Four Steps to Embrace GDPR and Transparency

February 13, 2018

By Damian Scragg

You've probably heard the acronym "GDPR" several times already this week, perhaps even today. It has dominated adland recently, and quite frankly, much of the discussion is unenlightening.
Nevertheless, advertisers and their agencies ignore this regulation at their peril. And while it certainly is not the most inspiring of topics, compliance can have a number of long-term benefits if it is approached in the right way.

The first step to ensuring that your organization is in a position to comply with GDPR when it takes effect on 25th May of this year is to determine what your priorities are. Some companies will have to make major organizational changes to get their data practices in shape, while others may only need to make a few tweaks. Ultimately, there are four key principles for businesses that are preparing to become GDPR compliant.

Make consent the lynchpin of data collection and processing

The overarching principle of GDPR is actually a noble one — to give data subjects greater control over their own information. Data is a valuable resource and individuals are, in general, prepared to share it with businesses if it means they will have a better experience as a customer. However, these individuals also want to know that their data is treated with respect, held safely and securely — they may also want to retain their right to not share this data at all. This is why consent needs to be the first priority for all media organizations.

Companies need to prioritise consent processes in order to satisfy the stipulations of GDPR. It won't be difficult for the Information Commissioner's Office (ICO) to check whether businesses are doing this properly, and with hefty fines for non-compliance — up to €20m or 4% of sales, whichever is greater — this is something that should be sorted sooner rather than later.

The best approach when it comes to consent processes is to use plain English, so legal terminology should be avoided. And in addition to being transparent, consent processes must be meaningful. Some users may wish their data to be shared with certain third parties, but not others, or only wish for it to be used for specific purposes. The simple banners that have been used for informing users about cookies aren't enough — this requires a new type of notice which has multiple options for data usage, as well as different levels of detail. This approach better meets the needs of users who wish to access content fast, while balancing them against those of users who want to delve deeper into a company's data practices.

Appoint a Data Protection Officer

Many media organizations will need to appoint a DPO (Data Protection Officer) in order to ensure ongoing compliance beyond 25th May 2018. Creating the role will be mandatory for commercial organizations that engage in large-scale monitoring of individuals — e.g. tracking — or if they process special categories of data. The role of the DPO is to deal with all data protection queries from data subjects, and to provide a link between the organization's employees and the general public with regard to the processing of personal information.

Article 37(5) of the Regulation says that the DPO should have the professional qualities needed to undertake the role and expert knowledge of GDPR, but it is up to the organization itself whether it appoints someone internally or uses an external third party to fill this role. However, it's also important that any potential DPO should have good connections with the ICO. This will help them stay ahead of the regulation's evolution, especially as it becomes clearer what enforcement will look like.

The DPO should also be the person within the agency or advertiser who inspires the necessary changes to deal with GDPR. Many global brands and agencies currently have highly fragmented data storage and processing practices, with information about each individual held in different silos within the business. This is potentially challenging — if an individual makes a subject access request, the organization will have to provide all of the relevant data, so it is necessary to overcome this fragmentation and unify data centrally. This is an excellent opportunity to increase its value by bringing segments of information together to identify who customers really are.

And it isn't just how data flows within an organization that matters — advertisers in particular need to look beyond their walls at their digital supply chains. This is especially problematic in the highly complex ad-tech and martech ecosystems — businesses need not only to know which other vendors have access to the data they collect, but also to be sure that those vendors are compliant.

While marketers know who their immediate partners are where analytics, advertising and tracking are concerned, they will also need to know who these partners are working with further along the supply chain, and therefore who has access to their customers' data. This means contracts need to be updated so the companies they work with share responsibility for compliance, as well as the financial risks involved with infringements.

Deal with subject access requests

Under GDPR companies will have one month to respond to subject access requests — when a customer asks a business to reveal all the information it holds about him or her — or two months, if the request is particularly complex. Ensuring that you have a DPO in place, as well as streamlined and traceable data flows, will be key to responding in a timely and appropriate way to these requests. While in some cases, companies could charge a fee to respond to a request — if, as the regulations put it, the request is "manifestly unfounded or excessive" — this won't do them any favours.

In order to maintain the perception of transparency, marketers and advertisers should be taking the lead and doing everything they can to be seen to be acting in the spirit of GDPR.

While these four steps will take considerable time, resource and investment to implement, marketers and advertisers should be wholeheartedly embracing GDPR. The new regulations should not be seen as a burden — rather, they are an opportunity to become more transparent and build trust with audiences, and to extract greater value from the data businesses hold.

These benefits should be incentive enough for organizations to get their act together well in time to meet the deadline.


"Four Steps to Embrace GDPR and Transparency." MediaPost, 2/13/18.
