May 25th is just few months away, actually only a little over 100 days away. The date marks when the new EU’s General Data Protection Regulation, GDPR, takes effect. If you are not familiar with GDPR and don’t know whether this affects you then don’t worry, by the end of this post you will be up to speed on everything GDPR.

Cheat Sheet

Let’s start with a cheat sheet of the 10 things that you should be aware of:

  1. GDPR replaces the Data Protection Directive from 1995. It took over 4 years of negotiations in the European Parliament and Council and was adopted in April 2016. The Council gave marketers a 2 year window to prepare for it.
  2. GDPR gives EU citizens more control over their personal data.
  3. Location data, mobile device ids and IP addresses are considered Personal Identifiable Information (PII) under the new regulation.
  4. Companies that collect, store or process consumer data are more liable.
  5. It is not the ePrivacy or Cookie law. The Cookie law is a different regulation concentrating on how cookies are set, duration and the type of data that they can hold.
  6. Unambiguous consent is essential to comply with GDPR. Companies need to clearly define the data they are collecting from consumers and what they plan to do with it.
  7. GDPR classifies companies either as Data Controller or Data Processor. Controllers are responsible for getting consumers’ consent to collect and process personal data while processors process the data on behalf of the collectors.
  8. There is a hefty fine of up to 20 million euros or 4% of the global annual turnover for the previous year for any company that doesn’t comply with GDPR.
  9. This regulation affects every company that interacts with EU citizen and hence not limited to companies within EU.
  10. As restricted as GDPR sounds, it is a positive move end of the day. It will enforce putting some rules and regulations on how data is collected data and who has access to it. It will be essential in the situation of a data breach.

Consumer Rights

The main goal behind the new regulation is giving the consumers the power to determine what data companies can collect on them, how this data is processed and where it is kept. Personally, I commend this initiative because it puts a lid on how we manage consumer data today. Many companies have hundreds of data vendors that collect some data on consumers, in one form or another, and use it for analysis, retargeting or modelling. This is not the problem; the issue is that many companies are not fully aware of all the tags that are firing on their properties. Some vendors still have their tags active and collecting long after the contract has expired and service was discontinued.

On the other hand, consumers have the right to see what information Data Collectors have on them and could request this data to be handed over or wiped out within 30 days. Prior to GDPR, consumers needed a strong reason to be granted this capability but not anymore. Consumers, under GDPR, have the right to ask to view the data collected on them and request this data to be wiped out. At that point, companies have 30 days to comply with this request.

How to prepare for it

It is understandable that this could be overwhelming especially that we are approaching the launch date but this doesn’t mean that you cannot take actions today to prep for it. Here are few things we recommend you consider:

Vendor and Data Audit

Whether you are a Data Collector or Processor, GDPR applies to you. Collectors are under more pressure but nevertheless, both should have a clear visibility on how the data is being handled. We recommend conducting a full audit of all the technology vendors on your roster and assess whether they are compliant with the GDPR. Here is a list of things to consider:

  • Start with reviewing the tags firing on your websites and mobile applications. Are these tags supposed to be there and if they are, what data are they collecting?
  • Assess whether the vendors are compliant with GDPR. Review their data processing agreement, security measures and breach notifications.
  • Assess whether the vendors can delete a customer profile within 30 days upon request.
  • If the vendors are collecting data on your behalf, confirm that they are collecting data with proper consent.

In addition to auditing the technology vendors, make sure you audit how data is being collected and processed within your own ecosystem such as data lake, data mart or CRM systems. For instance, are you structured to handle the newly defined PII data such as location data, IP address and mobile device ids? It is important that PII data is separated from cookie based or anonymous data. Prior to GDPR, IP addresses and mobile device were still considered anonymous data and could be mixed with cookie based data. Make sure you make the appropriate changes to comply with the new rules.

Consent Form

EU is notoriously known for the banners that pop up notifying you that by browsing the website you have agreed to the cookie policies. Similar to below from O2’s website:

consent form cookie notice

These are no longer considered acceptable as Consent Forms. GDPR defines the new consent requirements as: “ any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”. Consent forms need to be specific and explicit. They need to promote active opt-in rather than already checked-in boxes; consider consumers opted-out until they choose otherwise. Many brands are considering merging consent forms with preferences which supports a full transparency attitude and ultimately increases consumer confidence in the brand. We recommend clear and concise forms with enough information on how this data will be used and for how long it will be kept.

Documentation and Process

In 90% of the audits we run for our clients, documentation and processes seem to always be lacking. Brands want to follow a governance model but it is challenging to enforce it across an entire organization. Under GDPR, you don’t have a choice and you should adopt a strict documentation, governance and process terminology when it comes to data. In the situation that the EU Council audits you, you will want to make sure your documentation is in place and ready to be handed over to them for review.

In the next posts, we will discuss how GDPR impacts Advertisers and Publishers and the Adtech ecosystem especially when it comes to Data Management Platforms (DMP). In the meantime, if you need help with GDPR, schedule a free 30 min consultation by contacting me at Jhelou@softcrylic.com.

Jerry Helou, Ph.D.

Linkedin Icon

Jerry Helou, Ph.D.

Jerry Helou leads the Digital Experience Architecture practice at Softcrylic. He helps our clients accomplish advanced digital experiences and strategic business goals by implementing and leveraging multi-solution architecture.

Start typing and press Enter to search