May 25th is just a few months away, actually only a little over 100 days away. The date marks when the EU’s new General Data Protection Regulation, GDPR, takes effect. If you are not familiar with GDPR and don’t know whether it affects you, don’t worry: by the end of this post you will be up to speed on everything GDPR.
Let’s start with a cheat sheet of the 10 things that you should be aware of:
The main goal behind the new regulation is to give consumers the power to determine what data companies can collect on them, how this data is processed and where it is kept. Personally, I commend this initiative because it puts a lid on how we manage consumer data today. Many companies have hundreds of data vendors that collect some data on consumers, in one form or another, and use it for analysis, retargeting or modelling. This is not the problem; the issue is that many companies are not fully aware of all the tags that are firing on their properties. Some vendors still have their tags active and collecting long after the contract has expired and the service was discontinued.
On the other hand, consumers have the right to see what information Data Collectors have on them and can request that this data be handed over or wiped out within 30 days. Prior to GDPR, consumers needed a strong reason to be granted this capability, but not anymore. Consumers, under GDPR, have the right to ask to view the data collected on them and to request that this data be wiped out. At that point, companies have 30 days to comply with the request.
It is understandable that this could be overwhelming, especially as we approach the launch date, but this doesn’t mean that you cannot take action today to prepare for it. Here are a few things we recommend you consider:
Whether you are a Data Collector or Processor, GDPR applies to you. Collectors are under more pressure, but both should have clear visibility into how the data is being handled. We recommend conducting a full audit of all the technology vendors on your roster and assessing whether they are compliant with the GDPR. Here is a list of things to consider:
In addition to auditing the technology vendors, make sure you audit how data is being collected and processed within your own ecosystem, such as your data lake, data mart or CRM systems. For instance, are you structured to handle the newly defined PII data such as location data, IP addresses and mobile device IDs? It is important that PII data is separated from cookie-based or anonymous data. Prior to GDPR, IP addresses and mobile device IDs were still considered anonymous data and could be mixed with cookie-based data. Make sure you make the appropriate changes to comply with the new rules.
The EU is notorious for the banners that pop up notifying you that by browsing the website you have agreed to the cookie policies, such as the one on O2’s website.
These are no longer considered acceptable as consent forms. GDPR defines the new consent requirements as: “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”. Consent forms need to be specific and explicit. They need to promote active opt-in rather than pre-checked boxes; consider consumers opted out until they choose otherwise. Many brands are considering merging consent forms with preferences, which supports a full-transparency attitude and ultimately increases consumer confidence in the brand. We recommend clear and concise forms with enough information on how this data will be used and for how long it will be kept.
In 90% of the audits we run for our clients, documentation and processes seem to always be lacking. Brands want to follow a governance model, but it is challenging to enforce it across an entire organization. Under GDPR, you don’t have a choice: you should adopt a strict documentation, governance and process terminology when it comes to data. In the event that the EU Council audits you, you will want to make sure your documentation is in place and ready to be handed over to them for review.
In the next posts, we will discuss how GDPR impacts Advertisers, Publishers and the Adtech ecosystem, especially when it comes to Data Management Platforms (DMP). In the meantime, if you need help with GDPR, schedule a free 30-minute consultation by contacting me at Jhelou@softcrylic.com.