GDPR will come into effect on 25 May 2018, representing the biggest change to data protection across the EU in a decade.
Talking to a lot of advertisers, you could be forgiven for thinking that the sky is falling. But there’s a light at the end of the tunnel, and the change does represent significant opportunities for companies smart enough to take them.
Tiffany Morris is General Counsel & Vice President of Global Privacy at Lotame, and has been having 3 – 5 GDPR-related calls a week with her clients over the last few months. Lotame has two parts to its business, both of which are going to be heavily affected by the incoming regulations.
On one hand the company operates a data management platform with a heavy client base in Europe. On the other is the Lotame Data Exchange, one of the larger third party data exchanges for licensing third party data.
So, Morris is definitely a good person to speak to about GDPR.
“We can’t escape it, it really is at the core of what we are doing in both areas,” she says.
Setting a standard
For Morris, one clear effect of the approaching implementation date is an increased desire for cooperation among the company’s clients, especially with regards to some key areas where there is still a huge amount of uncertainty.
“One of the areas that we are really focused on with clients is how to handle consent,” she says. “How do we handle lawful means of processing in a world where we are placing third party tags? We are investigating universal consent management solutions.” Consent is going to be one of the biggest issues for many companies, but the guidance available so far hasn’t been clear. The IAB released its standards for consent in November 2017 which while useful, left many companies undecided on how they are going to implement them.
“GDPR is also a nice opportunity to explain to clients in a lot of detail about how some of the functionality works and what role we have vis-à-vis the data versus how they are controlling their own data,” says Morris. “So, one positive of GDPR is being able to get down in the weeds with clients and really show the value that we bring to the table.”
The data exchange side of the business adds a further layer of complication to the process. The recently released EU Article 29 Working Party consent guidelines lacked any specificity around the responsibilities of third parties in the ecosystem. “So, we are faced with this challenge moving forward of having a lot of data aggregators that are getting data from a lot of sources,” continues Morris. “We like the scale but we know that we need quality data, we need to know the provenance of that data, we need to be able to establish that there was a lawful means of collecting and processing it.”
Another clear effect of entering the final straight before the implementation date is the division of clients into those that have a good idea of what they need to do and are working hard to get a handle on the many grey areas. Others, however, are still struggling.
“There are ones that know what they need to do, are trying to figure it out and have the capital to hire advisors if they need them,” Morris says. “You also have those clients that are publishers and already have challenging business models and when you layer GDPR on top of that they can struggle to get their heads around the economic challenges that media businesses may be facing. It’s a pretty broad spectrum.”
The issue of consent
There are a whole host of potential obstacles for companies to stumble over in their quest for compliance. The huge diversity of data management and processing systems, as well as the wide range of data sources could all combine with faulty governance to create a serious headache for companies.
For Ari Levenfeld, Chief Privacy Officer at the world’s largest independent buy-side ad platform Sizmek, the numbers of non-complying companies could be high: “GDPR is a potentially major risk for companies that don’t take steps to comply. A recent Forrester study predicted that as many as 80% of all companies will not comply with the GDPR by the May 25 deadline – half of which will choose not to comply. Conversely, companies that have decided to invest significant time and resources into GDPR compliance are positioned not just to protect themselves from regulatory scrutiny and massive fines, but also protect the interests of their customers.”
Morris thinks the biggest challenge, especially in the adtech ecosystem, is going to be establishing what the lawful means for processing data, and passing it on through the ecosystem. Every partner involved in a particular ecosystem will have to prove that they have gained consent and that they have the right means to process the data in question.
“That’s the most challenging because if you look at how a transaction is processed and how many partners data flows through before an ad is actually served, and how many of those transactions are processed through the use of third party tags. It’s very difficult envision how you get that chain if you are relying on consent for example,” she says.
“How do you pass that chain of consent along in real time to what may be 30 different partners before the ad is served? That is specific to our industry, and we have to figure it out as an industry because I don’t think we are going to see that guidance coming from regulators.”
The problem this creates is significant. Consent needs to start with the consumer, but they can’t be involved in providing consent at every step in the ecosystem chain, especially when they don’t have enough fingers to count the number of companies involved in using the data generated by the initial transaction.
“So much of the law is driven around the idea that consumers should understand how their data is being collected and used and that they should really have a lot of authority in deciding how it is used,” Morris explains. “That works well in a 1-2-1 relationship.
“But what is more complicated is that a hypothetical retailer is relying on a multitude of partners to use and process that data in different ways. And, particularly in adtech, so many of those partners would never have a direct relationship with the consumer, and most consumers, not because they are uneducated but because they haven’t been exposed, doesn’t understand how this ecosystem works.”
Providing the kind of robust disclosure that this theoretically require, where a company lists the 10 or so ways they are planning to use and sell on a customer’s data, could mean going into so much detail that the disclosure becomes essentially indigestible for the consumer. “I think that is a really, really big challenge,” agrees Morris.
The issue of security
The focus of GDPR is principally about the privacy of consumers, about giving European citizens more control over the online data that is generated as they interact with companies. This creates responsibilities for companies not just around gaining consent to use data, but also handling it in a way that ensures it remains safe.
Security in this context means more than just making sure that the data isn’t stolen or compromised, it means guaranteeing that it is not subject to unauthorized or unlawful processing. For Levenfeld, this has created concerns among many brands that they might be lacking the technical and organisational measures needed to comply with the new requirements.
“The GDPR has numerous, specific compliance requirements around data governance and policy,” he says.
“For example, privacy by design is no longer an easy checkbox that companies may say they have considered when developing their products. Instead, considering privacy by design under the GDPR requires real effort and proof.”
At the very least companies are going to need to complete Data Protection Impact Assessments for each product or service they sell that utilises personal data. “Companies also need to explicitly define and publish their data retention periods,” Levenfeld says. “Companies should build data governance mechanisms to govern how data is collected and processed, to help ensure that they are only processing when they have a lawful basis to do so.”
With regards to the security in the adtech world in particular, the emphasis for companies will be making sure that they know exactly who has access to the private data transactions with consumers generate, both internally and externally.
“Measuring the effectiveness of your security systems with penetration testing by security specialists, regular updates and patching of software, and the creation of a Technical Organizational Measures (TOM) document are important ways to keep up to date and document your efforts,” continues Levenfeld.
“Security also includes putting a plan in place to respond to breaches and mitigate damage should one occur. At Sizmek, we recommend that companies complete table-top exercises to run through their breach response plan so key team members have experience practicing how to follow a breach response process before it actually happens.”
Focusing on quality
Another important consideration for international companies that do a large proportion of their business in Europe is whether they carry these changes over to the other parts of their operations. “I think, if you look at a few years ago, and I was guilty of it too, you would have different discussions with US clients then you would have with European or global ones around privacy,” says Morris.
In this sense, GDPR could really set a global standard for the way that businesses are expected to deal with security. “It doesn’t make sense from a cost perspective to handle privacy differently in the US and India and so on then you do in Europe. I think what you’ll see companies doing is adopting the European standard for everything, and it will become the bar.”
So, while the regulations are set to leave lasting changes across the adtech landscape, it is not an entirely negative picture. The majority of press coverage, especially in the UK, around GDPR has painted a picture of a doomsday scenario where no one is ready on the implementation date. What has been largely absent so far is any talk of opportunities that the new laws present to companies smart enough to exploit them.
“It is an opportunity for companies to really dig in cross functionality and understand how their various business units are using and processing data,” agrees Morris. “That is helpful and is a valid exercise for any company, and maybe prior to this law people weren’t doing enough in this area.
“We really see this as an opportunity to focus on data quality, because the costs of compliance are higher under GDPR, it doesn’t make a lot of sense to be throwing around large quantities of data without really understanding where it has come from and whether it brings a ROI to data buyers.”
At the heart of GDPR is the necessity to change the focus of data collection and processing from quantity to quality. It is no longer going to be a reasonable strategy for companies to just hoover up as much data as they can and then try to decide what to do with it after the fact. Companies are going to be required to have clear aims and clear strategies for what they are going to do with the data they collect, and be able to articulate them in a way that doesn’t turn off consumers.
Because under GDPR a business does need to tell consumers what they are planning on doing with the data, not just what data they are using. “That is what is hard for the initial party that has the direct relationship with the consumer because they may be using that data in so many different ways and working with so many different partners all doing different things, and under the law, in theory, they need to disclose every use of how they are collecting and processing the data and obtain consent or establish a lawful means of processing for each use,” explains Morris.
A retailer, for example, could find themselves having to tell their consumers that they collect their personal information so that they can make sure that the shipping and delivery get a purchased product to the right place. The consumer is likely to give consent for this. But, the retailer will also have to say that they also sell the data to a third party so that they profit from their consumer data, and then go through the 15 – 20 other ways that they are going to use the data. The retailer is theoretically required to gain consent for each of these individual uses.
“A consumer could theoretically say that they are fine with the use of data to ship them products, but are not ok with it being sent to third parties,” says Morris.
Costs of compliance
Perhaps one of the most frequent questions that Morris is asked is whether the incoming regulations will lead to a heavier cost of compliance for companies. The answer will really depend on what type of data a company is dealing with. Many US companies could see a rise in the cost of compliance due to the wider classification of what constitutes personal data.
US companies have historically viewed personal data as being things like names, street addresses and government IDS. Data that is capable of immediately identifying an individual. European law, and especially GDPR, widens this definition of personal data to include things like cookies IDs and device identifiers.
“For companies like us, who only have cookie and device identifiers, it’s a big change to treat that in the same way we would if we were collecting social security numbers,” says Morris.
This could affect the cost of compliance because if you are trading data, names and government IDs are always going to have more value than mobile advertising IDs. “So, now you take a company that has been trading only in these device identifiers, the perception is that those have lower economic value,” says Morris. “You earn less money from processing those types of data, but they are now held to the same compliance standard as a company like a bank that’s processing financial information like names and account numbers. That seems a little incongruent.”
In the end, perhaps the biggest question is what the result of GDPR will be for consumers. Will implementation actually result in a more personalized ad landscape for consumers? Is there going to be any noticeable benefit for consumers at all? For Morris, it really comes down to what consumers actually want:
“I think what they want more than anything is access to free content. That’s the world in which we have been operating, where I get access to lots of free content on the internet because I put up with the word of online advertising. I really think that is what consumers want. I think that what regulators don’t realize is, if you take away that online advertising component, which this law along with the proposed ePrivacy regulation makes a potential outcome. This means that consumers lose free content as companies put up paywalls as they need to recoup the revenue they lost from decreased advertising.”
This leads to a worry that what might appear to be a good development for consumers in the short term may end up having detrimental effects in the years to come.
“I worry that it’s going to be ‘hey, we thought we wanted more flexibility around how companies use our data and what types of ads we see, but now I’m paying for Facebook and I didn’t ever really want to do that.’”
– by Colm Hebblethwaite
