How to deal with GDPR

The biggest change to privacy regulation in two decades is coming. Here, the IAB’s Yves Schwarzbart explains how your business can effectively prepare before the May 25 deadline.

We got there in the end. We’ve finally reached the point where the four-letter acronym – GDPR – is as hotly debated as any buzzword in the digital advertising industry.

Many believe that the General Data Protection Regulation has the potential to transform the industry in ways that seemed unthinkable only a few years ago. Designed to give individuals greater control over their data and introduce new accountability obligations for companies from 25 May 2018, the GDPR will likely shape the industry like no other policy development in its young history.

If 2017 is the year of AI, 2018 will be the year of the GDPR, at least until 25 May, at which point virtually every company in the digital advertising ecosystem will need to have its house in order and ready for inspection, or risk being subject to the GDPR’s eye-watering fines of up to 4% of global annual turnover (or €20m – whichever is greater).

The road towards compliance can look daunting at first. The GDPR is a complex piece of legislation that nevertheless suffers from shades of grey in many important areas for the digital advertising industry, including consent.

Guidance from European regulators to clear up these areas is on its way but may not arrive until December. That said, you should not wait until then to start enacting change, as many critical aspects on the road towards compliance can – and should – be addressed now.

The following five steps will put you on the right track toward 25 May’s deadline:

1. Designate a responsibility lead

Assign responsibility for GDPR implementation to a member of staff within your organisation. The GDPR will require many companies in the digital advertising industry to appoint a Data Protection Officer (DPO). If so, companies will have the choice to either outsource or use an in-house DPO.

Companies may therefore decide to task the DPO with GDPR implementation or another member of staff. In any case, don’t think of these roles as a burden to the company or its ambitions; rather, the role is to enable businesses and act as a go-between for relevant stakeholders, including regulators.

2. Raise company awareness

It will be essential for the lead or DPO to establish a GDPR Taskforce that reports directly to the highest level of management. The Taskforce should comprise of people from key functions across the organisation (operations, engineering, data HR, etc.) and work on preparing a compliance roadmap with budgetary considerations, where appropriate.

It should also organise regular training and briefing sessions as well as other relevant material that can be shared with all staff members, business partners and clients.

3. Review and map data processing activities

Accountability is a core element of the GDPR, meaning that it will be paramount to demonstrate and record compliance. The first step towards GDPR compliance is to conduct an information audit to identify what individuals’ personal data you hold, where you get it from, who you share it with and what purpose(s) you use it for.

When you run the audit, remember that the GDPR’s definition of personal data covers more than personally identifiable information (PII). A number of data points that many in the industry currently consider to fall outside the scope of data protection legislation will now be captured by the GDPR. That means that you shouldn’t assume that unique identifiers (e.g. cookie IDs or advertising IDs) are ‘anonymous’ data.

You should also implement measures to monitor the information going forward in order to ascertain the risk potential of data flowing in and out of your company.

4. Review and manage data partners

The information audit will help you understand and review which data partners you are working with – both directly and indirectly. Find out how your agencies and data partners are preparing for the GDPR and establish an effective data partner management system to ensure they are complying with their obligations. For example: obtaining consent where appropriate for the processing of personal data, as well as demonstrating compliance.

In time, organisations will need to revisit, review and adapt contracts or agreements with data partners to ensure compliance and that shared obligations and responsibilities under the GDPR are being managed adequately.

5. Read existing guidance but look out for new guidance

The GDPR is still filled with grey areas and regulators have yet to publish guidance for many important parts of the new law. We expect a waterfall of guidance to be released in October and December, but it’s important to review what’s already been published, including in areas such as Data Protection Officers (DPOs), Lead Supervisory Authority (LSA), the Right to Data Portability, Data Protection Impact Assessments and Data Processing at Work.

Complying with the GDPR brings challenges and opportunities. Whilst it can be daunting to take the first few steps towards compliance, just remember that regulators – and more importantly – customers will thank you for it.

—

Yves Schwarzbart is head of policy and regulatory affairs at IAB UK

The IAB has produced a GDPR checklist – available here.