The clock is ticking… time to get GDPR ready

The IAB's Head of Policy & Regulatory Affairs, Yves Schwarzbart, writes about the GDPR ahead of its implementation in one year's time.

Yves Schwarzbart

See the IAB's GDPR compliance checklist 

The GDPR is almost here. For an industry that is usually focused on the next quarter, the 25 May 2018 may still sound like lightyears away. Applying this thinking to the GDPR could be a grave mistake though. In compliance terms, the GDPR is just around the corner and about to race towards the finishing line, equipped with fines that can potentially run into the millions. 

It’s not only for this reason that the GDPR has been a top priority for the digital advertising industry ever since it was first proposed back in January 2012. Its aim is admirable and right; to improve trust in digital services and harmonise data protection rules across the EU for the benefit of individuals and businesses. For many, including the IAB, the end product is one that in many places struggles to strike the right balance between these sometimes competing but – more often than not – shared interests. 

However tempting, having a debate over whether the GDPR is apt for the challenges and opportunities of the digital world is a moot point at this moment in time. The GDPR is here to stay and will form the bedrock of data protection law in the EU and the UK for years to come. 

The changes the GDPR brings in carry more potential for disruption than any other legislative development in recent years, easily surpassing the so-called ‘cookie law’. Complying with the new rules is complicated by the fact that ambiguity is the GDPR’s natural bedfellow. Finding practical solutions to making the GDPR work will ultimately decide what impact it has on the industry. Unfortunately, in areas that matter most to digital advertising businesses, grey areas tend to outnumber clear provisions. 

The picture is (finally) getting clearer

Little by little, however, shades of grey are giving way to hues of black and white. In regulatory circles, it’s all hands on deck with data protection authorities – led by the UK’s ICO – busy churning out new or updated pieces of guidance, shedding vital light on some of the most contested issues of the GDPR. This is welcome news insofar as we’re moving closer to the point where a sense of certainty is slowing replacing a long-running undercurrent of trepidation. 

 What to do now and what to look out for 

With 12 months to go, there is, therefore, no time to waste to prepare for the GDPR. A lot that needs to be done to comply with the GDPR, can and should be done now. Implementing solutions to GDPR ‘knowns’ now will leave precious time to tackle what will only become known in the weeks and months to come.  

If it hasn’t happened yet, now is the time to assign responsibility to a member of staff within your organisation. They should bring together key people from different departments, such as Legal / Policy, Ad Ops, Engineering, Sales and Marketing. If you don’t have in-house legal support, look for outside counsel to help in your efforts. Key is to involve as diverse a team as possible. 

Once underway, prepare a compliance roadmap. Compliance journeys will naturally differ, but should consider working on the following immediate next steps:

1. Take stock – document what data you handle using an information audit. The information audit will underpin almost all of your subsequent compliance decisions. 

2. Categorise your data – use the information audit to create three buckets: personal data (e.g. names), pseudonymous data (e.g. IDFAs) and anonymous data. The first two are covered by the GDPR, the third isn’t. 

3. Consider your legal bases – under the GDPR, you need to be able to legitimise your data processing. Match the relevant legal bases with the types of processing you carry out.

4. Review your privacy policy – analyse what needs changing to meet the GDPR’s enhanced transparency requirements

5. Know about individuals’ rights – check your processes to ensure you can meet requests from individuals exercising their rights under the GDPR, such as the right to access

6. Look at vendor contracts – start working on contracts with your partners now and review those that are already in place to ensure they are in line with GDPR requirement

7. Appoint a Data Protection Officer (DPO) where needed – under certain circumstances, you will have to appoint a DPO. Assess if this applies to your company.

8. Decide on your lead supervisory authority – you need to identify a lead regulator for GDPR-purposes. Note that UK-headquartered businesses are unlikely to benefit from the GDPR’s notion of a ‘one-stop-shop’ and would have to deal with multiple Data Protection Authorities across the continent post-Brexit.

Beyond some of these immediate next steps, make sure you consult our recently published GDPR compliance checklist which provides a more detailed overview of the key areas digital advertising businesses need to consider now when preparing for the GDPR. We will continuously update the list as and when more information becomes available, so visit it frequently.

Above all, remember we’re here to help. For a sector as intertwined as the digital advertising industry, the GDPR offers the opportunity and the need to collaborate through bodies such as the IAB. Whilst working in silos may offer short-term fixes to some of the challenges of the GDPR, we believe that in the long-run it will be industry solutions that put user experience and design at their core that will prevail. Help us shape them.

Contact for any further information.

IAB UK logo

Supportive thought leadership on today’s biggest issues, the best of digital advertising and the future of the industry

Our members achieve more as part of our community through network information, education, stewardship and advocacy.