top of page

Case Study

GDPR

image 82.png

In today’s digital age,

data protection has become a critical priority for businesses of all sizes. With vast amounts of personal and sensitive information being collected, stored, and processed, companies are increasingly responsible for safeguarding data against breaches and misuse. A proactive approach to data protection is essential not only to ensure compliance with regulatory requirements but also to build trust with customers and mitigate growing cybersecurity risks.

The General Data Protection Regulation (GDPR) stands as a comprehensive framework addressing the most pressing data security challenges. It harmonizes data privacy laws across Europe and sets strict requirements for organizations handling personal data. GDPR also addresses user concerns about privacy, giving individuals greater control over their information while demanding transparency from businesses.​

With rapid technological advancements and data explosion, the regulation pushes companies to collect only necessary data and process it responsibly. Additionally, GDPR’s strict security requirements help businesses combat the growing risks from data breaches and cyber threats, mandating appropriate safeguards and imposing significant penalties for non-compliance.

By adhering to GDPR and taking proactive data protection measures, businesses can strengthen their cybersecurity posture, stay ahead of regulatory demands, and maintain the trust of their users in an increasingly interconnected world.

Problem Overview:

Navigating Regulatory Challenges & Privacy Demands

As a global native advertising platform, MGID operates in a highly regulated space and must comply with laws like GDPR, CCPA, and AdTech privacy frameworks. The company faced several challenges:

Expanding into new markets meant stricter data protection laws, higher compliance costs, and increased scrutiny from enterprise clients.

Growing user awareness of data rights required a structured approach to handling data access, deletion, and consent management.

Enterprise clients demanded verifiable security compliance, making GDPR alignment essential for closing deals.

Unclear breach response protocols before GDPR compliance increased the risk of fines and reputational damage in case of an incident.

These challenges required a proactive, security-first approach, not just regulatory box-checking.

Key Results: 

Strengthened Security & Business Growth

Big4 Validation: Zero Non-Conformities


MGID's meticulous implementation of GDPR practices was validated through a rigorous external audit conducted by a Big4 firm, which confirmed zero non-conformities with GDPR standards. This validation demonstrated that MGID’s GDPR compliance was robust enough to withstand both user policy examinations and legal scrutiny. The absence of required corrective actions reinforced MGID’s reputation as a trusted partner in the industry, particularly as a member of Google's Authorized Buyer Program.

Compliance as a Competitive Advantage

As GDPR compliance becomes a prerequisite for collaboration with enterprise clients, MGID’s robust privacy framework removes a key barrier for partnerships. The company’s commitment to data privacy standards has enabled it to seamlessly address RFIs from potential customers on data protection, easing concerns that could otherwise be deal-breakers for Enterprise clients who prioritize compliance.

Streamlined Compliance and Reduced Operational Burden through DPF


Participation in the Data Privacy Framework (DPF) program enabled MGID to streamline EU-U.S. data transfers, ease contractual processes, and reduce the operational burden of vendor assessments. This proactive approach allowed MGID to maintain compliance more efficiently, swiftly meet client expectations, and reinforce their status as a reliable partner in the AdTech industry.

Efficient Data Rights Management

At the heart of MGID’s GDPR compliance efforts was the development of a robust internal infrastructure and processes for handling data subject requests. This mechanism enabled MGID to effectively uphold users' rights as mandated by the regulation, while significantly reducing the risk of substantial fines for any violations of those rights.

Swift Breach Response & Risk Mitigation

 

We ensured that MGID had the necessary processes and technical measures in place to handle potential data breaches. The company is now equipped to respond swiftly to breaches, minimizing their impact and reducing the likelihood of severe legal or financial repercussions. By embedding GDPR compliance into both its legal and technical infrastructure, MGID has safeguarded its business from risk while fostering greater trust with customers and partners—proving that privacy and security are central to its long-term success.

Adtech Company Criteo Hit

with 40$M Fine by French DPA

The investigation by the French DPA uncovered five infringements of the GDPR by Criteo:

Article 7.1 GDPR

Failure to demonstrate that the data subject gave its consent

Articles 12 and 13 GDPR

Failure to comply with the obligation of information and transparency 

Article 15.1 GDPR

Failure to respect the right of access​

Articles 7.3 & 17.1 GDPR

Failure to comply with the right to withdraw consent and erasure of data 

Article 26 GDPR

Failure to provide for an agreement between joint controllers

As a result, Crite was issued a fine of EUR 40 million, a decision the AdTech company is intending to appeal

Solution:
Building True Compliance

In the fast-evolving digital world, ensuring data privacy is not just a legal requirement but also a key element of building trust with clients and partners. 

Partnership

MGID's native monetization platform is chosen by the world's premier publishers

cocacola.webp
bankofamerica.webp
citroen.webp
airbnb.webp
debate.webp
image 72.webp
coverfox.webp
image 80.webp
international business.webp
italiaonline.webp
grupo.webp
image.webp
kia.webp
lazada.webp
medlife.webp
qatar.webp
msn.webp
realclear.webp
tokopedia.webp
vietnamnet.webp
times now.webp
playmaker.webp
opera.webp
newsweek.webp

MGID, with Sekurno’s guidance, embarked on a comprehensive GDPR compliance journey that went far beyond ticking regulatory boxes. The goal was to build a robust, risk-managed security framework capable of protecting personal data, avoiding regulatory fines, and delivering transparency to all stakeholders.

  • Data Protection Impact Assessment (DPIA):
    Conducting a Data Protection Impact Assessment (DPIA) was crucial for identifying high-risk data processing activities. The DPIA enabled us to assess the risks and determine appropriate mitigation strategies to ensure MGID’s practices did not expose them to unnecessary regulatory scrutiny.
  • Lawfulness of Processing Review:
    To comply with GDPR, we reviewed how MGID processed personal data, ensuring every activity was legally justified under GDPR principles, such as consent or legitimate interest. This critical analysis ensured that all data collection and processing were grounded in proper legal bases, eliminating potential vulnerabilities in the system.
  • Employee Awareness and Training:
    GDPR compliance isn’t just about systems and processes—it’s fundamentally about people. To ensure that every MGID employee understood their critical role in maintaining compliance, we delivered comprehensive GDPR awareness training. These sessions equipped staff with a clear understanding of key data protection terms and principles, while also emphasizing their responsibilities in addressing data subject rights and reporting potential data breaches. This approach ensured that every team member was not only informed but also actively engaged in maintaining ongoing compliance.
  • Data Flow Analysis:
    The foundation of any GDPR compliance initiative is understanding where personal data flows. We started by meticulously mapping how MGID collected, processed, stored, and shared personal data across its services. This step gave us a clear picture of MGID's data handling processes and helped us pinpoint which data required the highest level of protection.
  • Data Breach Management:
    One of the most challenging aspects of GDPR is responding to data breaches. We implemented a robust breach management procedure, including internal protocols for quick detection, classification, and reporting. Should a breach occur, MGID is prepared to notify relevant authorities and affected individuals within the GDPR-mandated 72 hours, significantly reducing risks of penalties and ensuring swift, appropriate responses.
  • GDPR-Specific Policy Implementation:
    Compliance policies are the backbone of any privacy program. For MGID, we created a full set of GDPR-specific policies, including Records of Processing Activities (ROPA), Privacy and Cookie Notices, Data Subject Rights Policy, and a Personal Data Breach Notification Policy, and others. These policies ensured that MGID was fully compliant with GDPR requirements while streamlining internal operations.
  • Third-Party Assessment:
    A critical aspect of GDPR compliance for MGID was ensuring that all external vendors with access to its data adhered to the same high standards of data protection. We began by identifying all third-party vendors involved in data processing, a crucial step to secure MGID's data flow. To ensure compliance, we established legally binding contracts with every third party, explicitly outlining their obligations under GDPR. This proactive approach helped safeguard MGID's data from potential risks associated with third-party interactions, while also demonstrating MGID’s commitment to GDPR standards and data protection.
  • Compliance Statement:
    As there is currently no formal certification for GDPR, the final step in the implementation process involved the Data Protection Officer (DPO) preparing a detailed GDPR Compliance Statement. This document highlights the key elements of MGID’s data protection framework and demonstrates the company's adherence to GDPR. The statement serves as proof of MGID’s commitment to safeguarding personal data and provides assurance to clients and partners of their compliance with GDPR standards.
  • Will penetration testing disrupt my business operations?
    No, ethical hackers will work closely with you to ensure that testing does not impact your regular operations or service availability.
  • Why do we need penetration testing?
    Penetration testing helps organizations identify vulnerabilities before cybercriminals can exploit them, ensuring robust security and compliance with industry regulations.
  • What’s the difference between vulnerability scanning and penetration testing?
    Vulnerability scanning is an automated process to identify potential vulnerabilities, while penetration testing is a more comprehensive, manual effort to exploit and analyze those vulnerabilities.
  • What is OWASP, and why is it important?
    OWASP stands for the Open Web Application Security Project. It’s a nonprofit that works to improve software security. Their top 10 list of web application vulnerabilities is a crucial resource in the pentesting community.
  • What was the first step MGID took toward GDPR compliance?
    The foundation of any GDPR compliance initiative is understanding where personal data flows. We started by meticulously mapping how MGID collected, processed, stored, and shared personal data across its services. This step gave us a clear picture of MGID's data handling processes and helped us pinpoint which data required the highest level of protection.
  • How do you ensure that testing is done securely and responsibly?
    Our team strictly follows industry methodologies like OWASP and PTES and works in isolated environments, ensuring no data leakage or unintended disruptions.
  • Can I conduct penetration testing internally?
    While organizations can have internal teams perform pentesting, external teams provide an unbiased perspective and can identify vulnerabilities that internal teams might overlook.
  • What are the different types of penetration tests?
    There are several types, including network penetration testing, web application testing, mobile application testing, and social engineering tests.
  • What can I expect in the final report?
    Our detailed report provides an executive summary for management, technical findings, a threat model document, and a checklist of all tests performed.
  • How often should I conduct penetration testing?
    Industry best practices recommend annual penetration tests at a minimum. However, it’s ideal to test more frequently, especially if you make significant changes to your infrastructure or applications.
  • What is ‘white box’ and ‘black box’ testing?
    ‘White box’ testing is when the tester has knowledge of the internal structures or workings of the application. ‘Black box’ testing is done without any prior knowledge of the infrastructure.
  • Is penetration testing costly?
    The cost of penetration testing varies based on scope, complexity, and type. However, considering the potential loss from a security breach, it’s a worthy investment for businesses.
  • What makes Sekurno different from other cybersecurity firms?
    Sekurno offers a comprehensive approach to cybersecurity, combining advanced pen-testing, continuous security support, and AI-assisted processes. With a dedicated team for each client and a commitment to transparency, Sekurno ensures that businesses are protected beyond mere compliance.
  • How does Sekurno ensure transparency in its services?
    Sekurno believes in no hidden fees and provides regular updates to clients. Every project involves at least two engineers, ensuring an unbiased approach, and we adhere to standards with checklists for all tests performed.
  • How has Sekurno benefited its clients in the past?
    Sekurno has a proven track record with over 80 projects completed, saving clients a cumulative $90M. We pride ourselves on a 5/5 client satisfaction rate.
  • What certifications do Sekurno's experts hold?
    Our team comprises experts with some of the most challenging certifications in the cybersecurity domain. This ensures that our clients receive top-notch service from knowledgeable professionals.
  • What does "security beyond compliance" mean?
    While many firms focus on meeting the minimum security standards set by regulations, Sekurno goes beyond that. We aim to reduce risks to the highest extent possible, ensuring that businesses are not just compliant but also genuinely secure.
  • How does Sekurno's AI-assisted process enhance cybersecurity?
    Our AI-assisted processes help in creating more accurate threat models, generating detailed reports, and formulating security policies. This ensures a faster response time and more efficient threat detection and mitigation.
  • How do I get started with Sekurno’s Application Security Services?
    To get started, you can schedule a consultation with our team. We will conduct an initial assessment of your current security posture, integrate a dedicated security expert into your team, and provide continuous support throughout the SDLC.
  • How does integrating security early (Shift-Left) benefit my business?
    Integrating security early, or shifting left, helps in early detection of vulnerabilities, reducing the cost and time required for remediation. It also improves the overall security posture of the application, leading to fewer security incidents and compliance issues.
  • What stages of the SDLC does Sekurno cover?
    Sekurno covers all stages of the SDLC, including: Requirements Analysis Architectural Design Software Development Testing Deployment Maintenance
  • What is Application Security?
    Application security involves integrating security practices into the software development lifecycle (SDLC) to protect applications from vulnerabilities and threats. It includes measures such as secure coding practices, threat modeling, security testing, and continuous monitoring.
  • Why is Secure SDLC important?
    Secure SDLC is crucial because it helps identify and mitigate security vulnerabilities early in the development process, reducing the cost and time required to fix issues. It also enhances the overall security and quality of the application, ensuring compliance with industry standards and regulations.
  • What tools and methodologies does Sekurno use?
    Sekurno uses industry-recognized tools and methodologies, such as Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Software Composition Analysis (SCA), and frameworks like OWASP ASVS and NIST CSF to ensure comprehensive security coverage.
  • How does Sekurno ensure compliance with industry standards?
    Sekurno ensures compliance by integrating security best practices and regulatory requirements into the SDLC. We use frameworks such as ISO/IEC 27001 and NIST CSF to guide our security measures and maintain alignment with industry standards.
  • Can Sekurno integrate with our existing development tools and workflows?
    Yes, Sekurno can integrate with your existing development tools and workflows. We work closely with your team to ensure seamless integration of security practices into your current processes, enhancing your overall security posture without disrupting productivity.

The impact of this engagement on our business has been profound. With Sekurno's help, we were able to implement a structured approach to security, which not only enhanced our internal processes but also significantly improved our market position. Notably, we signed agreements with world-known brands, something that wouldn't have been possible without the security measures and certifications we achieved through this collaboration.

Maksym Romanchuk - Deputy of CTO at MGID Inc.

Conclusion:
ISO 27001 as a Cornerstone for Long-Term Success

MGID’s journey toward GDPR compliance, guided by Sekurno, reflects the company’s forward-thinking approach to data privacy in the ever-evolving AdTech industry. With a team of dedicated experts, MGID tackled this complex process with efficiency, maintaining strong organization, swift task execution, and seamless communication at every stage. This collaborative effort underscored their commitment not only to regulatory alignment but also to building a resilient and future-proof data protection framework.

By establishing comprehensive, GDPR-compliant systems and adopting best practices, MGID strengthened its operational capabilities, simplifying EU-U.S. data transfers, reducing the burden of vendor assessments, and enhancing client trust. Their proactive stance on compliance has empowered MGID to swiftly address regulatory requirements and client RFIs, positioning them as a preferred partner for enterprise clients who prioritize robust data privacy measures.

MGID’s achievement extends beyond compliance; it has cultivated a culture of accountability and transparency, aligning the company with the highest standards in data protection. This commitment to continuous improvement in security practices reinforces MGID’s credibility and stability in a highly competitive market, setting the stage for sustainable growth and long-term success in the digital age.

  • Sekurno's LinkedIn
  • Sekurno's Facebook
  • X

Contact

team@sekurno.com

Offices

TNW City, Singel 542, 1017 AZ Amsterdam, Netherlands

 

Harju maakond, Tallinn, Kesklinna linnaosa, Ahtri tn 12, 10151, Estonia

cybernova-sign
USAID-Identity

© 2024 Sekurno. All rights reserved.

bottom of page