The General Data Protection Regulation (GDPR) has reignited many a hot debate on data and privacy with some arguing the new rules will negatively impact publishers and ad tech vendors. Leading up to GDPR, it’s thought some advertisers even considered pausing programmatic ad buying to avoid wrongly using audience data.
In addition to effects on adland, consumers have spent months being smashed with website popups forcing them to accept the new rules before proceeding, but will it all be worth it in the end? Can brands, tech giants and those that deal in data really be trusted and are consumers any wiser on what they are accepting?
CEO of data science and AI business Quantium, Adam Driussi, says the extent to which GDPR is a step-change as opposed to a simple step-up, depends on how a business has been managing its data to date. Quantium’s data has been de-identified by design and by default for 15 years, so he sees initiatives like GDPR as an opportunity. He says it made a very deliberate decision not to deal in personal information and all its core data-sets are de-identified by design.
“When someone chooses to share their data, you have to treat it like a special gift and use it for their ultimate benefit, whether to improve the products and services they use or transform the customer experience,” he said.
“When businesses lose sight of the people they exist to serve, that’s when problems arise.”
Australian advertisers have been warned — ignore GDPR risks at your peril.
Although it is unclear how much of an impact the new rules will have — and for many companies it could be minimal — the reality is any business that has a customer base in Europe is exposed.
Businesses that use digital platforms like Facebook and Google will also be required to contend with their new policies on GDPR, which largely places the onus on brands, publishers and agencies to ensure their consumer data practices are GDPR–compliant.
AdNews approached several industry and ad tech leaders to find out how the rules, which took effect on 25 May, would impact advertisers, and whether the market was prepared.
The new rules place a greater emphasis on businesses to make it very clear to customers about consent to use their data. This has led to myriad companies updating their data consent policies in recent months.
The data privacy issue: The Royals create AdNews July 2018 front cover:
Another major impact is the right for consumers to regain their data, which will require companies to implement data management practices that allow consumers to download their data easily and seamlessly.
Australian Association of National Advertisers (AANA) CEO John Broome said privacy and data are front of mind for larger advertisers and CMOs.
“There’s definitely a sense among advertisers, both locally and internationally, that when it comes to these issues brands need to be taking control and are being accountable,” Broome said.
“The way they want to do that is by being very consumer–centric, which you’d expect from advertisers.”
PwC director Sunita Gloster told AdNews a lot of companies are viewing GDPR as more of a compliance issue.
“Based on our experience, many Australian companies aren’t sure if they’re affected, let alone compliant. Australian companies may be caught up in the new rules without even realising it,” she said.
“Some though are using it to get their house in order — a data spring clean and an opportunity to gain a competitive advantage to build trust through data governance and to protect the asset they value most greatly, the customer.”
According to the World Federation of Advertisers, half of multinational brand owners surveyed last month believed their marketers have major knowledge gaps about the implications of GDPR on future marketing campaigns.
One ad tech business closely monitoring the effects is News Corp’s data–driven video marketplace, Unruly. It conducted a study, Navigating the Landscape of Trust, that asked 350 senior media buyers across the world for their views on GDPR and how it would impact the industry.
The results confirmed trust is a major concern for media buyers, as is ensuring that ad tech vendors are "honest, helpful and straightforward" and "consistently provide accurate reporting metrics".
Unruly's global CEO Norm Johnston told AdNews GDPR is a good thing because it encourages companies to carry out a “data detox”.
“Some bad practices and opaque processes have been built–up over the years and I think it’s been a good cleansing process for the industry to clear up who is responsible for what, and to bring some clarity to not only those in the industry, but consumers as well,” he said.
“It’s been an inconvenient benefit to the industry. What consumers are saying around the world is that they want to do business with brands that they can trust."
ADMA's acting CEO and chief operating officer, Steve Sinha, believes that companies who are not taking the trickle–down effects of GDPR on Australia seriously risk being stung.
“The reality is, people operating here can be affected by GDPR. One of the other implications is that it can affect anyone you may talk to who is a customer or recipient residing in the EU,” Sinha said.
He added that Australian–based publishers could be impacted, “even if 90% of their customers are in Australia and only a tiny proportion are in Europe”. Violations of GDPR can lead to significant fines of 4% of total global turnover to a maximum of €20 million.
“A material effect of that could be an SME in that environment versus a larger company, and that could become very tricky,” Sinha said.
“For those reasons people need to have an immediate macro overview and understanding of their own organisation to realise if there is any other part of the business right now that could be affected by this.”
Several industry leaders, including IAB Australia director of regulatory affairs Kamani Krishnan, told AdNews although the risks of failing to comply are clear, what is less apparent is how much the European Union intends to police GDPR.
Krishnan explained the new laws are principles–based, rather than being overly prescriptive or rules–based, which is common in the US. This means that regulators have a degree of flexibility over how they interpret and enforce the rules.
“There's aspects of GDPR that are similar to what we have here and then there are also aspects where the thrust of it and the principles in it are similar,” she said.
“But, then there are also new changes that go quite significantly beyond what we have here in the Australian Privacy Act. This includes the right to be forgotten or erased, and the right to portability."
Both laws foster transparent information handling practices and business accountability to give individuals confidence that their privacy is being protected, Krishnan explained, and they require businesses to comply with a set of privacy principles. And both take a privacy by design approach to compliance.
“In addition, privacy impact assessments — compulsory in certain circumstances under the GDPR — are expected in similar circumstances in Australia," she said."Both laws are technology neutral, which will preserve their relevance and applicability in a context of continually changing and emerging technologies."
This first year of implementation will be important to provide clues on how the EU goes after breaches.
“Until people understand, caution should be the order of the day," Sinha said. "No one wants to be the first person to push that and find out whether action will be taken or not."
Johnston said the challenge facing the industry is to find consistency in the consent frameworks and rules across the world.
“If someone like the IAB can step up and stitch together a baseline consent framework that’s applicable to the vast majority of markets I think that would be generally beneficial,” he said.
Will GDPR come to Australia?
Although it is unclear whether Australia plans to implement GDPR–based rules to clamp down on how companies here use data and protect consumer privacy — experts say that misses the point.
Broome believes it is incumbent on advertisers that use data to “restore trust, respect and confidence” after a litany of high profile scandals, including Cambridge Analytica’s use of Facebook to influence the last US election.
“We’ve all seen the trust metrics, particularly around advertising, in decline. A lot of it is derived from consumers' concern about their data and privacy," Broome said. "An advertiser can clearly see there is a link between trust and brand reputation, so it’s very much in the advertiser's interest to take the right tone of voice and leadership position with this.
“At the end of the day, just hearing from the digital platforms (such as Facebook and Google) is not going to be enough. We need to be hearing from brands because the relationship is between the consumer and those brands.”
Broome believes the GDPR could be the catalyst for change by governments around the world on data privacy and informed consent.
“It would be naïve for any advertiser, large or small, to ignore this," he warned. "Every business, regardless of what category you are in, needs to be compliant and needs the necessary oversight and governance when it comes to this type of thing.”
Broome said the Cambridge Analytica scandal may be the big issue of the day, but it just builds pressure on a long–term problem that has been snowballing for some time.
Johnston believes ultimately this will be positive for publishers because it compels them to have a direct relationship with their consumer base and gives them the “real ability to manage who is a processor and who is a controller of the data”.
“I also think it plays into context because you can’t rely strictly on cookie data or ID–based data, you must revert to context as a proxy,” he said.
“I think we’ve gone through a couple of years of getting a little bit carried away in the audience buying — just buying an individual anonymously regardless of where they were or the context they were in. I think this will rebound that equation a bit more where you will see a greater combination of both the audience and context coming together.”
What should advertisers do?
Experts who spoke to AdNews all agreed on one point — GDPR and how companies use data and protect consumer privacy should be hard–baked into how their business operates and their data management infrastructure, rather than being viewed as a compliance headache.
PwC’s Gloster told AdNews that a successful GDPR strategy must include the marketing department.
“Marketers are often the ones who lead the collection of personal data from customers, and the way the request for consent will be communicated. They are also the ones who will be responsible for communicating with stakeholders after a data breach,” Gloster said.
“GDPR vigilance is absolutely at the doorstep of the marketer. Every time they target through a new media channel, engage a new third–party, use a new analytic tool, or implement a new platform or system, a GDPR framework needs to be considered.”
IAB Australia explained that given the similarities between GDPR and Australian law, businesses may already have some of the measures in place which will be required under the European regulation.
However, if an Australian company is required to become GDPR–compliant (because it has a branch in the EU, or processes EU citizen data) then it will need to take two immediate steps:
- 1. Map your data practices; begin taking steps to evaluate your information handling practices and governance structures to understand what changes you need to enact before commencement of the GDPR.
- 2. Immediately revisit your consent requirements. Under the GDPR, consent requirements are stricter than under the Australian Privacy Act and many other national laws. If you rely on consent to process personal data, you will need to ensure previously obtained consents are still valid. You may have to collect new, replacement consents. You must ensure consent is documented.
Media agencies are looking at this issue carefully and helping clients navigate the new requirements.
MediaCom Australia group digital director, Sam Russell, told AdNews it has only been in the past few months that clients have been thinking about GDPR more seriously.
“For many of our clients, there aren't many direct implications. It's more around just being conscious of how they're managing audience data from European IPs because most of our clients don't directly deal with European markets,” Russell said.
“There will be some slight tweaks immediately. But, I think it will be very much a case of taking the time to understand what's going to happen in those European markets, what changes are going to be made from an ad tech perspective, and then building those learnings out here over the course of the next year or two, with a view that those changes are likely to roll ahead.”
Russell believes some of the major impacts on clients will be greater scrutiny of how they use data on digital platforms like Google and Facebook.
“There's greater accountability now on the client side of how that data has been collected before it can be executed against,” he said.
“There will be far more consultation internally around being sure that the right processes have been put in place. So, it may make the process of using data in this market a bit more cumbersome.
“But, predominantly using the same third–party and second–party data techniques won't really change overnight here.”
Russell doesn’t believe there will be many instances where data hasn’t been used correctly, although the focus now will be sharper on how data is collected in the first place and whether it is done so with a consumer’s privacy in mind.
Dentsu Aegis Network ANZ chief data officer, Phil Zohrab, agreed that not a huge amount should change for most clients and that media agencies have been preparing for the changes for some time.
"We already have in place people, processes and platforms to support clients that may be regulated as data controllers under the GDPR and are reliant on us as their data processor,” Zohrab pointed out.
“The GDPR doesn’t stop or hinder the use of personal data in advertising, but it does place a greater focus on accountability and transparency to consumers around when their personal data is being collected and how (and by whom) it is being used.
"It can actually be viewed as an opportunity for brands to build greater consumer trust and confidence.”
IAB Australia’s advice is that brands (classed as ‘data controllers’ under GDPR) and agencies (‘data processors’) will shoulder responsibility for GDPR compliance and need to implement measures to ensure data is processed securely and protected adequately.
“For example, a key requirement of the GDPR is that a controller must only use processors that provide sufficient guarantees that they will implement appropriate technical and organisational measures that ensure compliance with the GDPR and protect the rights of the data subject,” Krishnan explained.
“In the context of digital advertising, a brand seeking to be GDPR–compliant will now be required by law to partner only with an agency that has provided formal guarantees around data protection and handling processes associated with brand’s data.”
Whether a business sits on the brand (controller) or agency (processor) or publisher side, it is clear that GDPR and its potential implications on Australia should not be ignored, irrespective of the potential punitive risk.
The way companies use consumer data will be changing regardless and smart advertisers will view this as an opportunity to improve their customer relationships, not to appease EU regulators, but to provide a better service.
This article follows Data Management Platform 101. Keep an eye on AdNews for the next part of our data and privacy feature: 'GDPR's impact on ad tech'.
AdNews is proud to deliver strong, independent and credible news 24-hours a day, almost 365 days a year. We know our free, online news helps power your career and knowledge. But, can we ask a small favour? To fund our ongoing commitment to delivering the best industry news, that you show your willingness to support us by taking a digital subscription to AdNews magazine? The cost is less than $50 for the entire year, and $4.94 per issue. Support AdNews. Support journalism.
Have something to say on this? Share your views in the comments section below. Or if you have a news story or tip-off, drop us a line at firstname.lastname@example.org