PoV

Getting Ready for GDPR


March 2018

Turn regulatory uncertainty into your competitive advantage


Background

In May 2018, the biggest change in consumer privacy regulation in over 20 years will come into effect. The General Data Privacy Regulation (GDPR) will significantly change how European and global marketers, publishers, marketing technology companies, and data brokers manage consumer data.

Despite hyperbolic rhetoric from some industry trade groups, GDPR does not mean the end of data-driven, people-based marketing. However, it does pose challenges to existing methods of consumer data collection, processing, and application – challenges that require urgent attention from every organization interacting with European consumers.

What changes with GDPR

GDPR changes existing European privacy practices across multiple key areas.

While the fundamentals of GDPR are well-documented today, there is still uncertainty around interpretation and implementation of the regulation as GDPR has yet to come into effect. Specifically, there is significant uncertainty as to how regulators will audit and enforce GDPR across complex data supply chains. As we detail elsewhere, we believe blockchain technology will help ensure compliance, regardless of ultimate interpretation.

Rigorous Consent Requirements

GDPR creates a more rigorous process for consumer consent to data collection. No longer will companies be able to use complex legalese to obtain consent; instead, consent language must be unambiguous and clearly outline why data is collected and how it will be used.

Expanded Definition of PII

For many organizations, PII is currently defined only as identifiers that can be linked directly to a person such as home addresses, email addresses, or telephone numbers. As such, most advertising technology companies have washed their hands of regulatory scrutiny by explicitly saying that they do not handle PII. However, GDPR expands the definition of PII to include identifiers that can be indirectly linked to an individual. This includes digital identifiers such as IP addresses or cookie IDs, all of which are essential to the functioning of most parts of the ad tech stack. Organizations and their tech vendors may have to update their privacy policies and data handling practices in response to this expanded definition.

Financial Penalties

GDPR has teeth. Companies can be fined up to 4% of their annual revenue or €20 million for the most severe violations.

Global Risk

While previous European privacy regulations affected only businesses located in the EU, GDPR affects any business that collects or processes data from European consumers. So even if your website is hosted in North America or Asia, GDPR affects any data you collect from EU residents.

Recommendations

For EU businesses, GDPR represents a strengthening – and legal codifying – of concepts already present in European privacy directives. Nonetheless, GDPR will require many European businesses to modify their existing data collection and processing practices.

For global businesses who may collect data from EU consumers, GDPR introduces significantly more rigorous privacy requirements than currently employed in markets such as the United States. These organizations will need to weigh the risk of financial penalties due to GDPR non-compliance against the costs (financial and otherwise) of implementing new privacy practices.

Most importantly, GDPR means organizations with strong first-party data strategies and close, collaborative relationships with their marketing technology vendors will have a significant competitive advantage over those reliant on a scattered tech stack. In response to the looming implementation of GDPR, organizations should:

  • Build a cross-departmental plan. For any marketer whose product touches EU consumers, we recommend setting up a cross-department working group on GDPR that includes compliance/legal stakeholders, IT, web management, CRM, and any other department that uses consumer data – it’s not just about digital data or advertising!
  • Know what data is collected from your digital properties…and by whom. GDPR places additional regulatory burdens on organizations to police the compliance of data processors who act on their behalf. In programmatic media, complex supply chains can mean your website may contain code from dozens of vendors such as DSPs, DMPs, and ad exchanges who gather data from your site and for whom you may be responsible for ensuring compliance. At the bare minimum, your organization should understand what information these vendors are collecting and what their policies are for handling this data.
  • Understand your agency and ad tech vendors’ plans to ensure business continuity. For some ad tech vendors, GDPR may force a significant redesign of certain functionality. Areas such as 3rd party data and cross-device targeting may specifically carry the most risk of disruption. Talk to your DMP and DSP partners about their plans for addressing GDPR and ask which areas of functionality need to be altered – and what development timelines look like – to maintain compliance.