OpenX announces full GDPR compliance ahead of May deadline

With the deadline for the General Data Protection Regulation (GDPR) fast approaching, companies are finalizing their plans for compliance. Today, advertising exchange OpenX announced that it is in full compliance with the regulation in terms of publisher obligations.

“At OpenX, we believe that GDPR is the single most important regulation in digital advertising ever,” said Doug McPherson, chief administrative officer and general counsel at OpenX. “Contrary to what some companies think, it’s not just about fines and breaches.”

The supply-side ad platform (SSP) has created a “GDPR-ready data processing agreement (DPA) drafted in consultation with leading US and EU privacy counsel,” the company said in a press release. “This ‘open source’ DPA was published today as a resource for publishers to expedite their compliance process with other technology partners that may process the publisher’s EU personal data. OpenX is also making available other GDPR-related resources on its website, including a guide for obtaining certification under the Privacy Shield, which is an important legal mechanism for validating the transfer of EU personal data out of the EU to the US.”

I spoke to McPherson about the company’s announcement. He told me that GDPR will require companies to fully rethink how they collect and use data and be proactive rather than reactive.

“The old model of collecting and then deciding later how to use data will not work anymore,” he said. “Companies will need to change how they collect data at the front end and how they keep it. This will require companies to create policies that they might not have.”

To show its compliance, OpenX worked through a series of steps.

“We put together a comprehensive plan, we pulled together teams across the country, and we spent a lot of time and money putting in place internal and external agreements with publishers,” McPherson said.

“Rather than wait for our publishers, we put data processing agreements in place with all the required elements that GDPR imposes. Internally, we reviewed our privacy policies and made sure that they were compliant. We tightened up our own data security. And we’ve done comprehensive training on confidentiality,” he said.

McPherson said that he sees the adoption of GDPR as leading to big changes: “We believe that GDPR will lead to some fundamental changes in the industry. A lot of smaller companies will have a hard time surviving.”