6 Ways Ad Tech Companies Can Prepare for GDPR
GDPR has become a buzzword lately, especially in the ad tech industry. It's no surprise, as advertising businesses process data from thousands of third parties. On May 25, 2018, the General Data Protection Regulation will come into effect. In this article we'll try to figure out how this will affect ad tech and how companies can become GDPR-compliant.
6 Key Facts about GDPR You Should Know
- The Law. GDPR is a set of regulations containing 11 chapters and 99 articles. It covers legal aspects of data collection and transfer. You're not likely to find much practical advice on how to comply with it, unless you've studied at a law school or have had experience in working with legal provisions from an IT perspective.
- The scope. One of the big changes is the scope of GDPR. To put it simply, even if your company is not EU-based but you have at least 1 client from the Union, you must comply.
- Consent. GDPR does attempt to make data protection easier to comprehend for average citizens. In this regard, whenever you're about to get any personal data (e.g. during sign-up), you should inform the user about it in clear and plain language.
- Withdrawal. You should make it easy for your clients to access the information about the data you collect. Additionally, companies should make it easy for their customers to withdraw their consent for data processing (e.g. they can click on a button or a check box and you will no longer collect and process their data).
- Heavy fines. Arguably, the fines are one of the main reasons why there's so much hype around GDPR. No business would want to risk losing up to €20 million or 4% of global turnover for failing to comply.
As stated above, moving to the new policy will be even more complicated for companies like DSPs, ad networks or ad exchanges, which are connected to hundreds of demand and supply sources. As an ad network that works with data-providing companies to launch personalized ad campaigns, Epom Market also made the most of the two-year window to get ready for GDPR. Now that we've discussed the basics, let's take a look at a few ways ad tech companies can prepare themselves for GDPR enforcement.
- Get Your Clients' Consent for Data Collection and Processing. Whenever you're about to collect personal data, be sure to inform your clients about it. Add a checkbox to your registration form so that the user knows that upon registration you'll start storing the data. Make sure you only process and store data from users who have given you their agreement for that.
- Make Information User-Friendly. The information about the data you collect and store should not be packed with hundreds of technical details or legal matters. As stated above, it should be written in plain language. GDPR provides the users with 8 basic rights regarding their data, which include but are not limited to a right to be informed, a right to rectification, erasure or blocking of data and a right to access.
- Sign an Insertion Order Before Starting New Partnerships. Whenever you're about to start a new partnership, always sign an insertion order. It should be clear to all parties who's responsible for data processing and protection and who'll be the one to blame if you get a GDPR-related complaint. If it's a SaaS business, it should be clear that the company only provides the software for clients and does not process/collect any personal information from the end-users.
- Check Where DMPs Get the Data. By now you already understand that GDPR imposes some serious obligations on all companies dealing with data. As for Data Management Platforms, they're not collecting data per se. If you're using a DMP, it's up to you to make sure that the data you transfer to the system is processed in compliance with GDPR. Make sure you've signed a data processing agreement (DPA) with your DMP.
- Invest in Data Security. One of the most hazardous things with regard to GDPR is data loss. If you've been hacked, you're obliged to report the breach to your local data protection regulator no later than 72 hours following the attack.
- Don't Panic. While GDPR is set to come into effect on May 25, 2018, there are still quite a few questions that remain unanswered with regard to who will take final responsibility for failing to comply, or how the fining process will actually be carried out. Officials in the EU have already stated that the penalties will not be that harsh if a business is aware of GDPR and has actually taken steps to comply with it but failed at some point.
Although some experts have speculated that GDPR will result in huge losses for ad tech businesses, it's unlikely that it will dramatically affect the rapid development of the industry, at least not in the near future. If you're still unsure how to comply with GDPR and whether or not to do it, it's probably best to consult a lawyer or an IT security company.