GDPR in a digital ecosystem
Updated: Dec 30, 2018
A short read demonstrating how GDPR has taken effect on the digital ecosystem and what you can do to be prepared.
The original version of this was published on LinkedIn on September 26, 2017 and has been updated below with new information.
How can we help with solving the complex challenges of GDPR faced by everyone in the digital ecosystem? Well, please see below for how we see the current status of GDPR regulation and how it applies to the media industry. We have set up our business to be ready from the get-go.
As everybody should know by now, GDPR is coming into effect on May 25th this year. The big question is: are you compliant? If your business operates as any part of the supply chain in digital media, you could be facing fines of up to €20m or 4% of your annual global turnover. As an example, for a breach of protocol by, say, Marmite, this fine would be linked to parent company Unilever’s global revenue: some $2bn.
Carphone Warehouse has been fined £400,000 this year already for a serious data breach around cybersecurity. Had this been post-May 25, the fine could have been around £336m.
Last November Uber revealed some 57 million customer accounts were hacked. Post-GDPR the fine for that kind of breach would have cost them $800m.
And you might remember Google is facing a challenge for collecting user data unlawfully through iPhones: if found guilty, that one could sting at around $3.58bn.
Fines for non-compliance are going to hurt!
Would a more transparent system of collecting and processing data and its consent have prevented these events?
The regulation has been created to build privacy by design for consumers and to give them control over how organizations collect, store and manipulate their personal data. The current legislation, which does not adequately protect users, is being replaced. Organizations will be restricted from using consumer data that can identify an individual in order to serve them a tailored message unless specific consent has been given.
All personal cookie data falls under GDPR, and it cannot be processed without a GDPR compliant basis. IP address and mobile device IDs, geo-location data, and public WiFi data are included here too - the reach of the regulations is far and wide.
Consent is now king. If, as a user, you have not freely given clear, specific, informed and unambiguous consent to a request to use ‘your’ data in order to tailor messaging to you, then you are having a non-compliant experience and you’ll be able to raise a complaint with the ICO.
GDPR allows that legitimate interest can be justified if the organisation’s interest is not outweighed by the Subject’s freedoms and rights. The entire marketing industry seems to be hanging its hat on this lifeline, and some are translating this as catch-all permission to keep business as usual, because of the relevance of their message to their target. One retargeting company has apparently put into their T&Cs that a user’s browsing behaviour can so accurately indicate their interests that all advertising they deliver to them is therefore in the user's interest, and so their consent to do so is unambiguous, even though the Subject has not explicitly agreed (the major flaw in this is that permission is still needed to collect the data in the first place). Nonetheless, this is an example of how the ad-tech community especially is angling to use legitimate interest to justify the exact practices that GDPR is trying to give users control over.
What does this really mean directly to our industry?
Media owners will not be allowed to sell audience extension campaigns using user targeting, where you push an audience as ‘your users’ off-site, without permission, which they must ask for.
Media owners will need to figure out how to ask for permission without destroying the user journey and still harvest value from users.
Media owners may not incentivise the audience to give consent (it must be freely given).
Unless the personal data is demonstrably needed for the website to deliver the service they are accessing it for, media owners may not compromise such access or other features (that do not require personal data) on the site if the user did not consent for their data to be collected.
With further rulings under discussion about not being able to restrict the media experience of users who refuse to have ads served to them at all, this is going to get complicated, but it is healthy for long-term plans. Publishers will need to repurpose their existence for the consumers' benefit, not just see them as a meal ticket for advertising revenue. Running headlong into rescuing short-term revenue doesn't put the consumer front and centre.
The relationship between all in this industry has festered because of a murky supply chain. Truth's guarantee of transparency within the set-up allows publishers to increase revenues and allows brands to achieve more real reach for less investment.
Agencies need to take care to understand GDPR obligations. They are only allowed to collect the data needed. At the outset, they are not responsible for the data that’s passed to them to process (other than obligations on its security, storage, and to fulfil requests around its processing, deletion and accuracy) as long as they only process the data as instructed by the data controller.
If they are passed data they don't immediately need, it must be erased and the Data Controller informed that it shouldn't have been passed.
Agencies must become Joint Data Controllers (with each entity that passed them the data!). Critically, they now do become liable for the use of data that may not have been lawfully acquired.
I would expect GDPR compliance checks to be an essential service to offer clients, and an agency on the front foot here will earn a significant advantage. Terms and conditions and privacy policies will need updating, along with internal data processing documentation.
As any kind of data or tech intermediary, you will only be able to use the data for the purpose it was originally given, and it will be incumbent upon you to check, as best practice, that what is passed to you is compliant; ad-tech intermediaries will not, however, be responsible for collecting consent.
For advertisers, it is not a fundamental right to reach out to your customers in order to sell them something else. You need specific permission to advertise. Broadly though, as long as advertisers do not contribute data to the campaign, either as Controllers or Processors, then they have no liability under GDPR for the data against which their campaigns run.
Advertisers too are responsible for the supply chain they use being compliant, and they should carefully consider how it plays out if an informed user does take exception and decides to complain. It’s BRANDX's brand that’s in the firing line, liable or not. Legally they are not culpable, but reputationally? That could be expensive.
It will be interesting to see what this means for retargeting. As long as retargeting is conducted by the data controller using only first-party data, there is a case for legitimate interest (as the prospective benefit to the user may be sufficient on balance). The same argument will not stack up if third-party data is harnessed, in which case specific affirmative consent is needed. The outlook is bleak for many in the chain whose service is built on aggregating and profiling third-party data sources to deliver targetable audience pools.
We should be looking to appoint DPOs (Data Protection Officers) to make sure that not only the use, but also the storage and protection, of user and customer data is treated as of paramount importance. These are mandatory roles under the Regulation that firms are legally required to appoint if they process personal data at significant scale.
We need to move now. There are already examples of safety checks resulting in breaches of the UK ePrivacy rules. Let’s try not to have fines on day one.
If you feel that you are already compliant as a UK advertiser under UK Law, you should check as not all measures in place in the UK reach the minimum requirements of the European GDPR ruling, and regardless of your Brexit persuasion, we are still part of the EU.
GDPR does allow for some personal data to be lawfully collected and processed without requiring explicit affirmative consent:
if there is a contractual legal obligation for its use
if it fulfils the public interest
for the performance of a contract
to protect the subject's or another person's vital interests
Data collected with GDPR compliance is not allowed to be kept for eternity: it may only be stored for as long as it is needed for processing or within the terms of a contract, and the user has the right to be forgotten and to have their data returned to them in a portable format, or indeed transferred to another organisation on request.
You will also have the right of access as an individual to know where and how your data is being stored, what it is being used for, and by whom. Organisations must provide the information requested above within 30 days free of charge; anyone can ask for anything at any time at no cost to themselves. If an organisation holds personal data, then the owner has the right to access it.
We are moving full circle with programmatic media. We have the pipes in place that now allow automatic buying of media in the digital space - these pipes will need to be pointed at data sources that are based on environmental data or confirmed consensual data.
I hope that out of this, we can start returning art to the process of media planning and buying rather than relying too heavily on science. GDPR resurfaces the need for skills that have been lost through the convenience of technology.
GDPR will force a wave of change through publishers, agencies, ad-tech, advertisers and consumers which will be time-consuming, complex and in some cases expensive. We are encouraging this regulation in our industry, and so have embraced the arrival.
Please talk to us to see how we can help.
Originally written for LinkedIn September 2017