Image

Médiamétrie is THE neutral and independent trusted third party in the media and digital ecosystem. Two essential areas of this trust concern the protection of individual data and information security. Audience and survey data require the greatest vigilance from Médiamétrie. In addition to implementing GDPR compliance 3 years ago, Médiamétrie pursues a process of continuous improvement to manage the security and protection of individual data, in particular through the establishment of a shared organisation and processes. What are the actions taken by Médiamétrie? What are the specific features of audience measurement in this regard?

Particular attention to personal data

Médiamétrie is the only stakeholder to offer a consolidated and accurate view of media consumption. For this purpose, it collects personal data from panellists, interviewees, Internet users, whether it is their name, telephone number, cookie, etc. Also, the protection of all this information and its processing in accordance with the legislation are fully in line with the values of Trust and Transparency promoted by the company.

Médiamétrie has developed a sound management system for this data that is based on technical elements managed by the Information Systems Department and processing rules that ensure protective management of the personal data entrusted to it.

An approach structured by dedicated processes

Médiamétrie must ensure the privacy and complete integrity of data on the entire results production chain. Its main objective is to ensure the parties concerned whose personal data it processes (panellists, interviewees, internet users, employees, clients and suppliers) that the processing is indeed secured and in compliance with the necessary legal requirements.

For panellists, Médiamétrie always obtains their consent within the framework of agreements signed by both parties. Panellists are thereby informed how their data is used and if they so desire, they can cancel the agreement with Médiamétrie at any time. In accordance with the regulations, they can exercise their rights to the data that Médiamétrie has collected concerning them. Similarly, people interviewed by telephone are also asked for their consent after they have been informed.

Since this concerns measurements that use cookies or trackers, such as video streaming measurements for example, compliance with the regulations requires a positive action by the internet user: their acceptance or refusal of the audience measurement cookie, after display of the information banner when they consult websites.

The measures needed to meet the requirements of the General Data Protection Regulation involve dedicated processes, established and implemented by staff members who are conscious of the "privacy" issue and through the use of specific protection tools and techniques.

In order to have an overall view of the data processed, cross-sectional mapping of personal data makes it possible to know exactly where this data is located at each stage of the processing. Similarly, a register of data processing activities precisely lists all the actions performed. The retention periods for data are defined in proportion to the purposes of the processing carried out.

To ensure the protection of processed data, Médiamétrie applies measures to the data itself such as data minimisation, pseudonymisation or anonymisation. It also uses new technical protection measures: notably, the encryption of personal data flows.

Internal access rights to personal data are limited. Protection is at a maximum to avoid any disclosure of data or intrusion by unauthorised third parties into Médiamétrie's information systems.

Médiamétrie performs “Privacy Impact Assessments” (PIA). For each process, this involves identifying the risks related to the personal data and taking the measures that are available to the company. Encoding is one example of these measures.

Finally, data protection must also be ensured by Médiamétrie’s subcontractors who manage personal data in its name and on its behalf. Their commitments in terms of personal data are formalised contractually. Security insurance plans are appended to the contract and specific audits are performed by Médiamétrie to ensure compliance with the obligations.

Raising staff awareness is central to Médiamétrie's compliance with the legal and regulatory requirements. Arnaud Philippe, Médiamétrie’s Quality & Security Department Director and Data Protection Officer, coordinates compliance actions across the company: “My role is to be the guarantor of security and GDPR-compatible processing of all personal data handled by Médiamétrie. I am also the CNIL (French Data Protection Authority) contact person for all questions concerning personal data processing. At Médiamétrie, I am the primary contact person on this subject for all departments.”

All the departments (surveys, data collection, marketing, IT, accounting, etc.) are concerned, and individual vigilance is required in relation to personal data. Staff members particularly exposed to these issues, notably, due to their access to numerous personal data or because of their direct contact with panelists and interviewees, receive training dedicated to their field-specific problems.

However, on a daily basis, Privacy is everyone’s business. Informing and training staff is therefore essential. “I work in close collaboration with the legal department on the one hand, and also with the Communication Department and the Human Resources Department, because raising staff awareness is a key element in the application of the GDPR. This is a very cross-functional approach in which the whole company is involved: the IT department, the panel management, the legal department, and the marketing and sales entities. The marketing and sales entities are very important in expressing client expectations and field-specific requirements”, Arnaud Philippe points out.

Security and privacy by design

Médiamétrie has initiated the implementation of a shared organisation and process allowing a high level of security to be controlled. The objectives focus on increasing the maturity and level of security at Médiamétrie and its partners and compliance with the GDPR.

Frédéric Bertin, Médiamétrie’s Information Systems Security Officer, says: “The cornerstone of this approach is privacy by design, an approach that consists of integrating security and privacy issues from the design of projects and solutions.”

The principle is to ensure that the operational processes and tools used for new processing guarantee the privacy, integrity, availability and traceability of all data.

Right from the start, the Project Managers apply the principles of Security & Privacy By Design as part of the deployment of Agile design methods across the company. Médiamétrie seeks to optimise the security of processing by carrying out risk analyses even before any process is applied to personal data. The aim is to ensure business continuity and recovery in the event of an incident.

As an example, a risk analysis was done on the Personal Portable Audience Measurement project on the technical as well as the data aspects of the measurement in order to ensure complete confidentiality of the participating panellists' personal data.

Certification for strengthening security and data protection

Data protection is an integral part of the quality policy applied at Médiamétrie, which has been ISO 9001 certified since 1998. In this framework, the manner in which the activity is conducted, and notably the production of surveys, is defined by processes. To go further, Médiamétrie has started an ISO 27001 certification process - on an information security management system - and ISO 27701, its extension to data protection.

Frédéric Bertin explains: “The principle involves building of processes and an organisation on which to rely to manage all of Médiamétrie's security, in a continuous improvement process.”

Considering the importance it represents, the scope defined for certification is panel management.

ISO 27001 certification requires building an Information Security Management System (ISMS). Such a system is first of all defined by processes and procedures for risk management and safety improvement, then implemented, controlled and assessed in relation to the defined objectives and finally, it is subject to corrective or improvement actions. Risk analysis methodologies are applied.

ISO 27701 certification is an extension of 27001, which relates to a management and privacy protection system. It describes the security measures to be implemented for the processing of personal data.

This approach to managing security within a single system is a company project which Médiamétrie expects to complete in 2023 with certification.

Protecting data: a long-term approach

Finally, Médiamétrie pays particular attention to legislative work that will have an impact on all the stakeholders in the market. The e-Privacy regulation currently being discussed is one example of this: it is aimed at creating new management rules for data derived from internet users' browsing and providing additional guarantees to European citizens concerning the respect of privacy. It incites the media market to ask itself new questions on its economic model and development. As a stakeholder in this ecosystem, Médiamétrie makes proposals and discusses with its counterparts, partners and clients. The aim is to work on the levers of European digital independence and the growth factors for the market.

Laure Osmanian Molinero