The GDPR (General Data Protection Regulation) countdown clock keeps ticking more and more loudly the closer we get to May 25, 2018, the day the wide-reaching E.U. regulation takes effect. Publishers here in the U.S. and elsewhere outside of the E.U. are feeling anxious about getting compliant. Part of that anxiety comes from the time frame. Part of it comes from the uncertainty around what “compliance” means: Publishers generally understand GDPR calls for changes in protocol of how they handle user data, but many remain unclear about what those changes should be and how they should prioritize their efforts.
But GDPR isn’t all panic and uncertainty. There are opportunities for publishers and ops teams–and one of those opportunities is to become educated now in order to take the lead in developing a GDPR roadmap in coming months. Public Policy Consultant and former IAB U.K. Director of Regulatory Affairs Nick Stringer is here to talk about how revenue teams’ crucial role in regulatory compliance at AdMonsters’ webinar, “Thriving Through GDPR–Turning Regulatory Obstacles Into Opportunities” (sponsored by The Media Trust). In the interim, we reached out to Nick for his take on some of the GDPR perspectives that have been popping up in the media lately.
To become compliant with GDPR, what solutions might publishers find in their existing tech stack — in data management tools, for example?
The most important first step for a publisher is to evaluate and assess how they and their partners are using and processing personal data. This is a critical step, as it will determine their overall compliance strategy and approach (i.e., you can’t comply with something that you aren’t aware of). Of course, it’s an ongoing “data hygiene” process.
The process of answering legal questions might prove hard to automate. When becoming GDPR-compliant, what can publishers solve through automation, and what will they need to solve through staffing?
In addition to assessing their data flows, publishers need to evaluate the privacy risks of their processing activities, and encourage a similar approach with partners. There will be automated processes, but most likely when initial processes and procedures to meet the requirements of the GDPR are already in place.
However, staffing is really important at this stage. For example: In ensuring the company is “joined up” on its GDPR strategy, training its staff on the GDPR, what it means and what the company is doing to comply, and hiring a Data Protection Officer (DPO) where appropriate. It’s really important that organizations don’t just see this as a “legal thing,” as company-wide changes are likely to be needed.
And there are important organizational steps that will set the company up well for the GDPR environment — bringing all key people together in a GDPR Taskforce that reports directly to the leadership team, responding quickly to issues, etc.
Which challenges in GDPR compliance would you say ops teams are uniquely qualified to meet?
They bring a unique understanding and knowledge of the products and their data processing activities. This is essential in every part of the company’s GDPR strategy, and they should be an integral part of any GDPR Taskforce.
While a lot of publishers see GDPR as a looming storm cloud, others in the industry have commented that the regulation could be a boon for marketers and re-establish trust between consumers and brands. Is that too rosy an outlook, or should we be focusing more attention on the silver linings?
I think this depends on what type of business you operate. Those with a direct user relationship (e.g. publishers) will find compliance easier, and this also creates opportunities to exert greater control over data (and re-establish trust). The further you operate down the supply chain, the greater the challenges will be–such as demonstrating user consent for the processing of personal data). However, I think many people are still scratching their heads as to what the “competitive advantage” opportunities are–creative opportunities do exist if you look at the GDPR through the lens of a user.