounds for compliant data processing.

• GDPR Toolkit- a collection of guidelines, policies and procedures ensuring compliant business processes.

• GDPR Compliance Report- describing project approach, legal stances, policies, procedures, technological steps, controls, contractual status quo et cetera.

• Implementation of Gluu- a process management and workflow tool, enabling us to compile and communicate business processes and assigned responsibilities clearly throughout the organization.

• Implementation of Champ- an onboarding and knowledge sharing platform, key to ensuring and controlling that staff is up to date on internal GDPR policies and procedures.

The challenge: From project to business culture

Writing internal policies and establishing procedures is ongoing work. This work aims to both establish sustainable procedures and GDPR compliance as well as meeting our obligations as employer regarding the handling of personal data from the employees. The legal processing of the majority of this data does not rest on consent but on transparent procedures. The ongoing approach is to describe the procedures in a clear and simple language available and understandable to all.

The GDPR team believes that the focus on the employee’s rights, regarding the processing of their personal data, will play an important role in the education of the Infomedia staff concerning the handling of personal data in general. It is crucial, that the staff recognizes, that the GDPR project doesnot stop on May 25th 2018. In many regards, it starts here. The GDPR team recognizes its role in educating staff and establishing understandable processes clear to all. The biggest GDPR challenge weface is not the preparation towards the deadline but ensuring GDPR compliance in the every day business processes in the years to come.

3. GDPR mandates businesses implement state-of-the-art technology to protect against threats. How much have you invested in technology to prevent data leaks or encrypt data?

GDPR obligates businesses and organizations to consider personal data protection issues in the implementation of technology. It is, however, important to note that the GDPR balances these demands against the reality of current business set ups. One cannot expect current systems to be tweaked to perform against their nature.

In Infomedia, however, we expect to be fully able to meet requirements regarding adequate erasure procedures by tuning our current systems. The same goes for our obligation to meet the right to data portability as well as providing a sufficient level of security for staff, costumer organizations and individual users. We are currently shifting towards cloud servers supplied by ISO9001 and ISO27001 certified provider.

As touched upon early, the current setup with the Danish educational sector is not GDPR compliant. Obviously, Infomedia will go to great lengths to provide our services to the public. It is both sound business and of societal importance. It is, however, uncertain at this point, what measures are to be taken to adapt our system to a compliant set up from the specific login provider, thus impossible to identify a precise business case on the matter.

4. Given how important data analytics is today in our business, how will the GDPR affect that?

Analyzing the private individual, which is de facto profiling, is outside the scope of the general media intelligence corporation business case. The legal basis for such data processing is simply not there without explicit consent from the subject. Media intelligence corporations should sharpen their approach towards data analysis to ensure that analysis focuses on trends and not the individuals that GDPR sets out to protect.

That said, the media intelligence industry should be able analyze publicly available information. The rights upheld in the GDPR, e.g. the right to be forgotten, does not apply to public persona on a mission to control their public image. As mentioned earlier the Infomedia stance on publicly available content and data is clear: GDPR compliance should apply to the source – the publisher or initial distributor of content and data. Obviously, there is still a shared responsibility in the communications industry to rely on compliant data, but sources cannot deny their GDPR duties.

5. MMOs work with media databases. With GDPR, will MMOs need to get consent from every person in those databases?

Not necessarily. In Infomedia we base access to our media database – and the logging of usage - on legitimate interest rather than consent. Since we need individual logging for numerous reasons and cannot supply our services without logging, consent cannot be given freely – therefor not legally counting as consent. We need to log individual use to:

• Protect customer organizations from misuse

• Protect the individual user from possible claims of misuse

• Log of usage regarding royalty to suppliers of media content

Infomedia will still uphold the rights of the individual user – including the right to data portability – whereas the right to be forgotten will not be directly upheld; personal user data will be deleted or anonymized when it is no longer needed for bookkeeping.

As mentioned earlier, use and login-data of pupils will not be logged individually, since we do not have the legal grounds for such data processing. Instead Infomedia expects the authorities to implement a GDPR compliant login set-up in their end.

6. Artificial intelligence and machine learning are playing a major role in the media intelligence industry. What are the privacy issue with GDPR regarding AI and ML?

As touched upon earlier, de facto profiling of the private individual without consent is a GDPR no go. AI and ML offers a great potential for the collecting and processing of vast amounts of data. Risks linked to these technologies include the amalgamation of personal data from various sources to whom the individual indeed gave consent – but without being able to predict the implications of certain combinations of data. The GDPR, obviously, focuses on the protection of the individual, and the media intelligence industry should be very much aware of the difference between analyzing trends and profiling individuals. That said, Infomedia takes the personal data stand described earlier: one must expect publishers, editorial media and suppliers of SoMe platforms to ensure GDPR compliance in their business models.

7. What are the challenges for cloud service providers?

As Infomedia is not at cloud service provider, our primary focus in this field is our own approach to personal data practices – including working incloud-based CRM platforms such as Salesforce. That said, there are obvious legal implications connected to working in the cloud: organizations need to ensure, that cloud providers meet the standards of GDPR compliance, no matter where their headquarters may be situated.

The same, obviously, goes for cloud servers. One advice could be to choose ISO9001 and ISO27001 certified providers. The logic governing the ISO standards has not been lost on the architects behind the GDPR, and a data processor agreement with at ISO certified IT-provider is a strong signal to the market, that your organization is doing its outmost to protect not only personal data but also customer data, even though the latter may not be directly covered by the GDPR. Yet another example of GDPR as a positive driver for overall strengthening of business set-ups.

About the authors

Thomas Vejlemand

Thomas Vejlemand is the CEO of Infomedia, a leading Nordic media intelligence company based in Copenhagen. Thomas is behind the digital transformation now positioning the company as a communication and marketing insight partner for B2B industries.

Infomedia recently bought Opoint Technology for crawling of global online news medias.

Years of experience as CEO and board member in media, communication and technology companies. Advisor for start-up businesses.

Rasmus Juel Jensen

Rasmus Juel Jensen is the Project Lead in Infomedia. Holds a Master of History and Social Science from the University of Copenhagen. Employee in Infomedia since 2008. Areas of responsibility include heading Infomedia’s GDPR-program and Business Process Management.

About Infomedia

Infomedia A/S is a media intelligence company, who is leading in media monitoring and media analysis across print, web, broadcast and social media in Denmark and the Nordics. The company is based in Copenhagen and has offices in Oslo and Stockholm, a development team in St. Petersburg and a production team in Chennai, India. The company was established in 2003 and is owned 50/50 by the two media companies JP/Politiken and Berlingske Media.