GDPR Compliance in Digital Advertising (dmexco 2017)
1. GDPR Compliance in Digital Advertising
Stefan Krätschmer
Head of Innovation and Implementation
2. General Data Protection Regulation
1. Enforcement date: 25 May 2018
2. Personal data belong to people who reside in the EU
3. Location doesn’t matter
4. Fines: 20 million euros or 4% of the annual worldwide turnover, whichever is greater
5. Is your business subject to GDPR?
— Do you need to comply? Are you subject to GDPR?
— Do you collect or process personal data?
6. Are you sure you know the answer?
— Feeds from partners might contain personal data, e.g. mobile device IDs for retargeting
— GEO IP and blacklists mean you use IP addresses (personal data)
— Server logs might contain IP addresses
7. Audit
1. Collect all data that you take in and list all partners that send it to you
2. Collect all ingestion points for user data, such as ad tags, tracking pixels, and so on
3. Check the fields and identify personal data
8. Data minimisation
“Personal data shall be: [...] adequate, relevant and limited to what is
necessary in relation to the purposes for which they are processed”
Art. 5 GDPR
9. Joint liability
You’re still at risk of being held responsible if one of your partners is not compliant.
10. Check your partners
1. Legal work, e.g. data processing agreement
2. How is data sent?
– Is it encrypted?
– Is it sent via email?
– Is it available via simple FTP access?
3. Do they have a DPO appointed?
4. Can they demonstrate compliance?
– Privacy policies
– How they handle consent (obtain, revoke)
– How they erase personal data, including erasing it from backups
– Get a list of the data they send. What in it is personal data? How do they handle it?
11. Compliance is not a one-time event
12. ‘Privacy by design’
“[...] the controller shall [...] implement appropriate technical and organisational
measures, such as pseudonymisation, which are designed to implement
data-protection principles [...] in an effective manner and to integrate
the necessary safeguards into the processing in order to meet the requirements
of this Regulation and protect the rights of data subjects.”
Art. 25 GDPR Data protection by design and by default
13. Get consent
1. Directly from users
2. Make sure partners have it, e.g. pixel integration or a case in a legal agreement
15. No consent
— Fall back
— Turn off features/metrics
Flexibility is ensured by the ‘privacy by design’ approach
16. ‘Privacy by design’
1. Encrypted data that you send in a secure way
2. Possibility to erase data on request, including data from backups
3. Access policies:
– Who can access the data
– How employees get access
– When access is revoked, and by whom, etc.
4. Handle data breaches. All data breaches must be reported to the supervisory authority within 72 hours
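The audit step on slide 7 (identify personal data in ingested fields) and the technical measures on slides 15 and 16 (pseudonymisation, dropping data when there is no consent), as an added Python example that is not part of this deck or of admetrics' own code; the field names, the sample record and the key are constructed assumptions.

```python
import hashlib
import hmac
import ipaddress
import re

# Field names the audit (slide 7) flagged as personal data (constructed schema).
PERSONAL_FIELDS = {"ip", "device_id", "email"}
# Constructed placeholder key: keep the real one outside the data store and
# rotate it, or the pseudonyms can be reversed by hashing candidate values.
PSEUDO_KEY = b"constructed-demo-key-rotate-me"
_EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# IDFA/GAID style mobile advertising IDs have UUID shape.
_MOBILE_AD_ID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

def _looks_personal(value) -> bool:
    """Shape check, for personal data hiding under an unexpected field name."""
    text = str(value)
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return bool(_EMAIL.match(text) or _MOBILE_AD_ID.match(text))

def find_personal_data(record: dict) -> set:
    """Audit step 3: fields of a record holding personal data, found either
    by field name or by the shape of the value."""
    return {k for k, v in record.items() if k in PERSONAL_FIELDS or _looks_personal(v)}

def pseudonymise(value: str) -> str:
    """Keyed hash (the 'pseudonymisation' of Art. 25): one input always maps to
    one token, so joins and frequency capping still work, but the token cannot
    be turned back into the IP or device ID without PSEUDO_KEY."""
    return hmac.new(PSEUDO_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]

def process(record: dict, consent: bool) -> dict:
    """With consent, keep personal fields only in pseudonymised form; without
    consent (slide 15), fall back by dropping them from the record entirely."""
    out = dict(record)
    for key in find_personal_data(record):
        if consent:
            out[key] = pseudonymise(str(record[key]))
        else:
            del out[key]
    return out

# Constructed sample record as a partner feed might deliver it: 203.0.113.42 is
# a documentation address, the GAID is made up, "gaid" is not a known field.
SAMPLE = {"ts": "2017-09-13T10:00:00Z", "ip": "203.0.113.42",
          "gaid": "3f2504e0-4f89-11d3-9a0c-0305e82c3301", "campaign": "c-1"}
```

Run `find_personal_data(SAMPLE)` first to see the audit catch the device ID under the unknown field name, then `process(SAMPLE, consent=False)` to see the no-consent fallback keep only the non-personal fields.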
19. Thank you.
Stefan Krätschmer
Head of Innovation and Implementation
https://admetrics.io
contact@admetrics.io
sk@admetrics.io