With GDPR coming into full effect in May 2018, everybody should be aware by now of the far-reaching impact this regulation will have on every business that deals with EU citizens. For partners who might not be sure yet about how to approach GDPR compliance, this presentation lays out what we did to comply with GDPR. We also included pointers on how to start the process.
Note: If you are not aware of GDPR at all, watch this short introduction with the most important facts: https://youtu.be/F4Ul_cNjeuk
Introduction to GDPR by admetrics (Video)
Hi! I’m Stefan from admetrics. We provide solutions for advertisers, agencies and publishers: ad verification, brand safety, fraud prevention, viewability, and so on. In this video, I’m going to cover how we became GDPR compliant and what steps we took to get there. We’re an adtech company, so I’m going to talk from the perspective of an adtech company. The very first step is, of course, to familiarise yourself with GDPR, and you can watch this video if you want to refresh your memory on the regulation.
When you know what GDPR wants from you, the first question you want to ask is whether you’re subject to GDPR. It might be that you don’t have to be compliant because you’re not collecting or processing personal data. The catch here is that you have to be 100% sure of it. It might be that one of your partners is sending you personal data in one of the fields in the feeds you’re getting. Let’s say it’s a standard feed they’re using for everyone, and it contains mobile device IDs for retargeting. You don’t use this field, but the mere fact that you’re getting it makes you subject to GDPR. As a side note, if this personal data is not covered by a legal agreement with this partner, they’re already violating GDPR by sending it to you.
As another example, I can give you something we saw for our viewability product. The initial assumption was that the product doesn’t work with personal data because it’s not required for the viewability measurement. However, when we looked at every single datum, we noticed that we’re using Geo IP in order to show the user’s country, because even when we measure only viewability, we still provide a lot of additional information to our partners, so they can run detailed analytics and effectively optimize their campaigns. One of the pieces of information was the user’s country. We utilize Geo IP in order to check the country, and of course we have to use the user’s IP address for that. According to GDPR, IP addresses are personal data, so we had to tackle this issue just because of Geo IP. Furthermore, we also found out that the servers were keeping IP addresses in the access logs, so we had to reconfigure the servers to drop this data and not to store it.
As you can see, in some cases you might think you’re not subject to GDPR, but actually you are. In order to check it you have to:
- Collect all data that you take in and list all partners that send it to you
- Collect all ingestion points for user data, such as ad tags, tracking pixels, and so on
- Then check the fields and identify personal data
Once again, according to GDPR, personal data means “any information relating to an identified or identifiable natural person.” Keep in mind that IP addresses and device IDs are personal data. Be careful with cookies, because they might contain personal data. While you’re auditing the data, make sure you’re not taking in more than you need, or data that is not covered by agreements. You might have to stop collecting some of the data, for example, stop storing IP addresses, or you might have to ask your partners to modify feeds and remove some of the fields. If this data is not essential for your product, it might be that your road to compliance will be over at this step, because you won’t have any personal data to protect.
However, GDPR codifies joint liability, so it’s still extremely important to work closely with your partners. ‘Joint liability’ means that no matter how well you did your job with regards to GDPR compliance in your company, you’re still at risk of being held responsible if one of your partners is not compliant. So this means you have to trust your partners, which is something you can’t do blindly. That raises an interesting question: How do you check your partners? It’s unlikely you’re going to audit them, and at the moment there’s no easy way to prove a company is compliant by providing some kind of certificate. Some private legal companies offer audit services and even issue certificates, but it’s doubtful these certificates have any meaning to the regulators, and it still doesn’t protect you from any changes that might happen in the company after the certification. Let’s say everything was fine, but then the company deployed a new feature and started to collect personal data for it without getting consent first. It’s going to be revealed during the next certification process, but it might be revealed by the regulator first.
So how do you check your partners? There’s no easy way to do it, but here’s what we can recommend.
- First of all, make sure you have proper legal work done; specifically, check that a data processing agreement is in place. This is already required by German law, so we at admetrics didn’t have to do anything special here.
- Next, check how your partners send you the data. There are certain red flags that can show you right away that the partner has issues with GDPR compliance and with data protection in general.
For example, check how your partners send you personal data:
- Is it encrypted?
- Do they send it to you via email?
- Do they provide you with FTP access to the data?
Unencrypted data or an ability to easily download the data from an FTP server clearly demonstrates an issue with basic understanding of data protection principles, so this should make you highly suspicious toward a partner who’s doing it.
- Check if your partners have a DPO assigned. We already had one simply because it’s required by German law, but other companies might not have DPOs appointed.
- Another interesting thing that can help you in evaluating your partners is the GDPR requirement to be able to demonstrate compliance at any given time.
Ask your partners for:
- Their privacy policies
- How they deal with obtaining and revoking consents
- How they erase personal data, including erasing it from the backups
- Additionally, ask for a list of data they’re sending you, what is considered personal data there, and how they handle it
This might look like a lot of information, but it’s something every GDPR compliant company must already have prepared and ready to provide at any moment. Be very suspicious if your partner can’t provide this information in a timely manner, or has any difficulty in providing it. GDPR compliance is not something that happens once, and then you forget about it. GDPR and privacy by design must always be on the agenda. Every new feature, every product change, must go through a DPO and must be scrutinized. Given that you might be held liable for something your partners do, you want to be sure you can trust them.
Moving on. It’s important to trust your partners, but you still have to take care of the processes in your own company. GDPR recognizes the concept of privacy by design, which imposes certain obligations on companies. Privacy by design means that you have to start thinking about data privacy at the earliest stage of your projects, and keep it in mind throughout the whole lifecycle of the project. In other words, ‘privacy’ is not something you can quickly slap on top when the development is over. You have to consider it from the very beginning, and it all starts with consent. GDPR says you’re not allowed to work with personal data unless you get the user’s consent. There are several exceptions, but not for most adtech companies.
So, you have to have a process in place that checks for every data entry that:
- First, you have a valid consent
- Second, this consent was not revoked later
There are two possibilities here: either you have the consent, or you don’t. If you don’t have consent, you can’t collect and process personal data, so if the data is required, you need to get consent from users. In some cases, you might have to do it yourself, obtaining consent directly from the users. In other cases, you have to make sure your partners have it. For example, they can pass consent on with a pixel integration, or you might create a legal agreement with them that says they can only send you personal data if they have the user’s consent. Don’t forget that the user might revoke their consent, and you have to stop collecting and processing personal data if that happens.
But what if you don’t have consent? It might mean that some of the solutions that heavily depend on personal data won’t work at all. We can use retargeting of specific users as an example. In order to retarget a user, you have to assign and store an ID, which is information that can identify a person. In other words, it’s personal data. You can’t use this kind of retargeting without consent, and your infrastructure should be prepared for it — no IDs should be generated or stored. However, it doesn’t mean the end of the world. What we did at admetrics is we implemented fallbacks for products whenever possible. For example, if we see that consent is missing, we don’t collect and process the data, making sure that we and our partners are safe, but we provide alternative options and solutions. In the case of retargeting, it falls back to segment-based targeting. For other projects, we might just disable some of the metrics. The only reason we can do this easily is because the system was originally developed using the privacy by design approach. GDPR made it a requirement for everybody, but the approach itself was well known in the engineering community before, and we always used it internally. When you can prove that you’re allowed to collect and process personal data, you have to store it, and you have to do it in a secure way.
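The audit step (identify which incoming fields are personal data) and the consent gate with its retargeting-to-segment fallback, as an added illustration that is not admetrics’ code. The consent store, the Geo IP table and the event layout are constructed stand-ins; it assumes consent records carry a grant timestamp and an optional revocation timestamp, and it never keeps the raw IP in the output.

```python
from datetime import datetime

# Fields this pipeline treats as personal data under GDPR (per the post: IP
# addresses, device IDs, and cookies that may carry identifiers).
PERSONAL_FIELDS = {"ip", "device_id", "cookie"}

# Constructed consent records (device id -> grant/revocation timestamps). In a
# real deployment these come from the consent-management system, not a dict.
CONSENTS = {
    "dev-123": {"granted": "2018-05-25T10:00:00+00:00", "revoked": None},
    "dev-456": {"granted": "2018-05-25T10:00:00+00:00",
                "revoked": "2018-06-01T00:00:00+00:00"},
}

# Constructed stand-in for a Geo IP database: /24 prefix -> country code.
GEOIP = {"203.0.113.": "NL", "198.51.100.": "DE"}


def personal_fields_present(event):
    """Audit step: which fields of an incoming record are personal data."""
    return sorted(PERSONAL_FIELDS & set(event))


def has_valid_consent(device_id, at):
    """Consent must exist, predate the event, and not be revoked before it."""
    rec = CONSENTS.get(device_id)
    if rec is None:
        return False
    if at < datetime.fromisoformat(rec["granted"]):
        return False
    revoked = rec["revoked"]
    return revoked is None or at < datetime.fromisoformat(revoked)


def country_from_ip(ip):
    """Derive the country metric; only the result is kept, never the IP."""
    return GEOIP.get(ip.rsplit(".", 1)[0] + ".", "unknown")


def process_event(event):
    """Keep only what the consent state allows; the raw IP is never stored."""
    at = datetime.fromisoformat(event["ts"])
    kept = {"campaign": event["campaign"], "viewable": event["viewable"]}
    if has_valid_consent(event.get("device_id"), at):
        kept["mode"] = "retargeting"
        kept["device_id"] = event["device_id"]
        kept["country"] = country_from_ip(event["ip"])
    else:
        # Fallback: no ID generated or stored, the country metric is disabled,
        # and targeting continues on the segment instead of the user.
        kept["mode"] = "segment"
        kept["segment"] = event["segment"]
    return kept
```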
To keep a long story short:
- It must be encrypted and you should send it to your partners in a secure way.
- It should be possible to erase data on a user’s request, including data from the backups.
- You must have implemented proper access policies:
  - Who can access the data
  - How employees get access
  - When you revoke access
  - And so on and so forth
- You must be able to handle data breaches properly. For example, GDPR explicitly says all data breaches must be reported to the supervisory authority within 72 hours.
Privacy by design is a good idea, but unfortunately, we do see an issue with it. GDPR mentions the approach, but does not define it in detail. The approach itself, even if it’s well known, is very vague. My definition of privacy by design and what it means to implement it, given my personal and professional experience, might be different from yours, and there’s no way to figure out who’s right by just looking at GDPR. This is an issue because we, as an industry, will have to wait for court decisions to see if the industry and the regulators understand privacy by design in the same way.
On top of GDPR, there’s a new ePrivacy regulation that defines when and how you need to ask for explicit consent to be allowed to set cookies or track users. We’re not covering it here, because only the draft of the regulation is available right now, but it’s another important piece of legislation you have to be aware of. We’re keeping an eye on it and waiting until it’s closer to being finalized, but we already have specific plans for different scenarios: pessimistic and optimistic ones. Feel free to subscribe to us or follow us on Twitter and LinkedIn to get the latest updates.