Adtech and GDPR: What to consider when choosing your partner

Agenda
- What to avoid and what to do
- Where is Adform on GDPR
- Possibilities for advertisers

This is about GDPR, not the unknown ePrivacy update

GDPR
- GDPR has been passed and is actually in effect. Only enforcement waits until May 2018
- Most of GDPR is relatively clear, except for how EU courts will interpret certain parts
- Online marketing is fine under GDPR without consent

ePrivacy
- Consent for online marketing can change with the new ePrivacy regulation
- Still undecided and the outcome completely unpredictable
- Will be looked at by the parliament in late October and negotiated in the following months
- The final result should not be expected before mid-2018
- Implementation unlikely before 2019, especially if it has major implications

Data processor: what it means

Data Processing: Any activities Personal Data is subjected to
Data Processor: Any 3rd party which processes personal data on behalf of the controller
Data Controller: The entity originally controlling the data

Controllers bear primary responsibility for ensuring that processing activities are compliant with EU data protection law.
- Ensure compliance, appropriate technical and organisational measures of Processors
- By default to process only the minimum amount of personal data necessary

The controller must be able to demonstrate compliance with the Data Protection Principles. Rec.85; Art.5(2)

Actions - What to do and not to do

Our advice on what to avoid first
- Having datasets in shapes or ways which look bad if breached
- Non-compliant Privacy Policies, Consent forms and Opt-out
- Passing it to anyone in ways that would look bad if breached
- Not being able to answer requests from clients and consumers
- Passing safe data (pseudonymous) to partners holding directly identifiable information
- IT temporarily blocking your Adtech and Martech tools in May

Your first actions should include
- Read and understand summaries of GDPR
- Document all Personal Data, Processing and Processors
- Change your data, habits and providers accordingly
- Limit the use of non-ISO-certified, non-EU-hosted and PII-based platforms
- Safeguard that consumers can act on the Right to be Forgotten
- Create Breach and Consumer Request Processes
- Check own properties for violation. Update Policies and consent boxes

A DMP reduces complexity and risk
- All data collected and profiled in a single place
  - Right-to-be-forgotten in a single place
  - Consumer Rectification right and insight in a single place
  - Data Portability in a single place
  - Tracks of where data is passed in a single place
- Pass only IDs to external platforms instead of raw personal data
- Audit only a single provider on all of the above
- Full-stack use of DSP, DMP, Ad-serving, DCO, Attribution, etc. minimizes the risk and GDPR burden of sharing personal data
  - Allows contractual and legal ownership of all systems used

Adform's GDPR Readiness

Adform is legally equipped to be a Processor of personal data
Adform is ready for GDPR
Our unique positioning reduces compliance concerns for our clients

Adform fulfills the GDPR Processor requirements
- Adform is ISO 27001 certified, thus secure and able to handle personal data according to the regulations for such
- All EU consumer data is kept within the EU

Uniquely, Adform does not store or touch any PII
- Unlike most competitors, we do not store PII: combination of tracking activities with PII storage could lead to opt-in requirements, and thus major impediments in digital advertising
- Adform is only a processor of pseudonymised personal data, leading to limited risks for clients, reduced requirements and a true Privacy-by-Design set-up

All EU data subjects served and processed only in EU
- Our three Danish datacenters serve and store all EU data
- No data is sent to 3rd parties or out of the EU

Adform has been operating as a data processor for 5 years
- Large German Finance and Telco clients have viewed access to IP addresses as PII and enforced strict requirements on Adform
- Thus we were 95% ready for GDPR but have spent 1½ years understanding and documenting it
- Our current focus is on in-depth client workshops and guidance
- Constantly improving our GDPR readiness pack and checklist

Adform is GDPR ready

Key GDPR requirements
- Privacy By Design
- Fully avoiding sensitive data and subjects
- Encrypt data whenever required
- Privacy Impact Assessments
- Designed to be a Data Processor
- ADVs/DPAs
- ISO 27001 Certification
- Overview of all Company PII
- Breach Notification to Authorities
- Right To Be Forgotten
- Data Portability Feature
- Designated Data Protection Officer

Adform readiness

Supporting rights to insight, rectification and portability
- me.adform.com lets data subjects receive the personal data that they have provided to a controller
- Data is provided in a structured, commonly used and machine-readable format
- Purpose is to empower the data subject and give him more control over the personal data concerning him

Possibilities for advertisers

Benefits and possibilities for businesses in GDPR
- Allowing European businesses to expand across borders
  - No need to notify other national data protection authorities about the data they are processing
- Cutting costs
  - Eliminate the need to consult with local lawyers to ensure local compliance for the franchised shops
- A level playing field for European and non-European companies
  - Any company, regardless of whether it is established in the EU or not, will have to apply EU data protection law should they wish to offer their services in the EU
- Benefits for individuals, benefits for businesses
  - Data portability promotes competition and encourages new businesses in the marketplace

Full-stack benefits: Forrester Key Findings
Benefits of Adform's integrated marketing platform that enables customers to consolidate and internally manage activities for digital advertising:
- 10% increase in return on ad spending
- Reduced search advertising: -10%
- Reduced cost vendor governance: -10%
- ROI: 126%

Jan.Danielsen@Adform.com