Universal Registration Document 2023

2. Risk and Risk management - AFR

5. Personal data confidentiality

Description of the risk

Advertising and communication activities involve the processing of a significant volume of personal data. Laws and regulations governing personal data protection are complex, constantly evolving, differ from country to country and give rise to significant and growing compliance costs. Supervisory authorities are increasingly vigilant and impose ever‑higher penalties. Control policies, regulatory interpretation and restrictions on cross‑border data transfers are becoming increasingly stringent. As part of its digital strategy, the European Union introduced regulations affecting the advertising and marketing industry, with the ambition of turning the European Union into a single digital market and to “create a safer digital space where the fundamental rights of users are protected and to establish a level playing field for businesses.” These include the Digital Services Act, the Digital Markets Act and the Data Governance Act.

Following the General Data Protection Regulation (EU) 2016/679 (EU GDPR), a growing number of countries have adopted personal data protection regulations. In the United States, in the absence of federal regulation, many states, including California, Virginia, Colorado, Connecticut, Iowa, Montana and Utah, have enacted data protection laws. These laws tighten the requirements on how companies may use consumer personal data. Other US states have adopted, or are on a path to proposing, their own draft laws on the protection of personal data, which, if passed, will further fragment the legislative landscape and add to its complexity. In addition, some US states have introduced new laws governing the processing of sensitive data, and it is likely that other US states will follow this approach in the near future.

Many other countries have enacted data protection laws, including Brazil, the People’s Republic of China, India, Australia, the United Arab Emirates and Saudi Arabia.

Artificial Intelligence (AI) has developed rapidly in recent years and is commonly used in advertising‑related activities. This development comes with increased attention from regulators. Many countries are implementing AI‑specific laws and regulations, notably at the European Union level (the Artificial Intelligence Act approved by the European Parliament) and in certain US states.

The Groupe, which processes an increasing quantity of personal data, could be subject to increased scrutiny by supervisory bodies. Any breach of applicable laws and regulations may, in addition to liability suits and sanctions against the Groupe, including pecuniary penalties, cause a loss of client confidence and have an adverse impact on the Groupe’s reputation and activities. Furthermore, any loss or unauthorized disclosure of personal data may cause significant damage to the persons concerned and may render the Groupe liable.

Risk management

The GDPO (Global Data Privacy Office) is part of the Groupe’s Legal Department, which reports to the Secretary General. Its role is to oversee the data protection program, advise agencies on data protection issues and help them with risk management. From an operational point of view, the GDPO relies on its Global Data Privacy Operations Team (GDPOps), including Privacy Leads and Data Privacy Stewards in the various countries, in charge of implementing and monitoring the compliance program. The GDPO and GDPOps teams work closely with the GSO (Global Security Office) whenever there is a data security question.

The data protection policy is based on the principle of “Privacy‑by‑Design” and must ensure compliance with applicable laws and best practices. The internal procedures governing these aspects are available on the Groupe’s website. This Privacy‑by‑Design policy integrates issues related to the use of artificial intelligence (AI) in processes and various systems so that responsibilities are clear, with rigorous oversight and strong governance.

Suppliers are subject to initial due diligence whose purpose is to assess their data protection and security processes and policies, to verify their compliance and to understand their practices. The GDPO, GDPOps and GSO teams work together on these initial reviews.

A dedicated Groupe process (the Incident Response Process) governs the management of cybersecurity incidents and data breaches.

All employees receive annual training with reminders on the European GDPR (General Data Protection Regulation), the CCPA (California Consumer Privacy Act) and data security. Specific ad hoc training is delivered as needed.