The Data Protection Congress and the GDPR

The effective date of the General Data Protection Regulation (GDPR) is late May 2018. As this date draws near, we are committed to compliance. John Stoneman, our GM of Europe, recently attended a Data Protection Congress in Brussels, where every one of the 40-plus sessions across the two days was devoted to a different angle of the GDPR. He wrote this Lift Letter to summarize ongoing considerations and developments. 


The basic tenets of the GDPR were covered previously. All industry participants, including non-Europeans, must be familiar with the GDPR - its impact is not limited to European companies or operations in Europe.

The Congress opened with a keynote speech from Věra Jourová, the European Commissioner for Justice, Consumers and Gender Equality. Jourová oversees the GDPR, the Privacy Shield, and the intersection of human rights and the digital economy, making her arguably the central figure in data protection across the world.

One of her opening statements brought home the stark reality of GDPR: “We have 198 days until enforcement begins…” That was nearly two weeks ago. But as we get closer to May 25th, 2018, and as the dialogue between politicians, regulators, trade bodies, customers and stakeholders increases, the picture is becoming clearer as to exactly what the industry will need to do.

In addition, the underlying ethos of how GDPR will be enforced has begun to emerge. Jourová said: “We need balanced rules inside the triangle between private data, the security of people, and the interests of business. Let’s not get hysterical because we can kill innovation.” It seems that GDPR readiness is most aligned with operationalizing the spirit of what the regulators are intending.

So what exactly do we need to do? There are some clear steps, some of which are consistent for every type of business, and some of which are specific to our own situation in the world of ad-tech.

Create a Data Taskforce

Every company with cross-functional data subject to the GDPR should ensure that there is a group of well-placed and knowledgeable people who are shouldering the burden of GDPR compliance. The task force will need inputs from the technology and business teams to ensure compliance. This must be an ongoing functional group, as compliance requires ongoing vigilance. Every future project we engage in will need to have “Privacy By Design.” TripleLift's own task force will be announced shortly.

Complete a Data Mapping Project

Companies must have a clear understanding of where they use personal data - both currently and in the future. This must be documented and available in different versions for regulators and consumers. The documentation must be in plain English, not technical jargon, and it needs to cover every possible place where companies keep personal data on EU subjects. For TripleLift, this includes not only the TripleLift Exchange, but also marketing and CRM databases - even our HR records. We need to ask questions such as: Why are we holding it? How long do we keep it? Is it stored safely?

Designate a Data Protection Officer

Compliance with the GDPR requires appointing a Data Protection Officer (DPO) who is formally tasked with ensuring awareness of, and compliance with, the GDPR's data protection requirements. The DPO may be either an employee or an external consultant. TripleLift is committed to compliance with the GDPR, and as the company does not currently employ anyone in this capacity, we will likely hire an external consultant.


A crucial part of GDPR is ensuring that processes are in place to allow people to access the data we store about them. Similarly, there must be processes that give them the ability to exercise specific rights, such as the right to be forgotten and the right of correction. Our privacy notices must accurately reflect the data we hold and the processes we follow. If there were to be a data breach, we must have documented procedures to detect, investigate and report the breach - and we must follow this defined process.

The steps above must be adopted by every company that has a presence in Europe, regardless of its industry. Within the world of ad tech, and with TripleLift acting as an SSP, we have several additional steps that are required before May 25.

Publisher Agreements

TripleLift must work closely with all of the publishers using our platform to understand how they are approaching GDPR compliance. This includes non-European publishers that monetize European IP traffic. TripleLift must understand how they are approaching the legal basis for controlling user data - and whether, as is most likely, this will be accomplished by capturing user consent. TripleLift will need to ensure that it is included within their consent-capturing workflows.

TripleLift will need to make sure it has amendments in place for our publisher MSAs, and the company will also need to have reviewed the language in its agreements with other entities, such as DSPs and DMPs.

The GDPR will effectively result in two types of inventory after May 25: "Opt-in" or "Opt-out." As long as TripleLift follows the regulations on how to monetize each form of inventory, both will be considered GDPR compliant. Opt-in inventory is that where the user has elected to allow cookies and effectively enable behavioral targeting. This will be a scarce user-base, resulting in high prices, though it may create such scarcity that it becomes less prevalent as a targeting consideration. Opt-out, or lack of opt-in, inventory may still be monetized. However, no persistent identifiers are allowed - meaning the user may not be cookied, though context, device and similar attributes may be considered.  

Each company must adapt to the changing regulations. The GDPR will create winners and losers based on various business models. Those that can adapt to the change faster than the competition, while still being compliant, will ultimately succeed.