On May 25th, 2018, the European Union’s General Data Protection Regulation (GDPR) will go into effect, and a post-Brexit UK has stated they will also adopt the new regulations into their own laws. By constituting the legal grounds for processing data and granting rights to data subjects, GDPR aims to protect and allow individuals control over personal data – which is now broadly defined as any information that can be used to identify a person. The GDPR also stipulates that companies that process large amounts of data will need to designate a Data Protection Officer (DPO).
This has huge implications for the digital advertising industry, even those based outside the EU, as GDPR applies to any company that processes the personal data of data subjects collected within EU member states. This extends to the data of non-citizens collected within the EU as well. Accountability for non-compliance extends to the entire supply chain, so both publishers and marketers are concerned with adapting to this new legislation.
What’s in the GDPR?
The newly established rights are defined as “the right to portability” and “the right to be forgotten.” The right of data portability means that data subjects have the right to easily accessible copies of data collected on them, which must be in a format that another data controller could easily import, and must be provided free of charge – similar to when healthcare companies provide medical records upon request, or when banks assist with switching accounts to a competitor. The right to erasure (or, to be forgotten) establishes that companies that collect data must establish affirmative consent from the subject to do so, keep a record of said consent, which the subject may withdraw at any time, and that data must be erased or otherwise rectified in a timely manner. Also notable is a new onus on data controllers to inform regulators and affected data subjects of any breach of personal data within 72 hours of detection.
The GDPR also creates its own new office position, as it stipulates that a DPO is mandatory in the case that “the core activities of the controller or the processor consist of processing operations, which require regular and systematic monitoring of data subjects on a large scale.” Any company that relies on web analytics falls into this category. While the actual accountability for GDPR compliance falls to the company itself, a DPO is there for assistance maintaining that compliance. Their function is to not only be an expert on the GDPR, but to support data protection impact assessments and audits and to act as an arbiter between data subjects, the company’s departments, and the supervisory authority.
The DPO's input should be sought for any venture that includes personal data. As such, the volume of work required of a DPO will vary from business to business, with some needing only a few days of DPO input while others may require a full time DPO with a support team. The DPO can sit in any department, so long as it avoids a conflict of interest, or could potentially be an external consultant.
How will this affect you?
It is unclear is how exactly GDPR will be enforced. Dire predictions of fines up to €20 million (or four percent of a company’s annual global revenue, whichever is more) have been dismissed as “scaremongering” by the UK’s Information Commissioner’s Office, which points out that while GDPR enables regulators to impose large fines, it also establishes “a suite of sanctions” that allow for corrective guidance without taking punitive financial measures.
The full effect of GDPR on the ad industry won’t be known for some time, but because GDPR reduces the amount of user data advertisers have access to, advertisers may choose to buy ads on sites with recognizable brands rather than target audiences more specifically. This could send more ad spend towards premium publishers, leaving those who rely on ad-targeting in a struggle to remain competitive and signifying a shift away from programmatic audience targeting.
What you can do to prepare
It remains to be seen if the EU will be able to export these regulations to other countries, but the far-reaching nature of them will be felt globally. One way for US-based companies to prepare is by self-certifying under the EU-US Privacy Shield Framework, a data transfer agreement that complies with European data protection requirements, but this still leaves other key elements of GDPR for companies to grapple with.
If you’re feeling a little stressed out at the end of all of this, that’s understandable. AdExchanger has created GDPR guides for publishers and marketers to lend some clarity to the process. Diginomica has created its own handy list of compliance tips. If your company falls under the purview of GDPR, don’t just read about it, call your legal counsel and make sure you’re protected.