After more than four years of tough negotiations, the European Union’s General Data Protection Regulation (GDPR) took effect in May of last year. As of 25th May 2018, this will be a valid law in all 28 EU Member States. Under the new law, reconciling the protection of personal data on the one hand with the free flow of data within the European Single Market on the other has now become a real challenge for the digital sector.
Well Meant, But Made Complicated: GDPR Leaves Many Questions Open
The ePrivacy Directive, however, is just one single directive and its implementation in the form of cookie banners did not pose significant challenges for the digital industry – therefore the excitement has been rather limited so far. The new EU General Data Protection Regulation, on the other hand, looks different: the law will be passed in May next year and we have to deal with it, whether the digital advertising industry welcomes it or not. Anyone who does not adhere to the new regulations will face severe penalties – data protection violations are punished with fines in the millions. The crux of the matter: there is still uncertainty surrounding the actual impact of this new legal situation. Sceptics claim that the new regulations could set back digital marketing by many years, as the utilization of personal data has in many ways become the foundation for the entire industry.
European Court of Justice Confirms: IP Addresses Are Personal Data
Even the definition of personal data has not been 100% clear. Those who advertise digitally and count on personalisation cannot do so without cookies. On a purely technical level, cookies are initially an anonymous, non-personal data record. However, an indirect reference to a person is established when a cookie is linked to an IP address. Since this new directive leaves this question unanswered, the European Court of Justice recently intervened and declared: IP addresses are personal data. Operators of websites can therefore only process them if they comply with the strict requirements of European data protection. In practice, the consent or disagreement of users to the processing of personal data needs to be recorded and stored by website operators or by the service providers who process personal data on behalf of publishers. Since this judgement, it has at least been clear that the entire digital sector is working with personal data.
This is a new situation insofar as numerous business models around programmatic advertising and dialogue marketing, as well as all targeting models, have up till now been regarded as compliant with data protection and must now deal intensively with the law which will be applicable from 2018 onwards. Numerous advertising associations are already complaining that the GDPR goes far beyond its target and puts the entire industry at risk. Complaining and panicking do not solve any problems, however.
At adverserve, we have been working intensively with our customers and ad tech partners for several months in joint discussions and recommend that advertisers and publishers prepare themselves for the new GDPR by using the following checklist:
- Mapping of relevant applications – Create an overview of all applications where personal data can be processed. These can be advertising and tracking tools, DSP and SSP servers, as well as internal applications. This overview should enable you to easily identify where action is required.
- Collection and presentation of responsibilities – Clarify the role of your own company in data processing and storage and draw the line between your own responsibility and the responsibilities of your partners and technology providers.
- Clarification with technology providers – Discuss with your technology partners which data categories and which specific user data are recorded and processed. To what legal basis does your partner refer? What measures will affect your partner with regard to data protection and the GDPR?
- Contractual prerequisites – Conclude data processing contracts with your partners that meet the requirements of the GDPR and implement a procedure list in accordance with Article 30 of the GDPR.
- Technical and organisational measures – Control the handling of data within your company. Topics such as access control and transfer control need to be clarified. The new legislation places higher demands on the obligation to exercise due care of all those dealing with personal data – unauthorized data access must be prevented by all means.
- Appointment of a data protection officer – Regardless of whether you process personal or anonymous data within the meaning of the GDPR, you should by all means appoint a data protection officer and train this employee to be certified by independent authorities such as TÜV.
The bottom line: The National Data Protection Laws which take effect in May next year based on the EU Data Protection Regulation pose new challenges for almost everyone in the digital industry. In order to avoid violations, advertisers and publishers should familiarise themselves with the new requirements from now on. We would be happy to help you with any questions you may have – so get in touch with our experts.