What is the GDPR, and why should martech care?

Columnist Todd Ruback discusses the General Data Protection Regulation (GDPR), a new EU regulation meant to protect its citizens' personal data. If you serve customers or have audience members in Europe, read on to learn how this affects you.


Privacy is a complex issue, and opinions on the subject often depend on the perspective it is viewed from. I’m a passionate privacy officer, and among my peers, the conversation tends to focus on privacy regulations. But as the company I work for provides technology to the digital advertising community, I live with one foot in the marketing world, too.

While martech is booming, the ad hoc growth of the industry — sliced and diced by countless intermediaries from demand-side platforms to ad exchanges, all performing specific technical functions — has created a lack of transparency.

The industry is already subject to suspicion from consumers for using mysterious and magical technologies that enable advertisers to serve them relevant advertising for products they are looking for, at precisely the right time. While the public may be wary of practices they do not understand, they do enjoy the benefit martech creates: the ability to freely roam the internet without continually running into digital paywalls.

In addition to public suspicion, the fragmented race to serve relevant ads to the right audience has also caught the attention of data protection authorities. This is reflected in the EU’s massive General Data Protection Regulation (GDPR), which comes into effect on May 25, 2018.

What is the GDPR?

The General Data Protection Regulation (GDPR) is designed to unify data privacy laws across the EU, giving EU citizens better control over their personal data and dictating how organizations may use that data. The regulation applies to any company that processes the personal data of individuals residing in the EU, even if that company is located elsewhere — and US-based international businesses are thought to be somewhat behind their peers in preparing for its arrival.

Violations of the consent or privacy-by-design aspects of the GDPR will be subject to severe penalties of up to €20 million or 4 percent of a company’s global gross revenue, whichever is greater. But it isn’t just the astronomical size of the fines that makes the GDPR significant — it’s how the rules and fines can be applied that makes the regulation game-changing for digital commerce, and more specifically for martech. Here’s why…

The GDPR has a noble goal. It aims to give control of personal data back to the people through a series of new rights. These include the right for individuals to access and correct any data held about them, as well as the right to erasure, which allows them to request that their personal data be deleted if there is no compelling reason for its continued processing.

The new regulation also provides the right to object to certain data processing practices, such as the use of data for direct marketing, including profiling, which is particularly relevant to martech. Companies collecting personal data have to be accountable and transparent about their data collection and processing practices, and they must notify both the Data Protection Authorities and the individuals affected in the event of a data breach.

So far so good, but here is where it gets tough. The GDPR, while not explicitly prohibiting business practices such as profiling, does take a very prescriptive view of them. Put simply, it’s possible to do it, but you must do it right.

User consent to data processing must be obtained on the website or app where it is collected, and the bar for getting valid consent is being raised much higher. No longer can consent be buried deep in a website’s generic “terms of use” policy, nor can it be requested in complex legal jargon.

Consent must be freely and specifically given, through a clear and easily accessible process, and users must be informed of the purpose for which their data will be processed. Additional consent must be obtained to use the data for any other purpose than that for which the original consent was obtained, and data must be deleted when it is no longer needed for that initial purpose. Consent can be withdrawn at any time, and the process for withdrawing consent must be as easy as the process for giving it.

In relation to profiling — which the GDPR defines as automated processing designed to analyze any aspect of an individual, such as their preferences, behavior and location — the rules are also very strict. The consequences of profiling must be transparent, appropriate mathematical or statistical procedures must be used, measures must be put in place to minimize errors, and data must be safeguarded in a way that is proportionate to the risk to the individual’s interests and rights.

How the GDPR could impact martech

So, why should martech providers be worried? Well, it’s a matter of business survival. I already see publishers renegotiating contracts with martech vendors based on the impending regulation, and it is highly likely publishers will force their partners to warrant that they are GDPR-compliant. A mandatory condition vendors will be asked to agree to is indemnity to the publisher for penalties caused by the martech partner.

Let me be clear on the significance of this. If a publisher is fined 4 percent of its gross revenue because of a data compliance error that a martech provider or one of its downstream partners made, that publisher will want to be compensated by the provider. The amount in question is likely to significantly exceed 4 percent of the martech company’s global gross revenue — and could well be fatal for the business.

In preparation for the GDPR, martech vendors must conduct a thorough review of the various types of personal data they collect, how they collect and store data, what it is used for and whether it is critical to the services they provide. They also need to gain a thorough understanding of which other companies have access to that data and what they do with it.

By building up a full picture of the data supply chain, martech vendors can identify potential weak spots or vulnerabilities and implement privacy controls to protect themselves and their customers against possible breaches. When data practices are entirely understood and fully documented, providers must ensure these are clearly and openly communicated to the publishers and third-party providers they work with.

The time has come to pay attention to data privacy. The GDPR is real, and it’s a game-changer for any business processing EU data. Martech will be the most exposed of all industries, so let’s get it right. There’s no need to panic, but it is time to get a GDPR compliance strategy in place as a matter of urgency.


Opinions expressed in this article are those of the guest author and not necessarily MarTech.


About the author

Todd Ruback
Contributor
As Chief Privacy Officer & VP of Legal Affairs at Evidon Inc., Todd Ruback oversees all internal privacy and legal matters. He has developed the company’s privacy training program, privacy by design initiative and also oversees the company’s legal department. He works with many privacy regulatory bodies and thought leaders to ensure the company’s products and services exceed expectations. His privacy certifications include CIPP-US/E, CIPT. Prior to coming to Evidon in 2012 he headed the Privacy & Technology Practice at the law firm of DiFrancesco, Bateman in Warren, NJ and was the President of the New Jersey Bar Association’s Privacy Section.
