With the introduction of GDPR in Europe, ad operations professionals face many challenges. One important requirement is assessing whether advertising management software is compliant when it handles highly sensitive information, especially during activities such as bidding inventory management or customer billing.
Furthermore, Forrester Research explains that, in practice, GDPR impacts digital marketing and advertising in slightly different ways.
“If most marketing activities today (such as email, postal mail, SMS, etc.) already rely on some form of opt-in, digital advertising lives in a grey area where the need for consent is very much dependent on the type of activity/processing the marketing organization wants to carry out.”
But let’s start from the beginning in order to have a deeper understanding.
What is GDPR again?
The General Data Protection Regulation (GDPR) is a comprehensive data protection law to be enacted on May 25, 2017. The European Union will strengthen the protection of personal data and update the somewhat fragmented data protection laws in its member countries.
However, “personal data” is rather broad, isn’t it?
It’s simply any information that relates to an identified individual. For instance, John Smith, head of advertising operations at Acme Media, father of two who is currently paying his mortgage at Acme Bank.
This is different from identifiable individuals or “data subjects.” For example, someone at Acme Media who lives in London and has declared his interests in advertising operations.
In summary, GDPR will:
- Expand data privacy rights for EU individuals.
- Introduce data breach notifications.
- Enhance security requirements for organizations.
- Demand enhanced security safeguards for third-party customer profiling and monitoring requirements.
Salesforce explains that GDPR regulates the “processing” of data for individuals in the EU. This includes the collection, transfer or use of information, and any company that processes the personal data of European Union individuals must comply, whether or not it physically operates on the continent.
For those outside the European Union, GDPR will set binding rules that companies must follow to legalize transfers of personal data outside the continent, and it will require companies to work with lead supervisory authorities on cross-border data protection issues.
The point is: it doesn’t matter if you acquired John Smith’s data while sitting in an office in Manila, with the information stored on a server in Singapore and managed by customer support in New York City. You must abide by it.
What GDPR expects from you
Ian Gotts, Founder & CEO of Elements.cloud, is adamant that GDPR applies to all organizations that:
- Hold or process personal data of subjects residing in the EU.
- Offer goods or services to EU residents.
- Monitor behaviors of EU data subjects.
Companies that work with third-party data must:
- Manage people’s information in a fair and transparent manner.
- Collect their personal data only for specific, explicit and legitimate purposes.
- Collect information that is adequate, relevant and limited to what’s necessary for their everyday business.
- Keep information accurate and up to date.
- Keep personal data as long as it’s needed and delete it when the relationship is terminated.
- Use the appropriate technical and cross-organizational security measures to protect data against unauthorized processing.
Gotts adds that the most significant challenge, in particular for US companies, is that under GDPR customers must now give consent for their data to be used.