Audience measurement and media surveys: protecting personal data
This constitutes progress in terms of personal data (PD) protection, as digital technology is more and more present in our lives and algorithms are increasingly powerful. Médiamétrie’s audience measurement and media survey activity makes them conscious of data protection. The new European Regulation requires going a step further in this field. What are the actions taken by Médiamétrie? What are the specific features of audience measurement in this regard?
At Médiamétrie, Personal Data is sacred!
Data protection is not new to Médiamétrie. Their mission is to observe public behaviours and analyse changes in media use. Therefore, they collect panellists', interviewees' and internet users' PD, whether it concerns their name, telephone number, cookies, etc.
Médiamétrie developed a sound management system for these data that is based on technical elements guided by the Information Systems Department and processing rules that ensure protective management of PD entrusted to them.
Data protection is an integral part of the quality policy applied at Médiamétrie which has been ISO 9001 certified since 1998. In this framework, the manner in which the activity is conducted, and notably the production of surveys, is defined by processes. From the upstream stage, the "Managing a Project" process ensures that risk analyses are carried out even before any PD processing. The results of these analyses enable the optimisation of processing security.
As an example, a risk analysis was done on the Personal Portable Audience Measurement project on the technical as well as the data aspects of the measurement in order to ensure complete confidentiality of the participating panellists' personal data.
An approach structured by dedicated processes
To conform to the GDPR, Médiamétrie took the lead! The data protection culture is ingrained in the company. Working groups were established a year ago to define and implement the measures required to bring Médiamétrie's processing into conformance with the GDPR requirements.
Médiamétrie must ensure the privacy and complete integrity of data across the entire results production chain. Their main objective is to assure the parties concerned whose PD they process (panellists, interviewees, internet users) that the processing is indeed secure and in conformance with the necessary legal requirements.
For panellists, there is nothing new. Médiamétrie has always obtained their consent as part of the agreement signed between the two parties. Panellists are thereby informed how their data are used and if they so desire, they can cancel the agreement with Médiamétrie at any moment. In conformance with the regulation, they can exercise their rights to the data that Médiamétrie has collected concerning them. Similarly, people interviewed by telephone are also asked for their consent after they have been informed.
The necessary measures to meet the Regulation requirements involve dedicated processes, established and implemented by staff members who are conscious of the "privacy" issue and by use of specific protection tools and techniques.
To provide an overall view of processed data, a transversal mapping of PD was created. This mapping makes it possible to know exactly where the PD is located at each processing step. Similarly, a register of data processing activities has been established, which enables a precise inventory of all the actions taken.
The GDPR approach motivates Médiamétrie to challenge their practices, notably those concerning the data retention period. Using an impact analysis, the company's retention period was harmonised.
To ensure the protection of processed data, Médiamétrie applies measures to the data themselves such as pseudonymisation or anonymisation. They also use new protection measures: notably, the encryption of PD flows.
Internal access rights to PD are limited. Protection is at a maximum to avoid any divulging of information or intrusion by unauthorised third parties in the Médiamétrie information systems.
Being in conformance with the GDPR requires an examination of the processes from all angles through "Privacy Impact Assessments" (PIA). For each process, this means identifying the risks related to the PD and taking the measures that are available to the company. Encoding is one example of these measures. Several PIAs are in progress or have already been carried out for projects such as the Personal Portable Audience Measurement project, Datalake, the One Next project (press audience measurement) and the 4-Screen TV audience measurement.
The development of Médiamétrie’s Data Business activity, which consists of qualifying, validating or enhancing external databases with audience data collected by Médiamétrie, also concerns specific actions. The data verification product, Data Checking, was the subject of a PIA.
Finally, data protection should also be ensured by Médiamétrie subcontractors who manage PD in their name and on their behalf. They are asked to sign an additional clause to the existing agreement that assures Médiamétrie, and therefore Médiamétrie’s clients, of their commitment to complying with the GDPR requirements. For example, a subcontractor in charge of sending e-mails to panellists and interviewees should be able to provide the technical and organisational measures that ensure PD protection, such as data encoding. Audits are now planned for the most strategic subcontractors in terms of the GDPR.
The GDPR: all staff members are concerned
Raising staff awareness is central for Médiamétrie conformance with the GDPR requirements.
Although the Data Protection Officer (see boxed text) coordinates the compliance actions for the entire company, all the departments (surveys, data collection, marketing, IT, accounting, etc.) are concerned, and individual vigilance is required in relation to personal data.
Some staff members are particularly exposed to these questions, notably, due to their access to many PD or to their direct contact with panellists and interviewees. They receive training dedicated to their field-specific problems.
However, on a daily basis, the GDPR is everyone's business. Informing and training staff is therefore essential. Raising awareness is systematic for all new employees. A week dedicated to PD has been organised in the company for the beginning of 2018. Internal workshops and newsletters for everyone are regularly devoted to the subject.
Protecting data: a long-term approach
Be that as it may, work continues after 25 May 2018. A company's processes change over time.
Médiamétrie has implemented a design method, "Security and Privacy by design", so that each new processing includes the requirements for conformance with the GDPR. The principle: from the upstream stage, asking oneself the right questions so that the operational processes and tools used for new processing ensure the privacy, integrity, availability and traceability of all data.
Finally, Médiamétrie pays particular attention to legislative work that will have an impact on all the stakeholders in the market. The e-Privacy regulation currently being discussed is one example of this: it is aimed at creating new management rules for data derived from internet users' browsing and providing additional guarantees to European citizens concerning the respect of privacy. It prompts the media market to ask itself new questions about its economic model and digital development. As a stakeholder in this ecosystem, Médiamétrie formulates proposals and exchanges ideas with their counterparts, partners and clients. The aim is to work on the levers of European digital independence and the growth factors for the market.
3 questions for Arnaud Philippe, Quality & Security Department Director, Data Protection Officer
Médiamétrie has appointed a Data Protection Officer (DPO), Arnaud Philippe, in charge of coordinating the management and protection of private data.
1. What is your role as DPO?
My role is to be the guarantor of security and GDPR-compatible processing of all personal data handled by Médiamétrie. I am also the CNIL (French Personal Data Protection Authority) contact person for all questions concerning personal data processing. At Médiamétrie, I am the primary contact person on this subject for all departments. I also work in close collaboration with the legal as well as the communication department because raising staff awareness is a key element in the application of the GDPR. It is a very cross-disciplinary approach with which the entire company is associated: the IS, panel and legal departments and the Business Units. The BUs are very important in expressing client expectations and field-specific requirements.
2. What was your approach to bringing things into conformance with the Regulation?
The application of the GDPR at Médiamétrie has further strengthened the framework in which Médiamétrie processes personal data. It acted as a catalyst to emphasise the pertinence of processes. The Regulation incites the company to ask itself the right questions about needs concerning data, protection and anonymisation. Médiamétrie has had a very successful quality policy for several years now, which is confirmed by the ISO 9001 standard: as a result they have been able to adopt a process approach with perfect proficiency. At Médiamétrie there was already a high PD awareness. Through the GDPR, practices and approaches can be generalised for all staff members.
3. Why is it a continuing process?
The spirit is very close to an ISO-type of management system. Without expressing it directly, the GDPR is based on processes and develops the spirit of continuing improvement. Médiamétrie continuously develops new products and services, notably related to technological or methodological changes. They encourage us to ask ourselves questions on the PD we are going to process. This might be related to the availability of new equipment, for example, or the creation of new data processing algorithms. Consequently, our processes must adapt continuously in order to take these changes into account while continuing to assure the individuals who participate in our audience measurements that their privacy is protected.
Laure OSMANIAN MOLINERO