GDPR: Publishers and martech will rely on each other

The General Data Protection Regulation (GDPR) goes into effect next year, and the impact on the martech industry will be significant. Columnist Todd Ruback explains how it's already changing the dynamic between publishers and martech vendors.


By now, everyone’s calendar should have a big red circle around the date of May 25, 2018, when the General Data Protection Regulation (GDPR) goes into effect. And with 12 months to go, there is still just enough time to complete GDPR readiness projects ahead of the enforcement date.

I’ve posited loud and often that martech writ large will be uniquely impacted by the regulation, and I’m cautiously optimistic that the innovators in this critical sector will set the tone for the rest of the digital industry with their own GDPR compliance efforts.

Martech’s place in the GDPR

Martech underpins the entire digital economy, driving critical advertising revenue vital to many organizations, and it is responsible for millions of jobs in both the EU and the US. All of this is possible when data is collected and used the proper way, but for all of this to continue, the sector must up its game and make sure it can comply with the GDPR.

The regulation applies to any organization processing the data of EU citizens, and as one of the most prescriptive privacy laws in existence, it will become the de facto global standard to which international businesses will need to conform. Martech should embrace the GDPR as a once-in-a-generation opportunity. Those companies that do will thrive. Those that don’t won’t survive. It’s as binary as that.

A shifting publisher-provider dynamic

The market is shifting in preparation for the regulation. A number of large publishers are currently establishing digital governance programs that require all martech companies operating on their sites or serving their ads to comply with the GDPR, and I’m already seeing contractual revisions to this effect. Where these prominent publishers lead, others will soon follow — and this trend will spread across the martech industry, becoming a standard cost of doing business.

If publishers demand their partners — and any downstream intermediaries pulled onto the publisher site — contract that they are in compliance with the GDPR, this translates as a new tax on martech in the form of added internal compliance costs. Companies will need to undertake their own internal privacy impact assessments, perform regular data protection reviews, understand and control all the data they collect and have a designated Data Protection Officer (DPO) to make sure good GDPR hygiene is practiced.

But the situation is likely to make a further jump. As part of the contractual commitment from their martech partners, publishers will soon want to include indemnification for any GDPR penalties the publisher incurs as a result of non-compliance by the martech provider. This is a huge demand, given the fines involved may be in the region of up to €20 million or 4 percent of turnover, a figure likely to vastly exceed what the average martech provider can afford. This type of indemnity will impose weighty new liability and risk on the martech industry as a whole, which will be under intense regulatory scrutiny. Data protection authorities are signaling aggressive enforcement actions for violations of the GDPR — specifically its consent provisions — which means the martech sector effectively has a bull’s-eye on its back.

The situation is not as dire as it sounds, however, as martech does hold a certain amount of leverage. Publishers are dependent on the advertising revenue martech drives for them, and if they insist on pushing GDPR compliance downstream — as they should — then there will also be a reasonable expectation from martech providers of the part the publishers themselves will play in regulatory compliance. Since they are the ones that interact directly with consumers, publishers must take ownership of the GDPR’s transparency and consent obligations. They will need to obtain the specific consents necessary for martech providers to collect and process data and must supply consumers with easy-to-use tools to exercise their rights, such as the right to object to profiling, the right to data portability and the right to have their data deleted or corrected. A fair quid pro quo exists.

Next steps to GDPR compliance

So what should martech providers be doing with just over a year to go?

First, they should look to appoint, hire or contract a DPO. At least 28,000 additional DPOs will be needed to meet GDPR requirements, according to an IAPP study, so it is vital for martech providers to obtain their own officers as soon as possible. They need to be sure the DPO is senior enough to gain buy-in from the rest of the organization and has in-depth knowledge of the industry and operations. Sufficient budget will need to be allocated for this. A DPO will be responsible for documenting data privacy policies and procedures and clearly communicating these to employees, clients and the necessary regulatory authorities.

Next, providers need to make sure their own house is in order. They must undertake an internal GDPR readiness review and make sure they know what data they collect, understand how it is stored and used and be confident the right levels of consent and protection are in place. A review is just the first stage in the process and should be used to gain a complete view of the data that flows through the organization, identifying any potential vulnerabilities that require addressing.

Finally, martech providers must be prepared for massive contractual revisions that will impose a heavy liability upon them for GDPR violations deemed to be their responsibility. This new cost of doing business can be acceptable if there is a mutual upstream obligation to gain the necessary consents, which can only be achieved by the publisher meeting its transparency obligations at the point of contact with the consumer. So the publisher must obtain consent for third-party data processing on the provider’s behalf, and martech providers must commit to collecting only the data they say they are collecting and using it only in the way they are permitted. It is not an unreasonable demand, but it is contingent upon the publisher doing its share of the heavy lifting.

The GDPR will undoubtedly cause seismic shifts in the martech landscape, and it will redraw the lines of the provider-publisher relationship, but there is still just enough time for martech companies to get their house in order and make the necessary changes before the regulation comes into effect in May 2018.

Opinions expressed in this article are those of the guest author and not necessarily MarTech.

About the author

Todd Ruback
As Chief Privacy Officer & VP of Legal Affairs at Evidon Inc., Todd Ruback oversees all internal privacy and legal matters. He has developed the company’s privacy training program, privacy by design initiative and also oversees the company’s legal department. He works with many privacy regulatory bodies and thought leaders to ensure the company’s products and services exceed expectations. His privacy certifications include CIPP-US/E, CIPT. Prior to coming to Evidon in 2012 he headed the Privacy & Technology Practice at the law firm of DiFrancesco, Bateman in Warren, NJ and was the President of the New Jersey Bar Association’s Privacy Section.
