GDPR: What It Is and What It Means for Advertisers
Published: May 22, 2018
Author: Carl Paradiso
The European Union (EU) General Data Protection Regulation (GDPR) is coming into effect on Friday. The focus of this legislation is giving individuals greater security, transparency, and control of their personal data online, principles we at 3Q enthusiastically support. It also requires that digital marketers, our clients, and the platforms we advertise on make important changes to processes and relationships.
We’ve fielded a lot of questions about GDPR: who it affects, how to adjust to be compliant, where to find resources, etc.. We’ll try to answer those in this post.
Who is subject to GDPR?
The upcoming changes apply to all EU organizations regardless of where they do business and organizations outside the EU that intentionally offer goods or services or monitor activities in the EU. Non-EU organizations that do not offer any goods or services (with or without payment) within the EU are not subject to GDPR requirements. However, since similar legislation may make its way to the USA, proactively aligning with GDPR principles is a strategy that some companies are taking now.
What’s the difference between a data collector and data processor?
Data collectors are responsible for the personal data that they collect from those they serve or hope to serve. They now must clearly and specifically ask for personal information and only collect that information if explicitly granted permission. They must also allow those whose data they hold to be forgotten and delete all data they are holding for that person upon request. Brands (from our perspective, our clients) are data collectors, as are ad platforms like Google AdWords.
Data processors do just that: they process data on behalf of a data collector. 3Q is a data processor, as are platforms like Google Analytics, and we are obliged to protect that data as if it were our own as well as respond to personal requests for deletion passed to us by data collectors.
How are relationships between data controllers and processors changing?
They are becoming more explicit. No longer can companies pass personal data to other companies without a specific agreement. Nor will they want to — the penalties for misuse are severe and must be directed to the responsible party.
What can companies collecting their own data doing to comply with GDPR?
This applies to us; we’ve been collecting data on leads for years. We’re aligning all of our internal processes with GDPR for all persons, regardless of residency.
What do you recommend data processors do to comply with GDPR?
To answer this, I’ll explain what 3Q is doing to comply:
We’re revising our master services agreements (MSA) to reflect our general obligations under GDPR.
We are treating all personal data we process, regardless of origin or whether it’s subject to GDPR, with the same care as that subject to GDPR
If we process personal data on your behalf, we’re adding a data processing addendum to our MSA to clarify what personal data we process on your behalf and the obligations of both parties to protect that data in transit and at rest.
What should agencies do to support their clients in meeting the requirements of GDPR?
Again, we’ll view this through the lens of what we’re doing at 3Q:
We’re advising clients on how to maintain customer audiences and remarketing lists in accordance with GDPR.
We’re working with clients to ensure that we do not place ads or tracking pixels that transfer personal data outside of legitimate and contractual relationships.
We will run marketing campaigns for our clients in accordance with GDPR for those subject to it, and according to local law on behalf of those not subject to it.
Where can I find out more about GDPR?
You can read the actual text of the legislation here. Sometimes it’s helpful to pinpoint the actual wording instead of relying on others to interpret it for you. But be warned: there’s a lot…and luckily, there are also a bunch of resources from trusted online sources to sift through the legalese.
Most of all, don’t panic. This legislation is new, and everyone is learning as they go. Feel free to drop a comment if you’ve run into an issue you can’t figure out.