Come May 25th, 2018, GDPR rolls into effect and anyone who collects, stores, and processes data about EU residents will find themselves under the spotlight. They all need to comply – or face penalties.
The consequences are steep enough to push the whole ad tech industry – which relies heavily on user data that will now need users’ explicit consent – in a quiet panic. This includes publishers who monetize their EU audiences through advertising.
With three months left, it’s time to work on a compliance plan of your own. To get started, here’s a human-readable GDPR compliance checklist for publishers.
What You’ll Need:
- Lawful Basis: Basically, a valid reason to continue doing whatever you (and your ‘processors’) are doing with EU residents’ data. Lawful bases include explicit consent, legitimate interest (which is NOT a Get-out-of-jail-free-card, quit hoping), contractual basis, legal obligation, etc.
Recommended Reading: Lawful Basis for Processing (Source: ICO.org UK)
- Vendor list: Each ‘data processor’ (ad tech vendors, as well as analytics and tag management platforms) on your site will need user’s explicit consent to continue using their data. The ‘data controller’ (publisher) must procure this consent. If you don’t know who is collecting data through your pages, use a tool like Evidon Trackermap.
- Privacy Notices: Or Consent notice, if that’s what your lawful basis is. This is where you commit to GDPR’s transparency principle by clearly telling visitors exactly what they’re giving up (data), why (your lawful basis), to who (all the processors you’ll be sharing this data with), how long this data will be kept etc.
- Record keeping skills: A lot of GDPR compliance is about keeping records of what you do with the data you have to demonstrate your accountability.
- A team of developers and a lawyer/GDPR consultant to approve your game plan before you start implementing it.
Once you understand all that, proceed with the following steps:
1. Review and Document: Data, Processing, and Sharing Activities
It sounds droll, but it’s one of the easier steps to achieve compliance. Also, it’s not optional. Richard Lam, who is working on his organization’s GDPR compliance project, says:
GDPR requires extensive record keeping, so document everything; what personal data you process and the lawful basis behind doing so. Document the process workflow of the personal data – where it’s stored, who’s in control of it, who it’s shared with, etc. Then formalize a process in case you receive a “right to be erased” request.
– Richard Lam, Head of Programmatic and Ad Ops, Network-N
The purpose of these records is to show that you are accountable for data within your organization. That said, this also has the added benefit of helping you identify what needs to be done and where in order to be GDPR compliant before the deadline.
2. Update Your Privacy Notice
The first rule of GDPR is to talk about your data collection and processing habits with visitors honestly.
In order for the processing to be fair, the data controller (the organisation in control of processing the data) has to make certain information available to the data subjects (the individuals whom the data relates to) in order to continue using their data.
– ICO.org UK
This applies regardless of whether you’re obtaining the data directly from data subject (your visitor) or from second or third-party arrangements. As long as the data you have is from an EU resident, you HAVE to disclose to them:
- who the data controller is; for the record, it’s the publisher,
- why their data needs to processed;
- who will be processing it (who it will be shared with),
- Any other information that should be disclosed in keeping with the spirit of transparency, like the effect of said processing (“online tracking”), how the data collecting will work (“cookies on your device”), etc.
Recommended reading: Good and Bad Examples of Privacy Notices (Source: ICO.org UK)
Publishers will find that for a lot of their advertising system to continue functioning as it does, they’ll need consent as their lawful basis. Good news is, this basis will also cover compliance with an updated ePrivacy directive – which is slated to come into effect on the same day as GDPR (although the chances of that happening look slim).
To be valid, consent MUST have the following adjectives: freely-given, specific, informed, granular, opt-in, and unambiguous. On a related note, silence, pre-ticked boxes, or inactivity does NOT count as consent.
Perimeter (a consent vendor) put out a useful wireframe for a GDPR-compliant consent notice:
Then you have to make sure that once given, consent is also easy to withdraw. As per Richard Lam:
You’re looking at implementing a double opt in method. I believe publishers of any scale with an active developer team/people/person should be able to create something functioning in-house. It’s what we are working on ourselves, and I know a few big publishers like The Guardian and News UK are doing the same. If you don’t have the developers, you could always use a consent vendor.
If you don’t own and operate the sites but have advertising rights to them, you’ll need to implement your consent notice across the network – including sites you don’t own/operate but have exclusive advertising rights to. Make sure that a granular opt-out on one site is remembered across all the websites under that network.
Note that you’ll need a parent or guardian’s verifiable consent to gather and process data from children under the age of 16 (may be lowered to a minimum of 13 in the UK). Transparency applies to children too, so your privacy notice must be written in language that children will understand.
3. Finalize What You’ll do When Your Users Exercise Their GDPR Rights
How would you react if someone asks to have their personal data deleted across the board, or access it? Can your systems help you locate and delete one user’s data within thirty days?
Recommended reading: Individual Rights and Subsections (Source: ICO.org UK)
Richard Lam shares the process his team put in place,
That was the easiest part to tick off our checklist, as it mirrors the subject access request (SAR) guidelines currently in place under the Data Protection Act.
We plan to have a contact form on our corporate website through which users can get in touch. The request goes to a central person here who will be responsible for SAR and data erasure requests. We then send user a form to fill in, they then provide a form of ID along with the completed and signed form, and we process it.
Since the consent needs to be “easily withdrawn”, this contact form will also be linked to all the privacy policies on our owned and operated websites.
Remember that whenever the user requests to access their data, you will need to provide the personal data in “a structure commonly used as well as machine-readable form” for no fees (unless the request becomes repetitive) and within thirty days.
4. Prevent and Report Data Breach
This is what has most everyone in the supply chain scratching their heads. In a system as labyrinthine as programmatic – where data is collected and passed around with little regard to frivolous concerns like origin or individual rights – how are you supposed to prevent data leakage?
The complexity of Lumascape won’t fly under GDPR. Shubham Grover, Product Specialist at AdPushup, outlines what publishers can reasonably do to prevent and protect themselves against data leakage:
- Never allow an SSP to add partners (for backfill demand) on their end without your consent.
- Connect with all of your tech vendors and partners and communicate your data policy, i.e., expectations for data handling, what’s allowed or not, etc..
- Review all current data sharing arrangements and partnerships. Revise contracts with partners in light of GDPR.
- Strip any personal data (as defined by GDPR) before you process it or share it with other entities (like Google Analytics or Mixpanel).
- Include all vendors currently collecting and processing data through you in your privacy notice.
Keep monitoring your digital properties to make sure no unauthorized entities are sneakily listening in to your user’s data. Know that “failure to report a breach when required to do so could result in a fine, as well as a fine for the breach itself.”
It may not be foolproof on a larger scale, but it shows how committed you actually are to protecting your visitors’ data privacy rights.
5. Privacy Assessments and Personnel
You’re almost done.
Under GDPR, “privacy by design” is an express legal requirement for those who deal with user data. That means PIAs or ‘Data Protection Impact Assessments’ (DPIAs) are mandatory in situations
- where a new technology/platform is being implemented;
- where a profiling operation is likely to significantly affect individuals; or
- where there is processing of special categories of data (on a large scale)
Recommended Reading: Conducting PIAs: Code of Practice (PDF link)
If your assessment concludes that the data processing is “high risk to individuals” and that you can’t address those risks, you will need to consult the GDPR supervisory authority (SA) in your member state for guidance on further action.
I’ll reiterate that conducting DPIAs in situations mentioned above is a legal requirement. This is a good time to make it an organizational practice. Consider appointing someone who’ll be responsible for your data protection compliance and risk assessment.
And that’s it.
What happens once GDPR comes into effect? There’s little point in speculating. Remember that privacy and tracking were prime concerns for early adblock adoption and remains one of the major motivation to this day. It’s reasonable to assume that a lot of EU-based visitors won’t blink twice before opting out of all tracking/cookies once they have the choice.
Publishers who have years’ worth of EU-based audience segments are right to panic since, without consent, their data will be out of commission. “If it were me, I would seriously consider selling this data,” says Shubham. “DSPs will sorely need it (in hashed form) for creating contextual targeting segments who will be willing to pay more bucks than usual (audience extension data).”
With contextual targeting on the rise, niche publishers may find that they’re less likely to lose yield. Richard Lam, who manages programmatic and ad ops for a UK-based gaming vertical network, says, “I can see news publishers panicking, especially if they invested heavily in audience targeting, DMP, and data scientists. They had hundreds of different audience pots for targeting. So yeah, I guess if I were in those shoes I’d certainly be bricking it.”
But not all hope is lost. “Every cloud has a silver lining. There would be users who do opt-in on cookies. With that, first-party data will become gold for publishers,” he says.
ICO.org.uk Preparing for GDPR 12 Step Guide (PDF link)
Here are some recommended readings for understanding more about the subject: