Various recently released polls paint contrasting pictures of how prepared the industry is. A World Federation of Advertisers (WFA) survey published last month found that 98 percent of respondents were actively working on GDPR, whereas an Ensighten study earlier this month found that only 26 percent of UK marketers were “very confident” that their data procedures are compliant with regulations.
One company feeling confident in its preparations is OpenX. OpenX began working towards compliance over a year ago, says Douglas McPherson, the company’s chief administrative officer and general counsel, and announced back in January that it had met its publisher obligations under the regulation.
Nonetheless, McPherson told VAN, the company has had to make judgement calls which could be questioned by regulators, and has at times had work on its hands getting others in the industry to cooperate.
Applying a Broad Regulation to a Specific Industry
McPherson says the first step towards compliance for his company was to try and figure out exactly what was required of it under the new laws.
“One of the challenges with the GDPR is the regulation was written to cover all industries, so there were a number of questions we had to face about how this broad regulation applies to our particular business,” he said.
As such, the company pulled together a cross-functional team internally, and engaged outside privacy counsel in both the US and EU to provide legal advice on what the company’s obligations are. Based on this advice, internal policies involving data were reviewed and revised, and in some cases completely rewritten. This then resulted in OpenX implementing a new data processing agreement into its exchange last October.
Data processing agreements are required under the GDPR where any company processes personal data on behalf of a ‘data controller’ (defined by the GDPR as “the entity that determines the purposes, conditions and means of the processing of personal data”). The GDPR lists specific information these agreements must contain, meaning the likes of OpenX have been required to update any existing agreements to fit these criteria.
Once the data processing agreement for OpenX’s exchange was finalised, the focus switched to sorting out data processing agreements with sub-processors it works with, since OpenX passes on data to a number of other companies.
“We had to look at all of our data flows and create a comprehensive data map, and understand not just how our exchange works, but also all of our internal corporate and employee processes,” said McPherson. “One of the GDPR requirements is that, to the extent we’re engaging companies to help us process our employee data, we have to put agreements in place with all of them.”
With all of this done, McPherson says he is confident that OpenX is as prepared as it can be for May 25th.
Struggles for Cooperation and Clarity
Getting all of this finalised threw up several challenges along the way. One issue was that while OpenX itself was keen to reach compliance safely before the deadline, many other companies have been less enthusiastic, which McPherson said was problematic as GDPR compliance requires a fair amount of cooperation.
“One of the complexities of this is that companies can do everything they can internally, but GDPR compliance requires companies to work together, and in many cases it requires industries to figure out industry wide solutions,” he said. In ad tech, with so many companies passing data back and forth, this cooperation is essential.
For example, McPherson explained that hashing out data processing agreements with sub-processors was a slow process due to the fact that many of these sub-processors for a long time weren’t putting much thought into how GDPR would apply to them, and what they would be asked to do.
This example highlights one of the other issues McPherson outlined – that there has been a lack of clarity around exactly what GDPR means for various sections of the ad industry, which in some cases has led to inaction.
“The regulation is vague, and applying it to any particular industry involves some judgement calls along the way,” said McPherson. “Those can always be second guessed by a regulator down the road, but so far we’re confident in the decisions we’ve made.”
McPherson is not alone in this analysis, as others in the industry have commented on a lack of clarity over how exactly GDPR will apply to them. For example, Marcus Runacus, chairman of the Direct Marketers Association (DMA), last year called for “clear and consistent guidance” on how GDPR will be enforced, describing it as “a matter of urgency if we are to meet the 2018 deadline”.
A YouGov survey conducted last year on behalf of law firm Irwin Mitchell suggested that this confusion around GDPR has been widespread, finding that many UK advertising firms held misconceptions around the regulation. For example, 31 percent of those surveyed believed that GDPR would have no impact on their business, and would not be an issue for their sector.
While uncertainty remains around GDPR, McPherson feels the industry has become much more focussed on tackling the problem in recent months, saying that he’s been “really impressed to see the level of engagement across the industry, especially in this last month or two”. And while it’s still impossible to predict exactly how GDPR will be regulated, he believes that the best response to these uncertainties is for companies to be flexible and adaptable once GDPR is in effect.
Flight to Quality, with Collateral Damage
Though there have been challenges with reaching GDPR compliance, McPherson seems to be generally in favour of the new rules, and believes they could have a genuine positive impact on the industry.
“I think it’s pretty clear that GDPR raises the standards of data handling, by laying out these seven very clear principles around privacy by design and data security,” he said, “and not every company is going to have the commitment to meet those standards.”
He says this will therefore accelerate a “flight to quality”, where companies not committed to respecting user privacy and using secure data handling processes will be weeded out, and unable to continue operating in the EU.
He also thinks the regulation is opening consumers’ eyes to the benefits of digital advertising. “I think it certainly heightens everyone’s understanding of the importance of internet advertising in its place of maintaining all of this free content that we all use and enjoy every day,” he said.
However, he also fears there will be a significant amount of collateral damage. For some companies struggling to comply, it might not so much be a case of a lack of commitment as a lack of resources. Small companies, for example, won’t necessarily be able to employ counsel from the US and EU to advise them on what their obligations under GDPR are, in the way that OpenX was able to.
Verve, an ad tech company which announced its withdrawal from Europe earlier this year thanks in part to GDPR, hinted that the issue was not a lack of commitment to user privacy, but the high cost of compliance. Verve’s international general manager Ian James told The Drum that he was confident in his company’s ability to reach compliance, but the cost of doing business in the EU would be too high with GDPR in play. “You have to make a judgement call as to whether that’s best spent in Europe, or best spent in the core market of the United States, and that’s a call the Verve board has made,” he said.
McPherson described how small publishers might similarly have to pull out of Europe. “I’m sympathetic with smaller web publishers who are working hard to make content available,” he said. “They rely on advertising to support their efforts, and GDPR puts a lot of responsibilities on them that they may not have the resources to meet.”
As VAN reported last week, some publishers may be forced to make their domains unavailable to EU users. “There won’t be as rich and fertile an internet available for EU users,” said McPherson.
GDPR “A Strong Start” to Fixing Privacy Issues
Alongside holding concerns around collateral damage, McPherson remains uncertain whether the regulation really gets to the core of dealing with privacy issues which consumers really care about.
“GDPR is certainly requiring massive changes by the industry,” he said. “Will those turn out to address the real problems, and give users the protection that they want? I think it’s a very strong start. Are there some areas that are missed? Perhaps.”
McPherson says the problem here with making predictions comes down again to ambiguity in how the GDPR will be interpreted and enforced by regulators, and so the exact consequences will only be known once it goes live. Only then, he says, will it be clear whether the gains made for consumer protection outweigh the costs borne by the advertising ecosystem.