Month: April 2018

Can the GDPR and Tag Management work in harmony?

“How can you prepare yourself for the GDPR without becoming blind; in other words, without losing the analysis data for your digital audiences?” That is the major worry currently preoccupying digital marketing teams. Since the GDPR sets out an entirely new order for managing personal data, companies must adopt new consent practices. Consequently, the entire tag management process must likely be revamped, including tag activation and the corresponding services (tracking analytics, retargeting, personalisation, etc.).

What is consent?
The concept is very clearly defined. Consent must be obtained in a way that is totally unambiguous. To obtain consent, you must clearly and explicitly explain to each person why you are processing their data. Furthermore, for it to be considered as freely given, the consent must constitute a genuine choice (and not an obligation). This means they must be able to access the service even if they refuse to give their consent.


These new practices raise 3 questions:

1. How can you make obtaining consent as simple as possible?
2. How can you minimise the time between obtaining consent and tracking reactivation?
3. How can you streamline tag management in the long term?

Everyone is still looking for the perfect formula to obtain consent. It can sometimes be tough to find the right image or words to explain in a clear and informative manner the purpose of the service without losing their interest. In an ideal world, you would use A/B testing to compare the success of different messages. However, for many companies, with just a few weeks before the GDPR comes into force, time is running out.

Technical challenge: how do you reactivate tags straight after obtaining consent?

Once consent is obtained, another challenge emerges: how can you reactivate tags as soon as possible and preferably before the user begins any other interactions? The only way to minimise this delay is to directly connect the consent banner to tag management, which requires a TMS (Tag Management System) also capable of managing consent. In the case of TagCommander, Commanders Act’s TMS, this falls under the remit of the specialised ePrivacy module.

This module can directly link consent for a specific purpose, for example analytics tracking, to the corresponding services and tags. Therefore, as soon as a user gives their permission, and before their next interaction, the tag container is immediately reloaded and the relevant tags activated.

And what if your TMS isn’t capable of handling privacy issues? In this case, the solution is to add lines of code for each tag to check consent has been obtained and handle activation accordingly. Such work, given the sheer number of tags involved (Commanders Act’s clients have on average 16 tags per page), soon becomes a chore and will be extremely laborious to maintain in the long run.
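The purpose-to-tag link described above can be sketched as a small consent gate. This is an added example, not TagCommander code or part of the original article; every name, purpose and URL in it is hypothetical.

```javascript
// Added example: purpose-based consent gate for tags (hypothetical names throughout).
// Each tag declares the purpose it serves; nothing loads until that purpose is granted.
function createConsentGate(loadScript) {
  const granted = new Set();   // purposes the user has accepted
  const pending = new Map();   // purpose -> tags waiting for consent
  const loaded = new Set();    // tag ids already activated (never load twice)

  function activate(tag) {
    if (loaded.has(tag.id)) return;
    loaded.add(tag.id);
    loadScript(tag.src);
  }

  return {
    // Register a tag; it fires immediately only if its purpose is already granted.
    register(tag) {
      if (granted.has(tag.purpose)) return activate(tag);
      if (!pending.has(tag.purpose)) pending.set(tag.purpose, []);
      pending.get(tag.purpose).push(tag);
    },
    // Called by the consent banner: waiting tags for this purpose load at once,
    // before the user's next interaction.
    grant(purpose) {
      granted.add(purpose);
      const waiting = pending.get(purpose) || [];
      pending.delete(purpose);
      waiting.forEach(activate);
    },
    // Withdrawal: tags registered later for this purpose wait again.
    // Scripts that already ran cannot be unloaded from the page.
    revoke(purpose) { granted.delete(purpose); },
    loadedIds() { return [...loaded]; },
  };
}

// In a browser, loadScript would append a <script> element; here it records the URL.
function demo() {
  const requested = [];
  const gate = createConsentGate((src) => requested.push(src));
  gate.register({ id: "analytics", purpose: "analytics", src: "https://analytics.example/a.js" });
  gate.register({ id: "retarget", purpose: "advertising", src: "https://ads.example/r.js" });
  gate.grant("analytics");   // banner click: only the analytics tag loads
  return requested;
}
```

Keeping the purpose on the tag definition, rather than a consent check inside each tag, is what avoids the per-tag maintenance burden the paragraph describes.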

GDPR: an opportunity to streamline tags

This agile management of tags heralded by the GDPR does not only require the right equipment, but also a lot of mapping beforehand. The aim is to organise tags based on their purpose — so you can request the correct consent — and carry out a spring clean. During these ‘inventories’, it’s not uncommon to come across ‘forgotten’ tags, activated for partnerships that no longer exist but…which continue to transfer data.

This investigative work is also a chance to go even further and consider second-level tags. These tags are often a source of data leaks to unidentified third-parties. Once again, the TMS can prove to be vital as it can re-establish the tag hierarchy and allow for any interlopers to be deactivated. This is exactly what TagCommander does via its TagFirewall feature, which uses lists (white and blacklist) to identify authorised and unauthorised tags.

Second-level tags?
As their name suggests, these tags are called by the main tags activated on a website. An example would be an advertising or testing tag that requests other tags to help provide the service. Therefore, one type of tag, for which a user has given their consent, may call upon a second-level tag that the original site cannot directly access, and which therefore lacks the necessary consent.
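The list-based check can be illustrated with a short audit routine that sorts observed script URLs into authorised, blocked and unlisted. This is an added example, not TagFirewall's implementation; the host names and list contents are constructed, and in a browser the URLs could come from `performance.getEntriesByType("resource")`.

```javascript
// Added example: classify observed script URLs against allow and block lists.
// Host names and list contents below are constructed for illustration.
const ALLOW = ["analytics.example", "cdn.partner.example"];
const BLOCK = ["tracker.invalid"];

// True when host equals the entry or is a subdomain of it.
// The leading dot stops "notanalytics.example" from matching "analytics.example".
function hostMatches(host, entry) {
  return host === entry || host.endsWith("." + entry);
}

function classifyTag(url) {
  let host;
  try {
    host = new URL(url).hostname.toLowerCase();
  } catch (e) {
    return "invalid";   // not an absolute URL: cannot be attributed to a party
  }
  if (BLOCK.some((e) => hostMatches(host, e))) return "blocked";   // block list wins
  if (ALLOW.some((e) => hostMatches(host, e))) return "authorised";
  return "unlisted";    // unknown third party: candidate for the tag inventory
}

// Group a list of script URLs by classification.
function auditTags(urls) {
  const report = { authorised: [], blocked: [], unlisted: [], invalid: [] };
  for (const u of urls) report[classifyTag(u)].push(u);
  return report;
}

// Constructed sample: two authorised tags, one look-alike host,
// one blocked second-level tag and one relative path.
const SAMPLE = [
  "https://analytics.example/collect.js",
  "https://eu.cdn.partner.example/ab-test.js",
  "https://notanalytics.example/pixel.js",
  "https://sync.tracker.invalid/match.js",
  "/local/relative.js",
];
```

The "unlisted" bucket is the useful output for the inventory: it surfaces second-level tags nobody has yet reviewed.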


As marketing teams undertake measures to comply with the GDPR, which at first sight may seem like a hindrance, it becomes clear that ‘Less is Better’. This shift bears a striking resemblance to that of mass emailing, where, after a fervent start (with a saturation of audiences), stakeholders adopted wiser and simpler practices. For tag management, this translates into only implementing tags that are truly useful for providing and managing the service, since over-collecting is clearly counterproductive. Could the GDPR be seen as an opportunity? It doesn’t seem too far-fetched…

GDPR: Survival guide for latecomers

For many companies, the GDPR (General Data Protection Regulation) is the thick dossier lying unopened on the desk, which they’ll “get to next week”. Yet, time is running out! On 25th May 2018, the GDPR will well and truly come into effect.

And with it, processing personal data will move away from a simple system of declaration to that of responsibility and audits. And a warning to anyone thinking of ignoring this responsibility…it could cost you dearly: a fine of €10 to 20 million or 2 to 4% of global turnover depending on the infringement. This raises a few key questions: how do you make the most of the upcoming weeks to get GDPR compliant? And more importantly, where do you get started? This is our little survival guide aimed at everyone running a bit behind…

#1 Evaluate the risks

Even when in a hurry, you cannot overlook this tedious task. The aim is to draw up a complete picture of the risks as well as a detailed map showing when data is processed, and the solutions required. To do so, list all the personal data you handle and analyse each step in its lifecycle from a security viewpoint.

  • What is the nature of this data?
  • For what purposes is it used?
  • Where is this information stored?
  • Is access secure, for example, using two-factor authentication?
  • Is its content protected e.g. with encryption?
  • Do third parties have access to this data? For what purposes? In what conditions?
  • Are the operations performed on this information properly logged?
  • Are the procedures regarding this information documented?

These questions are all highly relevant since the GDPR requires businesses to directly incorporate personal data protection into their operating and engineering model — hence the notion of ‘Privacy by default’ or ‘Privacy by design’. They must also be capable of accounting for the measures and initiatives taken day to day (accountability). Tiresome — we did warn you — but essential.

What makes data personal?
The GDPR defines personal data as any information related to a physical person that can be identified, directly or indirectly, by an identifier such as a name, ID number, location data, an online identifier or one or several factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity. Therefore, cookies constitute personal data since they can indirectly identify the person. In concrete terms, with the GDPR, cookies can only be activated with the explicit consent of the user once they have been informed of the purpose.

#2 Have a spring clean and minimise data

A good way to comply with the GDPR’s mandates is to only collect data when it’s necessary. In short, that means only gathering the data needed for your services. Why ask for information regarding the profession or number of people in the household if this information has no bearing on the end service? When it comes to the GDPR, collecting excessive amounts of data poses considerable and unnecessary risk.

Let’s be absolutely clear, balancing data collection with its use necessitates data governance. Governance which will be that much easier, from establishing its principles to implementation, if the data is centralised within a Customer Data Platform (CDP)— and not spread out across multiple bases and applications.

Hence why the analysis task mentioned previously is so important. But don’t just stop there: take advantage of the opportunity to perform a huge spring clean of your data and adopt the minimisation principle advocated by the GDPR.

#3 Overhaul your consent practices

You have surely started to receive emails along the lines of: “Hello, are you still interested by our information? If you are and don’t want to miss anything, please click below to keep getting our emails each week, etc.” This type of email will be increasingly popular in the coming weeks for one simple reason: the GDPR requires data to be collected lawfully, fairly and in a transparent manner.

In simple terms, every piece of data must be obtained in exchange for a clearly defined and described service. One important clarification: providing personal information cannot be a prerequisite for providing the service — doing so invalidates the consent as it is no longer considered to be freely given.

Evidently, the GDPR clearly heralds the death of ‘soft opt-in’ and ‘passive opt-in’. Gone are the days when opening an account for a service included a pre-checked box to sign up for a newsletter. Each purpose needs its own consent; and each consent must be strictly limited to the necessary data. Hence the abundance of ‘reconfirmation’ initiatives — like the aforementioned emails — as companies strive to comply with GDPR’s consent conditions and consequently clean up their contact databases.

This means you need to review your consent forms. And while you’re at it, you may as well also add others to allow anyone to rectify, ask for a copy of or restrict the processing of their personal information.

#4 Get ready for a new form of cookie management

You may be wondering: what about cookies? Do they also fall under the GDPR requirements? The answer is yes, but the precise conditions are still being ironed out through the ePrivacy regulation. While GDPR focuses on the general protection of personal data, ePrivacy takes the key points of the GDPR to focus on electronic communications.

Instead of waiting for this new regulation to take shape, it seems opportune to abandon the usual phrasing of “By browsing this site you accept the use of cookies” for a much more detailed and instructive description of the cookies’ purpose. This new mechanic poses both a technical and organisational challenge that deservedly requires the attention of the marketing team responsible for digital activities.

For businesses that have to manage multiple tags across their web platforms, the best solution is to use a TMS (Tag Management System) specifically designed for handling personal data.

#5 Adapt your structure & educate your staff

Although evaluating risks as well as overhauling useful data and how you obtain consent are all important steps in getting GDPR compliant, they are not enough. The new regulation goes even further, compelling the entire company to think about personal data protection. And for that, the regulation stipulates several scenarios where the appointment of a DPO (Data Protection Officer) is necessary. In short, given the cases described, it would seem that appointing a DPO is unavoidable for any activity like e-Commerce.

However, every single employee, not just the DPO, must be informed of the risks involved for the company if it handles personal data too loosely. An initiative that must be sustained well beyond the 25th May 2018 deadline.

The DPO’s duties?
A DPO takes on the roles of consultant, coordinator and auditor, whose tasks are to:
  • Advise and inform the processor;
  • Ensure the law is obeyed;
  • Serve as a point of contact for compliance authorities.

© Commanders Act. All rights reserved 
Powered by CREAATION.

© Commanders Act. Tous droits réservés
Powered by CREAATION.

© Commanders Act. Alle Rechte vorbehalten.
Powered by CREAATION.

© Commanders Act. Tutti i diritti riservati.
Powered by CREAATION.

© Commanders Act. Todos los derechos reservados.
Powered by CREAATION.

This site is registered on as a development site.