The clock is ticking! The GDPR becomes enforceable May 25, 2018 and the race is on for publishers with audiences in the EU to figure out how to comply with the new strict regulations. Many companies are still figuring out a strategy and others wonder if they are doing enough. ALL companies need to pay close attention because it’s only a matter of time before we will see a comparable regulation here in the U.S. (and globally).
I spoke with Ian Connett, Esq., President and Founder of QuantumJurist, Inc. who provides legal counsel for Placements.io. He’s been living and breathing GDPR the past several months, so he is a great resource on the topic.
My question for Ian was, what do publishers need to know to successfully navigate the new GDPR landscape?
Ian explained that before engaging with partners in this new market, publishers need to make sure that working with a partner isn’t going to expose them to undue risk. Many companies are quick to go on the legal defensive by implementing after-the-fact protections in the form of contracts.
In this case, if there is a breach, publishers have contractual language that can protect them. However, Ian said, “Publishers need to invest in a compliance strategy that encompasses both legal AND technology solutions.”
Companies should also take offensive measures and use technology to get in front of data privacy issues before they occur. Unless publishers build a tool in-house, this often takes the form of a Consent Management Platform (CMP). These platforms help tackle one of the main regulatory features of the GDPR, which is the opt-in consent. That’s right, you’ll have to tell your site visitors (i.e., “data subjects”) in the EU that you’re not only processing their personal data, but exactly what you’re going to do with it.
What’s the first step to prepare?
“The first thing you need to do is take a data assessment”, Ian shared. “This can be done internally if you have savvy tech people, or you can hire a firm to do it for you. You need to take stock of your data: what you are processing, how much, and where you’re processing it. If you have limited exposure in the EU, it might not be worth wasting your time worrying about it. But if you’re doing a lot of EU data processing, then review your contracts and make sure you have the relevant data protection in place. If not, then you should update those clauses or have them reviewed by an expert council.
Next, you should be looking at some of the technology solutions and going to industry groups to talk with other partners in the space. See what others’ challenges are and their experiences.
The last step is one of the most important ones: work with your marketing and sales teams to find ways to communicate your GDPR compliance. Ian stressed, “Your GDPR compliance plan is only as good as how clearly you explain it to your customer base. Technical people, like engineers, may understand the concept very well, but may not communicate it effectively. There’s going to be consolidation in the market and advertisers will be looking to spend with the compliant partners.”
- Assess your data and take necessary legal action
- Explore and implement technology solutions, such as CMPs
- Clearly explain your compliance with your customer base
For many, the GDPR is a huge headache. However, this is a just a warm-up to for more regulations to come. The silver lining is, the personal data you do have permission to collect in the EU has the potential to be all the more valuable.