A PRACTICAL GUIDE FOR HOW AN ADVERTISER CAN PREPARE FOR GDPR JANUARY 2018

Transcription

1 A PRACTICAL GUIDE FOR HOW AN ADVERTISER CAN PREPARE FOR GDPR JANUARY

2 PURPOSE OF THIS DOCUMENT 2 This document is to be used as a guide for advertisers on how they should work with their agencies, data providers, publishers and ad tech providers across the industry. GDPR is complex due to the multiple obligations and the various roles of marketers and their partners play in controlling and processing data. The Programmatic Advisory would like to provide you with a checklist on how to work with your advertising partners to navigate these complexities. This document should not be taken as legal advice for complying with GDPR. It does not provide a guide on how to be compliant and should not be used for that purpose. The Programmatic Advisory are a consultancy which specialise in providing nonconflicted programmatic advice.

3 CONTENTS 3 Slides Contents 1-3 Document introduction 4-7 GDPR introduction 8-20 Duties & Obligations for advertisers What it means for industry players and checklist for advertiser s on how to work with 35 Summary

4 WHAT IS GDPR? 4 The General Data Protection Regulation (GDPR) is a new legislation that will come into force on the 25 th of May 2018, replacing the existing Data Protection Act. It is significantly more comprehensive in its definition of what comprises personal data, and people s rights surrounding its collection, processing, storage and use. Companies EU-based or otherwise must build data protection into their system design and infrastructure, or risk severe penalties. It unifies legislation across the EU with the aim of strengthening the privacy rights of European citizens. Unified legislation simplifies the rules for businesses that collect and use consumer data however there is work to do by companies before it takes effect to ensure they are compliant.

5 WHAT ARE THE RISKS OF NON-COMPLIANCE? 5 Supervisory Authorities (SAs) in each EU country are responsible for enforcing the GDPR. In the UK, this is the responsibility of the Information Commissioner s Office (ICO). SAs can give companies a warning, suspend or ban their dataprocessing activities. They can also impose heavy fines, depending on the severity of the breach. 20 million or 4% of the company s global annual turnover of the previous financial year, whichever is higher. SAs will take into account a variety of factors when imposing a fine such as: 1. Duration and size of the infringement 2. Whether it was intentional or not 3. What the company has done/is doing to mitigate the damage 10 million or 2% of the company s global annual turnover of the previous financial year, whichever is higher.

6 WHO DOES IT AFFECT? 6 A data controller determines the purpose of collecting, storing and processing personal data. GDPR affects any organisation that processes data of an EU citizen, even if processing sits outside of the EU. This includes organisations outside the EU that offer goods and services to EU citizens, measure their behaviour or hold their personal information. It also affects both data controllers and data processors. It is important to make the distinction between the two. A data processor processes personal data on behalf of the data controller. An entity can be both or either a data controller and/ or data processor. Their responsibilities and liabilities under GDPR are dependent on which they are.

7 KEY GDPR DUTIES AND OBLIGATIONS FOR ADVERTISERS 7 Legality, Transparency & Fairness Security of personal data Rights of EU data subjects Accountability Data Use and Storage Principles Privacy Policies must be clear and easy to understand. Consent is required to collect and process personal data, and must be as easy to withdraw as it is to give. It is possible to derive consent by several means, including proving legitimate interest A significant data breach must be reported to the SA by the data controller within 72 hours. In high risk scenarios, data subjects must be informed. All data must have technical and procedural measures to ensure an appropriate level of security. GDPR confers citizens with comprehensive rights surrounding use of their personal data. These include rights to access data that s held, as well as its accuracy, erasure and portability. There are also particular rights related to automated processing such as profiling Organizations should expect regulators to potentially exercise their powers to access data and premises, especially if an individual has made a complaint to the ICO. They must be able to demonstrate compliance with the GDPR principles relating to personal data. Only the least data necessary to deliver a service should be collected and processed, and only stored for as long as it s required. Data privacy should be designed by default into all organisational and technology processes from the ground up.. 7

8 LEGALITY, TRANSPARENCY AND FAIRNESS 8

9 LEGALITY, TRANSPARENCY & FAIRNESS Consent must be sought and recorded before collecting, storing and using personal data 9 GDPR defines personal data as any information that could identify a natural person (a data subject) either directly or indirectly. This significantly widens the scope of what s considered personal data to include digital criteria such as location data, IP address, cookies and RFID tags. Organisations must secure the affirmative consent of data subjects for the use of their personal data, and it must be freely given, specific and informed. Affirmative consent means the subject must make a clear action that signifies positive agreement to the use of their data. Most commonly, this means that boxes to signify consent may not be pre-ticked. This will be challenging for the advertising industry as there are concerns that not many people will freely consent to the use of their data for advertising purposes. GDPR does allow for legitimate interest as a case for lawful processing of personal data. Whilst this does not require explicit consent, it must be proven that the organisation s interests are not outweighed by the data subject s rights and freedoms. There are a large amount of organisations in advertising who use consumer data and most of which do not have direct contact with the consumer to request consent. Even at the point of consent, it may be difficult to capture consent for every stakeholder in the advertising supply chain. On the right you can see some of the roles your partners could play when controlling and processing data. It is the data controller s responsibility to ensure they have secured lawful consent. Analytics Supplier Processor Media Buying Tool (DSP) Processor Publisher Controller Agency Joint Controller Data Providers Joint Controller

10 THERE IS A RELIANCE ON PUBLISHERS AND ADVERTISERS TO CAPTURE CONSENT CORRECTLY 10

11 THE INDUSTRY IS COLLABORATING TO CREATE A CONSENT MECHANISM WHICH CAN BE IMPLEMENTED UBIQUITOUSLY 11 advertisingconsent.eu IAB Europe presents industry consent mechanism for meeting challenges under the GDPR and calls for broad industry engagement on further development and roll-out. Key features include; Working on mobile devices and desktops alike Enables dynamic disclosure by first parties of third party advertising partners and the purposes for which they collect and process data. Allows obtaining global or service-specific affirmative consent, as well as updating consent choices and withdrawing consent. Enables the transmission of user consent choices to third party advertising partners. Increases accountability in the advertising ecosystem by enabling the creation of consent records and an audit trail. Can be deployed before the date of application of the GDPR.

12 EXAMPLES OF GDPR CONSENT MANAGEMENT 12 Some effort has been made to unbundle consent by separating T&C from Contact Permission However, T&Cs still refer to registration details, so include personal data processing GDPR is not met because the user is not clearly informed of how their data is used or for what purpose. Imposing mandatory acceptance of terms that include the use of personal data is unlawful. This example shows how a user can manage their consent across multiple permissions. However, the exact organisations that personal data is shared with must be listed. It is not lawful to pre-tick a box to signify consent.

13 SECURITY OF PERSONAL DATA 13

14 SECURITY OF PERSONAL DATA 14 Data breach means breach of security that leads to the accidental or unlawful destruction, loss or alteration of data, its unauthorised disclosure, or the access to personal data that has been transmitted, stored or otherwise processed. A data breach that is likely to result in a risk to individuals rights and freedoms must be reported to the SA within 72 hours of discovery. In high risk scenarios, data subjects must be informed. All data must have technical and procedural measures to ensure an appropriate level of security. It is the data controller that must report a breach to the SA; processors are only required to inform the data controller of any incident. Following a breach, the organisation responsible for the data must provide: The name and contact of the company s data protection officer The anticipated consequences of the breach The measures taken by the company to remedy or mitigate the breach

15 RIGHTS OF EU DATA SUBJECTS 15

16 16 RIGHTS OF EU DATA SUBJECTS GDPR stipulates eight fundamental Rights that all individuals have surrounding the storage and use of their personal data. These include rights of access to their personal data an organisation holds, which must be provided for free and within 30 days of request. Organisations must ensure they can manage requests of this nature and provide evidence that any request has been dealt with. Other rights that must be managed include rights to rectification, erasure, portability, and to be informed. There are also particular rights around automated decision-making and profiling, and the right to restrict processing, that are especially relevant for digital marketing. Controllers should ensure all processors in the supply chain can conform to their obligations on data subject rights.

17 ACCOUNTABILITY 17

18 ACCOUNTABILITY OF COMPLIANCE 18 An organisation must be able to demonstrate that it complies with the Principles. DPO It is a Controller s responsibility to ensure that all consent has been tracked and recorded. They must also prove that they have taken measures to ensure personal data is protected, making the process frictionless when regulators audit them. A Data Protection Officer must be appointed where: The core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale. This is likely to be the case for many if not all vendors and providers in the ad tech stack, and potentially agencies too.

19 DATA USE AND STORAGE PRINCIPALS 19

20 DATA PROTECTION BY DESIGN AND BY DEFAULT An approach to a project that promotes data protection and compliance from the outset 20 Advertisers must make data protection a key consideration in their marketing efforts. This includes assessing the need for the collection of consumer data in existing marketing campaigns and for any new data led initiative. Auditing existing data sources to understand the data you have on consumers and understanding its use is a good first step to complying. This will help establish a process to that can be applied to any future project that includes consumer data. Below is a very basic example of a website tagging audit that could be delivered that can seek to understand what data is being collected and what providers are collecting it. Remember that analytics providers such as Google Analytics are also bound by GDPR obligations.

21 WHAT DOES IT MEAN FOR INDUSTRY PLAYERS? 21

22 ADVERTISER PARTNERS MUST TAKE RESPONSIBILITY An advertiser is only liable under GDPR if they directly control and/or process data themselves 22 Publishers Publishers have no liability if they only host your ads on their web property. They are in the best position to gain consent for tracking as they can provide a value exchange. Data Providers Ad Tech Providers Agencies Data providers collect data on consumers from many different sources. They will need to ensure they have consent to manage the data they hold through all these sources. Most ad tech providers are data processors only. However, if they decide what data to manage, eg for performance marketing, then they become controllers and need the consent to do so. Agencies provide many services to advertisers including but not limited to, campaign planning, campaign execution and ad tech management. They make decisions on what data to use and how, and so are Joint Controllers

23 PUBLISHERS 23

24 THE RISKS FOR PUBLISHERS 24 Most Publishers rely on selling ads on their websites and use data to make their inventory work as effectively as possible for their buyers. There is a concern that GDPR will render Publishers less competitive (by the need to secure affirmative consent) than other digital media channels such as Social Media and Search that do not have the same obligation. The question for publishers is whether they can argue legitimate interest in the use of personal data for targeted advertising. If they can, then they do not need to secure explicit consent. This is an area of much debate since the law does no more than mention that the controller s legitimate interest which may be commercial must not be outweighed by the data subject s rights and freedoms. Legitimate interest may be viable if the publisher s first party data is used to improve the user s experience or its service to them. If the publisher s only interest is to generate revenue from advertising, then it may be hard to argue that this interest is more important than subject rights. A publisher may not aim for affirmative consent for advertising, but if scale is unsatisfactory then fall back on arguing legitimate interest for their campaigns.

25 WORKING WITH YOUR PUBLISHER PARTNERS 25 Your Publisher Checklist Without consent on publisher sites to track consumers, it may be harder to measure the value of your advertising through ad tech, as services such as Google Analytics require cookie data and thus consent. It will also be harder to reach an addressable audience when consent is needed to collect consumer data, process it and then identify them again in marketing campaigns. Ensure your key publisher partners are capturing consumer consent in a compliant way. Understand how consumer consent is captured, stored and passed to the key advertising technologies on your stack. Understand how much GDPR will affect the scale of any deals you may have in place. Reduce liability and reduce the inventory supply chain by seeking advice on which vendors are working towards compliance.

26 DATA PROVIDERS 26

27 27 THE RISKS FOR DATA PROVIDERS Like other organisations in programmatic advertising, data providers often rely on a vast network of publishers for their data. Most will either drop cookies on internet users or leverage partner data and segment them into groups based on their traits. A data provider may not be able to derive the consent it needs to manipulate data directly from the consumer, so must work with the publishers to ensure the terms of consent passed to them include allowance for the way they will handle data. Working with a large network of publishers gives a data provider the benefit of scale but this comes at a risk, if one or more publishers unlawfully pass data to them that they then control. A third party data provider may find that it needs to stop working with publishers that do not secure the right consent they need to manage the data passed to them. However, this will reduce the scale or accuracy of their audience segments and potentially impact revenue.

28 WORKING WITH YOUR DATA PROVIDERS 28 Seek to understand how a data publisher has vetted their data sources. Negotiate a direct, non-liable relationship with your data providers. Understand how much GDPR will affect the scale of any deals you may have in place. Understand a data providers process to vetting new data providers. Your Data Provider Checklist Liability under GDPR for a data provider s breach cannot be passed on as long has it only been processed. Brands are at reputational risk if they advertise using unlawfully processed data, especially if a complaint is made.

29 AD TECH PROVIDERS 29

30 THE RISKS FOR AD TECH PROVIDERS 30 A media buying tool such as a DSP will process data from multiple parties including but not limited to; inventory exchanges, publishers and your website. If they are only used to buy inventory, then as Processors their liability does not include securing consent as long as the data is only processed according to the controller s instructions. If however they independently decide on how to use data, eg for dynamic retargeting, then explicit consent is needed. GDPR stipulates specific safeguards that must be in place when processing personal data for profiling reasons. Most significantly, the reasoning behind the process must be specified, and a breakdown provided of the possible consequences to guarantee fair and transparent processing. Suitable administrative and technical actions must be implemented that minimise risk and correct error, and individuals must be have access to human intervention, be able to articulate their opinion, receive an explanation of the arrangement and be able to challenge it.

31 WORKING WITH YOUR AD TECH PROVIDERS 31 There is a risk that data providers and other organisations in the supply chain may not get the consent needed. As long as they only process the data, they cannot be held liable for this (but must inform the data controller immediately if they are aware this is the case). A technology provider will be responsible for the security of consumer data, and must ensure it s kept accurate and conform to any Subject Access Requests. If an advertiser neither controls nor processes personal data, they have no liability under GDPR. However, they should consider the reputational risk if data they advertise against is unlawfully acquired or processed, especially if this leads to a Subject complaint. Your Ad-tech Provider Checklist Create and implement processes to ensure you can stay compliant when using their technology. Understand what measures are in place from your technology providers to protect your customer data. Ensure that you understand who is contractually liable for a breach in the ad-tech provider supply chain. Understand how an ad-tech provider can facilitate consent management on your web properties. Work with your at-tech partner to audit the data you are collecting today and review its purpose. Ensure that adtech providers keep thorough and accurate records of their processing activities, especially in relation to how they conform to the instructions of a controller.

32 AGENCIES 32

33 THE RISKS FOR AGENCIES Agencies can be both data controllers and processors. They use ad technology to collect data and also manipulate it on behalf of advertisers. They often do not have direct contact with the consumer so must rely on other partners to assist them. They work with multiple advertisers and technologies that will likely have different approaches to GDPR compliance. An agency has the benefit of using multiple resources to inform their GDPR strategy. However, an approach for one advertiser can not necessarily be applied to another. Agencies represent multiple advertisers and a lot of work will be needed to ensure they are compliant for all of them. Having multiple technologies and sources of data available will also increase their risk of non-compliance. Similarly to other organisations we have mentioned, they may also seek to reduce the number of technology providers and data sources being used. 33

34 WORKING WITH YOUR AGENCIES 34 Your Agency Checklist Document the customer data being collected or used in your agency. Create and implement processes to ensure your agency stays compliant when using your technology or data. Ensure that you understand who is contractually liable for a breach when your agency breaches regulation using your data. Has your agency appointed a Data Protection Officer? Understand where and how your data is being processed and where it is being passed. Your media agency is an extension of your business and will work on your behalf with many stakeholders across the industry. They will likely be collecting and processing your customer data so it is extremely important to understand how this is being done. If an agency was to misuse data on your behalf, you would be liable if it s data you passed to them. It is the controller s responsibility to understand how its data is being stored and used. There is also a risk that an advertiser is simply not aware of the consumer data being collected by an agency. It is important for an advertiser to audit their data sources and understand who is using what. Without this, any one could be processing your consumer data without acknowledging regulation. Your agency should be asked if they have appointed a DPO, which will be a strong indicator of their awareness of and readiness to deal with their obligations under GDPR.

35 35 ACTIONS GDPR has caused a lot of confusion due to its complexity and some areas of vagueness, and much concern due to the potential penalties proposed. You are not alone. Every business is in the same position and every business has a responsibility. Aim to work closer with your partners but be sure to avoid shifting responsibility. A lot of work may need to be done but the common consensus during our research is to ensure you are taking GDPR seriously and have put in measures to ensure your compliance. Some progress is better than no progress. Start today by: 1. Auditing your data sources and how they are used for the process for collection, measurement and insight- this will identify the areas where you and your consumers are at most risk of non-compliance. 2. Build a plan with your partners and begin to makes steps towards compliance. 3. Work with industry bodies and keep updated on all changes being proposed.

36 THANK YOU TO FIND OUT MORE ON HOW YOU CAN GET GDPR-READY, PLEASE CONTACT US AT 36