10 actionable steps to charting a publisher’s course to digital GDPR compliance
Yes, it is the topic du jour, but somehow many are still adrift when it comes to the European Union’s impending General Data Protection Regulation (GDPR), which goes into effect on 25 May 2018—under 100 working days or five short months away. Countless articles summarise requirements into generalities covering organisation-wide data elements, such as customer, partner and vendor information. More often than not this approach doesn’t mean much to Ad/Revenue Operations (Ad Ops) professionals.
The Ad Ops Challenge
GDPR presents three significant hurdles to Ad Ops:
- Identifying known data collection activity;
- Confirming it is legitimate under GDPR (i.e. that the rules are being met); and
- Detecting and remediating unauthorized data collection, which is potentially considered a data breach.
The highly-dynamic and opaque nature of the digital ecosystem often means that all three of these hurdles are difficult to clear without adversely affecting a media publisher’s strategic revenue channel. So, the key issue to resolve is this: how does a publisher go about managing data in a GDPR-compliant way but without undermining its business model(s) and therefore its commercial viability?
The answer, as usual, is Ad Ops. For this group, GDPR presents an important opportunity. As the frontline of digital operations, Ad Ops professionals are in the unique position to influence, drive, and co-create strategies to protect and optimise revenue in the changing regulatory environment. In fact, they have a powerful legitimate reason to control audience data collection activities on their digital properties and demand compliance from upstream partners.
10 Steps to GDPR Compliance
The daily demands placed on Ad Ops can be overwhelming, with the complexities—and vagaries—of GDPR an unwelcome intrusion. But it’s a critical opportunity. Here’s a 10-step approach (with supporting GDPR references) towards GDPR compliance for media-oriented websites and mobile apps:
1. Participate in an internal GDPR Task Force [GDPR Articles 37-39]
Every business— large and small—should have a GDPR ‘Task Force’ or something similar. This could be organised by a senior data privacy leader, such as a Data Protection Officer (DPO), which is now a requirement for many organisations. The Task Force should be staffed with key personnel across the organisation who interact with any type of personal data, i.e. operations, IT, privacy and risk, security, HR etc, and should include individuals across strategic markets as the GDPR has a global reach (see GDPR Article 3). As part of the Task Force, Ad Ops can explain the role of consumer data in the digital environment to deliver user-specific content and advertisements and how it supports the publication’s mission and contributes to revenue.
It is important to understand that the scope of personal data is broader than under existing EU data protection law. Under Article 4 of the GDPR, personal data is defined as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
To this extent, typical data collection, use and sharing activity generated from everyday access of websites and/or mobile apps for digital advertising purposes (i.e. cookie deployment or device identification) should be treated as personal data. Therefore, the term ‘non-Personally Identifiable Information’ should no longer exist as personal data under the GDPR is broader than PII, which is a significant change for digital advertising.
2. Evaluate the Privacy Risks [GDPR Articles 25, 35 & 36]
The Task Force will probably be responsible for developing a centralised roadmap for the organisation’s digital data and designing the plans to implement necessary processes and changes (including budgetary considerations) required to comply with the new law. Many organisations will need to conduct a Data Protection Impact Assessment (DPIA–a valuable exercise for good data hygiene), mapping the kind of data collected and processed. (Here’s a good template to follow.)
The DPIA should enable revenue and Ad Ops teams to get up close and personal with all data collection and processing activities, and knowing with whom data is being shared. There are many companies that can assist with DPIAs to develop a point-in-time data picture, which is a critical start to identifying data in the publisher ecosystem. However, the ever-changing digital environment requires continuous monitoring for compliance in order to provide an audit trail or truly demonstrate ongoing compliance. The bottom line is that the GDPR seeks to introduce a ‘Privacy by Design’ approach: removing or minimizing data or ‘pseudonymising’ it (e.g. hashing) to minimize the privacy risks.
3. Create an Authorised Partner List [GDPR Article 30]
Accountability is a central theme within the GDPR: you are required to record and account for all data processing activities. Ultimately, publishers will need to know and understand what data is being collected and processed, and who it is shared with—a serious challenge for the dynamic digital environment.
This means Ad Ops needs to develop a list of all parties that execute on the website (including contracted second parties and any subsequent parties called during the rendering of the visitor experience), analyse digital behaviour to understand data collection or targeting needs, and block those that exhibit anomalous or unapproved activity.
Conducting a data audit, compiling inventory and documenting authorized partners is a good first step; however, these will have to be continuously evaluated with an eye towards changing partner activity, new digital supply chain partners, international data transfers and consumer understanding of tracking/identification and its value to the digital experience.
4. Get Legal! [GDPR Article 6]
It may seem strange for Ad Ops teams to concern themselves with too many legalities, but with the GDPR it is imperative that those involved in data collection activities understand the consequences of their actions. The regulation outlines six legal bases to justify the processing of personal data:
- the user’s consent (which is defined more stringently than under current data protection law)
- the use of contracts involving the user
- legal compliance (i.e. with another law)
- protecting the interests of an individual
- when it is in the public interest to do so
- when it is the organisation’s legitimate interests to do so (provided it doesn’t override the rights of the individual)
Digital advertising will require the user’s consent, not least because it is required for the storing of information or gaining access to information already stored on a device—whether personal or not—(i.e. via a cookie) under the existing ePrivacy Directive (See Step 6.) This is where Ad Ops needs to work closely with the compliance teams: an innovative consent mechanism will be required for digital advertising activities. But, keep in mind that some data processing activities (e.g. for network security or when tackling fraud) may warrant different legal bases.
5. Enforce Digital Partner Compliance [Articles 26-30]
The GDPR introduces obligations (and liability) for all organisations, whether a ‘data controller’ or ‘data processor’. Find out how data partners are preparing for the GDPR and establish a working group with key partners to discuss compliance strategies. This requires first knowing your upstream partners from SSPs and exchanges through to DMP and DSPs. Some data partners are likely to have to conduct a DPIA as well—guide the process for them. In time, revisit, review and adapt contracts or agreements with existing partners to ensure that shared obligations and responsibilities under the GDPR are accounted for and that partners are complying with digital asset policies for your company. If a partner chooses to not comply with your policies reconsider your relationship with them.
6. Obtain Consent [GDPR Articles 7-9]
Consent is the new king in digital advertising, so review where and how you obtain it. Under the GDPR, consent must be given freely, specifically, and unambiguously, and it requires affirmative user action. Some pre-GDPR consent mechanisms (i.e. so-called ‘implied’ consent) may not be valid when the GDPR applies. And it remains to be seen if existing consent management platforms can properly handle authorized cookies delivered by third-party partners in addition to a publisher’s first-party cookies. It’s important that practical and user-friendly consent mechanisms are adopted. Where appropriate, review existing consent mechanisms and explore evolving market solutions to suit your business. EU regulators have provided some draft guidance on consent.
7. Be Transparent [GDPR Articles 12-14]
Revisit and restructure your Privacy Notice to ensure that it meets the requirements of GDPR. It is likely it will need to include more information than your existing one (such as all the technologies used to process data, including by third-party solution providers). Ad Ops teams will be directly responsible for any data collection activities. The UK Information Commissioner’s Office (ICO) Code of Practice provides a good template to follow, including what information to include, how the Privacy Notice should be written, and how to test, review and roll it out. But don’t stop there. Consider enhancing transparency by deploying additional measures including ‘Just-in Time’ mechanisms, video messages or the EU AdChoices programme.
8. Give your Customers Greater Control over their Information [GDPR Articles 15-22]
The GDPR seeks to give people greater control over their data and therefore includes many rights for individuals, such as the Right to Erasure and the Right to Data Portability. Media publishers will need to put in place processes to achieve these for their customers. Beyond consent, publishers need to provide mechanisms for consumers to solicit information collected and used by the publisher and absolutely honor requests for data removal. The ability to offer this functionality and test its reliability are further proof points to demonstrate compliance. Where appropriate, point to existing controls such as unsubscribe mechanisms and opt-out points, and consider other innovative data control solutions.
9. Designate a Lead Supervisory Authority [GDPR Article 56, 60-61]
Choose who your ‘Lead Supervisory Authority’ (i.e. regulator) will be when the GDPR becomes effective. This regulator will act as a single point of contact for the enterprise’s data activities throughout the EU. Documenting and opening up communication channels with the Lead Supervisory Authority now is critical to understanding how future enforcement will be carried out. Keep an eye on Brexit: if you are hoping to designate the UK ICO you may have to think again.
10. Prepare for any Data Breaches [GDPR Articles 33-34]
Implement (and test) procedures to detect, report, investigate and resolve a personal data breach (e.g. data loss or hack). Keep in mind that the reporting of high-risk breaches to the relevant Supervisory Authority (regulator) needs to happen within 72 hours of discovery—a timeline publishers are not positioned to meet. As Data Controllers, Publishers are ultimately responsible for breach notifications and, therefore, they need to be aware of any breach that occurs throughout the digital supply chain including upstream partners.
Sailing Through the GDPR Storm
All experts agree: GDPR will be a watershed moment for digital publishers. The next several months (let alone years) will be tumultuous as stragglers try to catch up and the more-prepared publishers await the success of their compliance programs.
On a positive note, the winds are favorable for digital publishers to take back control over their audience data. Direct access to the consumer relationship and the control of consumer consent puts publishers at the helm. However, it is up to the unlikely heroes—Ad Ops teams—to ensure smooth sailing when it comes to digital data compliance and risk management.
Since 1999 Matt has been working on the front line of digital advertising in an industry-facing capacity. Most recently he has taken on the role of European General Manager for The Media Trust, a US-based digital security and advertising quality assurance company.
Matt has consistently strived to generate industry consensus from senior leaders and drive innovation through collaboration. He is a frequent speaker, panelist, and chair at industry conferences including Digiday, IAB, dmexco, The Guardian, AOP (UK), Admangerforum, and corporate-operated events. He is an active advisor and investor for advertising and marketing technology start-up enterprises and a senior partner at AtlanticLeap.