Keynote: Are You Ready for GDPR? - Michele Appello

00:00

[Music]

00:09

alright hey everybody my name is

00:13

Michelle a pillow and I wrote this

00:16

working paper it's called the GDP our

00:18

compliance primer and what it does is it

00:21

has some steps for businesses in my

00:23

industry to take to help them better

00:25

prepare for the GDP our and I'm also the

00:28

senior business director for improve

00:30

digital and this is a company that works

00:33

it's an ad tech company that works in

00:34

digital marketing so before I start I

00:36

just want to say there's a lot happening

00:38

in Europe this week I'm not sure if

00:40

you're aware solo came out I don't know

00:43

has anyone seen it I haven't seen it yet

00:45

but I plan to my Halloween costume last

00:48

year was Chewbacca that's me but also

00:53

new to Europe this week was the

00:55

implementation and the enforcement of

00:57

the GDP our that's the general data

00:59

protection regulation and this is

01:02

something you've probably noticed in

01:03

your inboxes as Vincent mentioned with

01:05

all the emails about please let us keep

01:07

writing you and emailing you this is a

01:09

european-wide

01:10

regulation for businesses whether

01:12

they're in Europe or not it's about

01:14

processing the personal data of European

01:17

citizens so I'm going to talk about this

01:19

today I'm gonna talk about my story on

01:21

how I got involved with the GDP our

01:23

we'll go through the background where it

01:26

came from and we're gonna look at some

01:28

key definitions so you can better

01:30

understand this law and we'll go through

01:32

those seven steps as well so we're gonna

01:35

start with this photo this was taken

01:37

from the balcony balcony of my office in

01:40

January of 2017 this is when I started

01:44

my deep dive into the GDP our and for

01:47

reference this is the same place taken

01:52

last month same photo the same spot so a

01:55

building went up during this whole time

01:56

so back in January 2017 I was a bit

02:01

concern I knew this gdpr was coming up

02:03

the regulation actually came out in May

02:05

of 2016 so were eight or eight months

02:08

into that two-year window to be able to

02:11

prepare for the regulation

02:13

so I asked my company my management team

02:15

I said hey what are we gonna do for this

02:17

we're in digital marketing I know we

02:19

need to do something and they said well

02:21

we're just gonna wait and we'll see what

02:23

the industry is going to do and that

02:26

really scared me and that scared me

02:28

because of the industry I work in so

02:30

this is a like kind of screenshot of

02:33

digital marketing in Europe and it can

02:36

look a bit complex you have a lot of

02:38

companies here so let's make it a bit

02:40

easier so in digital marketing you have

02:42

sellers you have companies like

02:44

publishers and website owners and they

02:47

sell ad space so they sell the space

02:49

where the ads run and you have buyers up

02:51

by as on these spaces and you have a lot

02:54

of tech companies that provide tools so

02:56

you have data providers they segment

02:58

audiences based on demographics and

03:01

interests and intent you have tech

03:04

providers that do viewability to show if

03:06

the ad can be seen also brand safety

03:09

providers to see if the ad is safe in a

03:12

brand safe environment and you have

03:15

buy-side platforms which actually do the

03:18

purchasing like in a programmatic

03:20

fashion through machines and sell-side

03:22

platforms and this is where my company

03:23

sits we are a sell side platform so we

03:26

auction off ad space for our publishers

03:29

and broadcasters and site owners we

03:31

actually get a request we send some

03:35

information about the ads to the space

03:37

the website name the cookie ID and the

03:40

IP address those are important points

03:42

for gdpr

03:42

and we send that bid request to the

03:44

buy-side and then they respond with the

03:46

response and then we run an ad so what

03:49

scared me was that in order for this all

03:51

to work we need data we need to use data

03:53

namely cookies and IP address which I

03:56

knew there was some problem with that

03:58

with the gdpr

04:00

so I took a Friday afternoon at my

04:02

office back in January and I read it and

04:05

yeah it was it was a rough read I'm not

04:08

a lawyer

04:08

I don't like legal terms but I read

04:10

through the GE PR and I made a list of

04:12

steps that my company could take to

04:15

better prepare and they made a

04:17

presentation for my company and it had

04:19

information about the GDP are here are

04:21

these steps here the fines

04:25

I gave this presentation and this was

04:27

their reaction for my a management team

04:29

actually my CEO said well this is this

04:35

could be bad if we don't get ready for

04:36

this we might as well close shop and

04:39

start selling bikes or maybe even sell

04:41

weed because you know we're not going to

04:42

be able to survive if we don't prepare

04:44

and she was right businesses really need

04:47

to prepare for this and and take some

04:50

steps to assure they're gonna be

04:51

compliant and avoid the heavy fines so

04:55

before we start talking a bit more on

04:57

GDP our let's look at the background

04:58

like where does this all come from so in

05:02

December of 2000 there is this document

05:06

published by the EU it was the Charter

05:07

for fundamental rights and this was a

05:09

document that listed all of the basic

05:12

rights of a European citizen and in it

05:15

there is an article that really closely

05:17

ties into GDP are and that's article 8

05:20

and it says everyone has the right to

05:23

the protection of personal data

05:24

concerning him or her basic right and it

05:28

also says that such data must be

05:29

processed fairly for specified purposes

05:31

on the basis of consent or some lawful

05:35

legitimate basis laid down by law and

05:38

everyone also has the right to to get

05:42

information about the data that's

05:43

collected on them and the right to

05:45

rectify it and this is really the basis

05:48

of where this all stems from now this

05:50

came out in December of 2000 yesterday

05:53

the law was just enforced this is 2018

05:55

that's 18 years later right so mind you

05:57

it came out in 2016 still 16 years is a

06:00

long time so why why did I take that

06:03

long can I get a show of hands for

06:07

anyone who knows who this is

06:08

okay yeah I figured that so this is

06:11

Edward Snowden he was a CIA official

06:13

employee in the US and in 2013 he leaked

06:17

a classified information about yeah

06:21

these global surveillance programs that

06:23

were being run by the US and the

06:24

European government and this really

06:26

brought dot a privacy front and center

06:29

into the public eye you couldn't escape

06:31

this it was on the Internet it was on

06:32

the news people held him a hero or a

06:35

traitor and it really made people start

06:37

to think we

06:38

what's happening with my Dada I don't

06:40

know what's happening people are

06:41

watching me and they're processing

06:43

things and I never gave consent and as a

06:45

European citizen that's my right I have

06:48

that right I have to give consent and I

06:50

think this is really what got those

06:52

regulators to kind of spring into action

06:54

and put some rules around to protect

06:56

these rights so that's where I think it

06:59

really started to get some action behind

07:01

it so what's the GDP our general data

07:06

protection regulation we know that it's

07:08

a european-wide regulation and it

07:10

focuses on the protection of data of

07:12

European citizens data and the security

07:14

of that data so privacy and like I said

07:18

this is for any business that is either

07:20

inside or outside the EU you could be

07:22

based in the US or another country if

07:24

you're processing the data of European

07:26

citizens you must have a lawful basis

07:28

and if you don't you can face some heavy

07:30

fines and the difference between this

07:34

regulation and other directions that

07:36

have come out in the past is that with

07:38

this one it has some teeth so we had the

07:41

e privacy directive that came out a few

07:42

years back this actually hit the

07:45

Netherlands quite hard but that was more

07:47

of a directive so every member state

07:50

every country can regulate it on their

07:52

own and decide what fines there were

07:53

these fines a european-wide and the

07:56

fines can be up to the greater of 20

07:57

million euro or 4 percent of the

08:00

businesses global turnover this is huge

08:03

this can actually shut down small to

08:05

medium businesses my companies have

08:08

small to medium business so again this

08:10

is a bit scary for me and there is this

08:12

company this global analyst for an opium

08:14

and he did some research with interlinks

08:16

and they found here 52% of global IT

08:18

decision makers thought they would be

08:20

fine due to the GDP are and they also

08:23

found that two-thirds of those companies

08:24

thought they're gonna have to change the

08:26

European strategy because of GDP our so

08:29

this is something not to take lightly

08:30

and you really as a business need to

08:32

understand what your rules and

08:34

responsibilities are and make sure that

08:36

you're compliant so let's look at some

08:39

key terms and definitions with a GDP our

08:41

first one personal data so GDP our

08:45

defines personal data as any information

08:48

related to an identified or identifiable

08:50

subject

08:51

that's a data subject natural person and

08:53

they can be identified directly or

08:56

indirectly through the use of things

08:59

such as a name an identification number

09:01

location data or online identifiers

09:04

online identifier is very big for my

09:06

industry again we use cookie ids and IP

09:09

addresses these are considered personal

09:11

data also things considered personal

09:14

data agent ID device ID Android ID ID FA

09:19

any online identifier is considered

09:21

personal data so now understanding this

09:24

definition of personal data can I get a

09:25

show of hands on you or your business do

09:28

you deal with personal data ok quite a

09:32

lot next definition data processing so

09:37

data processing is defined as any

09:39

operation or set of operations performed

09:41

upon personal data be it automated or

09:44

not so it doesn't have to be manual it

09:46

could be any kind of automated and this

09:48

includes things such as collection

09:50

recording structuring to sense this

09:53

summation by transmission disclosure so

09:55

sending it out elsewhere sharing it

09:57

deleting it anything you do any set of

10:00

operations with personal data is not a

10:02

processing so one more time a show of

10:04

hands or how many of you or your

10:06

businesses are doing data processing ok

10:09

quite good amount so gdpr is going to

10:13

apply to you and your business something

10:16

else to consider about gdpr is what is

10:18

your role in processing data

10:20

so are you controller or are you a

10:22

processor now controllers decide and

10:25

determine how data is going to be

10:27

processed they set the rules they have

10:30

the the Mort the ownership whereas a

10:32

processor only processes data on behalf

10:35

of the controller so this would mean

10:37

that controllers on a depr have to

10:39

provide a set of rules to processors on

10:42

what they can and cannot do with their

10:44

data is an article in GDP our it's

10:47

article I think 32 and it says that both

10:50

controllers and processors must put in

10:52

place the technical and organizational

10:54

measures to ensure that there is proper

10:57

security appropriate to the risk now

10:59

this means is that both controllers and

11:02

processors are liable under the GDP are

11:05

they both must build whatever technical

11:07

things are necessary to be compliant and

11:09

they must have their organizational

11:10

measures these are your contracts

11:12

contracts with vendors contracts with

11:14

your clients maybe even with your

11:15

employees so something also to consider

11:17

it's not just the controller if one

11:20

person gets fine in the chain everybody

11:22

can get fined

11:24

now the GDP argh is a set of lawful

11:27

basis for processing personal data I'm

11:29

not going to go over all through all

11:30

these if you want to take a photo fine

11:31

but it's a lot so the ones that my

11:34

company is looking at my industry the

11:36

the main ones are consent so data

11:39

subjects giving consent for the

11:40

processing of his or her personal data

11:42

for specific purposes very important

11:45

here you need to list what those

11:46

purposes are so you can't say hey can we

11:49

have your consent to process data for

11:51

this reason and then do something else

11:53

with it that's not allowed and another

11:55

reason another lawful basis is about

11:57

legitimate interests so legitimate

12:00

interest is a bit of a gray area we

12:02

don't know how this is going to be

12:03

regulated but what it means is that it's

12:05

a pursuing an injury a business has to

12:08

pursue legitimate interest or the

12:10

controller has to pursue legitimate

12:11

interest for their business and they'll

12:14

be able to do this as a lawful basis if

12:16

that does not override the rights of

12:18

European citizens it's a very gray area

12:20

hmm so some businesses are choosing to

12:23

use this some are not my company is

12:25

looking at consent because for us

12:27

consent is clear this is either have

12:29

consent are you doing and these are the

12:33

steps I wrote and I created for my

12:35

company and what they can do to better

12:38

prepare for GDP are and we're going to

12:40

go through them and I'm going to give

12:41

you some examples where I can on like

12:43

what we've done

12:45

so the first step and very very

12:48

important step review and document all

12:50

your data processing activities and

12:52

security measures

12:53

you can't know if you're compliant or

12:56

ready to deal with the law about data

12:59

and security if you don't know what

13:01

you're processing and what your security

13:03

measures are you need to do a full audit

13:04

and really look deep dive into

13:06

everything you're doing so this is what

13:10

my company did it's you're not going to

13:11

be able to read this but in short after

13:13

that meeting I had with the management

13:15

team i sat with our CTO

13:18

we identified five people at our company

13:20

that combined to list all of the data

13:23

processing activities that we do and I

13:27

made an excel sheet and I sent it out to

13:29

each of them and it had questions in

13:31

there like what is the process why are

13:33

we processing data are we sending the

13:36

data elsewhere or outside of the EU

13:38

there's also laws in gdpr about cross

13:40

border transfer does the data contain

13:43

any personal data do we have a lawful

13:45

basis for processing the data what is

13:48

our role so all of these things we had

13:50

to consider I got information in the

13:52

spreadsheet and I plugged it into a

13:54

master sheet and I color-coded it now

13:56

things you could think about from Adana

13:58

professional data

13:59

yeah that aside if you're doing data

14:01

mining or your company's data mining

14:03

where are your sources do those sources

14:05

have a lawful basis for getting the

14:06

personal data and data warehousing where

14:09

is it being housed is it inside or

14:11

outside the EU do you have all the

14:13

security measures in place that you need

14:15

so these are things you need to think

14:16

about even big data analytics who has

14:18

access to this Dobby have to think about

14:20

accessibility and restricting it to a

14:22

need-to-know basis so after I do this

14:25

first color code what this is is saying

14:27

what's a high risk low risk and medium

14:29

risk so for example the green would be

14:31

low risk maybe there's no personal data

14:33

or it's completely anonymized then we're

14:35

okay

14:35

the yellow or the red that's something

14:38

we need to dig further into either we'd

14:40

have to build something or put some

14:41

contractual things in place to assure

14:44

we're compliant so we did this and also

14:47

these red and yellows we did something

14:48

called a data protection impact

14:50

assessment which I'll get into a bit

14:52

that's really a deep deep dive into this

14:54

process and it lists everything which is

14:56

a very handy tool for regulators next

15:00

step so you've done all your review you

15:03

know all the data that you have great

15:04

now you have to create a roadmap what

15:07

are you going to do what do you need to

15:08

build in order to prepare for this

15:11

regulation and be compliant now I can't

15:13

show you our roadmap but I'm going to

15:15

show you a little bit of logic on

15:16

something I wrote it really was just

15:18

trying to think about how we're going to

15:20

handle this so my business like I said

15:23

we auction off ad space and in doing so

15:26

we don't have first contact with the

15:28

user or data subject we can't get

15:31

consent and ask

15:32

user hey can we process your data

15:33

because we don't speak with them our

15:35

publishers do and our website owners do

15:37

and our broadcasters do so we needed

15:40

them to ask for consent from us and

15:41

somehow send it in some kind of signal

15:43

this is just a basic table to show okay

15:46

what value can a publisher send us if we

15:48

get a 0 that would mean opt out so we

15:51

can't process the dato or no consent and

15:53

then if you get a 1 or a 2 that means a

15:56

lawful basis that means that they have

15:58

opted in we can process the data or

16:00

they've publishers chosen legitimate

16:02

interest then we'll go ahead and process

16:03

let me actually make this a bit easier

16:05

this is a little flow I made you've got

16:07

the user here and so they start off and

16:10

they go to the publisher website and

16:11

they get a little consent manager

16:12

question hey we're gonna do this stuff

16:15

with your data here's our purposes can

16:17

we can we process it and can our vendors

16:19

process the data they make a choice the

16:22

website then sends us a signal where the

16:23

ad monetization platform and based on

16:26

that signal based on the value we

16:27

receive you make our choice if we

16:29

receive that one or two so that's a

16:31

consent or legitimate interest we go

16:33

ahead and we run our ad option which

16:35

requires sending a bid request out to

16:37

the DSPs with some information personal

16:40

data they respond and we run an ad

16:42

because here by sending out this bid

16:44

request were processing data now if we

16:47

were to get a zero no consent or opt out

16:50

then we don't process we do raw a log it

16:52

in our raw logs just to show that we

16:54

haven't got anything further but we're

16:56

not sending it out or doing anything

16:57

else with it and then what if we get an

17:00

empty value what if something went wrong

17:02

then we just get an oh well we have to

17:05

do an extra check we have to see where

17:06

is the user because it's about European

17:08

citizens so if the user is in the EU

17:11

then we don't process the data but if

17:13

they are then I'm sorry if they aren't

17:15

in the EU then we can process the data

17:17

this is a very simple basic logic I'm

17:20

not a not a professional but it's just

17:22

some way to think about how we were

17:24

thinking about this from our point of

17:25

view and what we do in the industry and

17:28

there's also actually some more

17:31

standardized ways to do this that

17:32

actually help the lawful basis be sent

17:35

across the digital marketing ecosystem

17:37

because this is just for us to receive

17:39

from our publisher we'll get to that in

17:41

a bit another step appoint a DPO or

17:46

Protection Officer so a Donna Protection

17:48

Officer or dpo is responsible for

17:51

rolling out the compliance for a

17:53

business on their data privacy

17:55

responsibilities so like the gdpr in the

17:59

regulation states there are three cases

18:01

where a business must hired EPO so one

18:05

is if the local laws require it another

18:09

is if the business is monitoring data

18:11

subjects on a large scale and another is

18:14

if the business is processing large

18:16

amounts of sensitive personal data a

18:18

sensitive personal data is actually even

18:20

more restricted on a gdpr I couldn't get

18:22

into it in this talk because I would be

18:24

going on forever but you could talk to

18:26

me after I can talk to you about that so

18:28

my business we we do the large a large

18:31

amount of monitoring because we do these

18:33

ad requests and we're talking billions

18:34

of ad requests so this is at scale so we

18:37

had to hire a DPO and we hired somebody

18:40

who actually is really great because

18:42

he's not only someone with legal

18:44

background but he used to be an engineer

18:45

so I would request or I would say to you

18:49

if you're looking for dpo try to find

18:51

someone with a good mix of that tech and

18:53

legal it'll be very handy when you're

18:54

looking to build things later now under

18:57

the GPR actually add EPO has special

19:00

protection like a business can't fire a

19:04

DPO for how they perform their job and

19:06

they can't yeah

19:09

put any kind of fines or infringement

19:10

sar them for doing something within

19:12

their role and this is very important

19:14

this means that a DPO can remain neutral

19:17

so imagine a business is really wanting

19:21

to make more revenue and they want to

19:23

get products out fast and they want to

19:24

build and release and build and release

19:25

and they're not really having first in

19:28

mind

19:28

daata responsible you know GDP our

19:31

regulations and responsibilities where

19:33

the DPO they're first and foremost you

19:36

know responsibility is compliance so by

19:38

having that special protection they can

19:39

do their job and not worry about the

19:41

politics that they might face another

19:45

step create data protection impact

19:48

assessments so this is I mentioned this

19:50

earlier when we have the high and medium

19:52

risks things and what this is it's a way

19:56

to document your process even further to

19:59

really

19:59

get everything down what it is it

20:01

assesses any risks that you might be

20:04

facing with this process or new products

20:06

this is also important by the way for

20:09

after you do your review you're going to

20:11

continue to go as a business so you're

20:12

still going to make new products so

20:14

every new product you make you have to

20:15

ensure that it's not going to break the

20:17

law so that's why by doing this document

20:20

you see how you're going to mitigate

20:22

your risks how are you going to deal

20:23

with any risks you set a plan you list

20:25

your business code of conduct and in

20:27

there you even have a conclusion and

20:29

this is a very handy tool to have

20:30

because if regulators come knocking on

20:32

your door and say what are you doing

20:34

with gdpr

20:34

you could say I'm doing a lot look hand

20:37

them a stack of paper and they can see

20:38

everything that you've have ready done

20:40

that was high risk medium risk what

20:42

you're going to build and how you

20:43

thought about gdpr

20:44

and how you're going to assure that

20:46

you're compliant next up review and

20:51

amend all your existing contracts and

20:53

privacy policies this falls under the

20:56

organizational measure so that I

20:57

mentioned earlier so your contracts you

21:01

have contracts probably with vendors

21:02

with your clients even your employee

21:04

contracts you need to review all that

21:06

just to make sure that everything in

21:07

there is still making sure you're

21:09

compliant with the law this is something

21:11

that your legal team or your DPO would

21:13

handle not probably you as a having to

21:15

do it and also your privacy policies

21:17

well your privacy policy is how your

21:19

business internally handles data what

21:22

they do what are your internal rules

21:24

what can you and what can't you do so as

21:26

an employee you can't dig into people's

21:28

personal data and send it out to friends

21:30

yeah basic thing so you might need to

21:32

review your privacy policies and make

21:34

sure that it's you know in line with the

21:37

regulation and there's also privacy

21:38

notices this is your external facing

21:41

privacy policy so what you have on your

21:43

website what are you telling your users

21:45

you might have to review and you'd have

21:47

to probably amend that as well establish

21:52

a one-stop shop with a DPA well what's

21:54

the one-stop shop and what's the DPA

21:56

first the DPA they are the government

21:59

regulators this stands for data

22:00

protection Authority so they're the ones

22:02

that will be coming and knocking on your

22:03

door and either putting fines or asking

22:06

about your compliance and the one-stop

22:08

shop this is a concept that was

22:10

introduced on your gdpr

22:12

and

22:12

this allows for a uniform application of

22:16

your compliance across the EU then I'll

22:18

explain why

22:19

so under GDP are you know they tell you

22:24

what you need to do they did they tell

22:26

you that you have to have a lawful basis

22:27

to process personal data but they don't

22:29

tell you exactly how to do it there's

22:31

some things that are left for

22:33

interpretation so each member state or

22:36

each country can interpret things

22:37

differently so imagine you're a business

22:39

operating across Europe and you're DPO

22:43

would have to go to every single DPA so

22:46

one in every country or member state and

22:48

say here's what we're doing and you may

22:50

have a few that say that's great

22:51

works for us but maybe two or three

22:53

countries say well I want you to change

22:55

this I want you to tweak this this isn't

22:57

really that we don't interpret it as

22:58

being compliant so what does that mean

23:00

as a business you then have to build

23:02

segments and different parts of your

23:04

products to go for each each country or

23:07

member state it's not scalable it

23:08

doesn't make sense

23:09

so gdpr allows for this one-stop shop

23:12

and what it is is your dpo would go to

23:15

the DPA data protection authority in the

23:19

place that you have your headquarters so

23:21

you have to have a headquarters in the

23:22

EU in order to do this so they would go

23:25

and speak to the DPA in the location of

23:27

your headquarters and that DPA then

23:29

becomes the lead DPA and it's up to that

23:32

lead DPA that regulator to roll out your

23:35

compliance across you that gives your DP

23:39

oh one point of contract contact and not

23:41

having to go to many different people so

23:42

it's it's a very handy tool so if you're

23:44

operating in multiple countries and

23:46

Member States and if you have a

23:48

headquarters in the EU you really should

23:50

consider strongly consider establishing

23:52

a one-stop shop now if you're operating

23:57

a multiply member of states but you

23:58

don't have a headquarters in the EU you

24:00

can't set this up so that's a bit tricky

24:02

and you may think well what about brexit

24:04

what about the UK they're leaving well

24:06

right now they haven't left we don't

24:09

know what the rules are about they're

24:10

leaving with the agreements are going to

24:12

be so for now if you have a headquarters

24:13

say in London it should be okay

24:15

after brexit I can't tell you have to

24:18

wait and see what they what they say and

24:20

the last step is to inform stay informed

24:24

and enforce so what this means

24:26

is you need to speak with their clients

24:28

and your external vendors and let them

24:31

know what you're doing and what your

24:32

approach is to the gdpr so what my

24:35

business did is we sent out compliance

24:38

packets for gdpr to our publishers to

24:40

let them know what our approach is and

24:42

what they can do and what signals they

24:44

need to send us and you also need to

24:46

think about enforcement as a business

24:50

what will you do if you're dealing with

24:52

a vendor and you have your contracts in

24:54

place but they break they do a breach

24:55

they do something against your contracts

24:58

or your gdpr

24:58

how are you going to enforce that how is

25:01

a business will you enforce if an

25:03

employee breaks your privacy policy just

25:06

things to consider you should document

25:08

and really be prepared to put in place

25:10

to protect you and to protect your

25:12

business now this is um this URL here

25:17

IAB Europe dot EU this is where you can

25:19

get some resources about the gdpr so

25:22

back when I did this presentation I took

25:25

these steps and I went to IAB Europe IAB

25:28

Europe is a an association that the

25:30

leading European Association on digital

25:32

marketing and I was in their privacy

25:33

taskforce which looked at regulations

25:35

and I said can we put something out for

25:38

the industry something that they can use

25:39

as a tool to help prepare so I gave them

25:41

these steps and we created the GDP our

25:43

compliance primer and put this out it's

25:45

available on the website and then since

25:47

then they also created this thing called

25:49

gig

25:49

it's the gdpr implementation group and

25:51

they produced a lot more working papers

25:53

they have one on consent data subject

25:56

requests personal data controls and

25:59

friend processors so something you might

26:00

want to have a look at if you're

26:01

interested in reading up more on the

26:03

gdpr

26:03

and you know what we're doing and some

26:06

tools for you also this this is the

26:09

transparency and consent framework so IB

26:12

Europe decided to make a standardised

26:14

way to send lawful basis across digital

26:16

marketing so I showed you earlier what

26:19

we were thinking on our logic but that

26:21

was more to deal with how we handle our

26:23

publisher and we were only one step away

26:25

from getting consent yeah it's like you

26:27

know first degree of separation second

26:29

degree but for other people in this

26:32

chain like the buyers they're quite far

26:34

away so it's quite difficult to get

26:35

consent and what this is this is a

26:37

framework it's a JavaScript API

26:40

and it uses JSON files and it sends

26:42

through Daisy bits the signals whether

26:46

you have requires consent or not or what

26:48

your lawful basis is across digital

26:51

advertising through the open RTP

26:52

protocol it's a really handy tool it is

26:55

publisher is the ability to choose which

26:58

vendors they want to access their

27:00

websites and be able to drop cookies for

27:02

example from their users when they use

27:05

these devices it gives them an insight

27:08

these publishers as to what the specific

27:10

terms for processing data is for these

27:12

vendors so then that publisher can

27:15

disclose it to their users when they're

27:17

making their choice of whether they want

27:18

to give consent or not and it also

27:20

provides an audit trail because by

27:22

sending us through on the protocol open

27:24

RTB a buyer can read that they have

27:26

consent and they can log that so later

27:29

if regulators come to them they can have

27:31

some information to show them know where

27:32

we're being compliant we're doing what

27:34

we need to do so these are some

27:37

resources and we looked at a lot of

27:38

things about gdpr and you know some

27:41

steps you can take there's another side

27:42

to this there are some companies in my

27:45

industry that have decided to leave the

27:47

EU rather than have to face this

27:49

regulation so one such company is Verve

27:52

they are a mobile marketing specialist I

27:54

think they had like one EU office and

27:57

what they did is they relied very

27:58

heavily on location data so they need a

28:02

location data they would segment

28:03

audiences based on where the user was

28:05

say interest or demographics and they

28:08

would use this and buyers would be able

28:10

to use this information to make

28:12

purchases to reach their target groups

28:14

but they thought as a business look

28:16

we're really far away from the user we

28:18

have probably one office here we'd

28:21

rather just close shop in the EU close

28:23

our one office and not face this fine

28:25

because it's gonna be very hard to get a

28:27

lawful basis and we rather just focus on

28:29

other markets it happens I think it

28:32

might happen a lot more as time goes on

28:35

drawbridge is another company same thing

28:37

they or across Identity Management so

28:39

they would be able to identify one user

28:41

on their phone to their laptop to

28:43

different devices they had the same

28:45

thought you know we're gonna be we're

28:46

very far away from the user we're likely

28:48

not going to get consent I mean as a

28:49

user would you want to allow a company

28:51

to match you to your devices what does

28:53

that do for you

28:53

you as a user I mean really so they

28:56

thought also you know what we'd rather

28:58

just cut our losses close shop not deal

29:00

with this and focus on other markets and

29:02

they're focusing more in the US now so

29:08

my question to you is I mean after

29:09

hearing all this are you ready for DDP

29:11

are your companies ready for GDP are

29:13

your gonna have a lot of talks in the

29:15

next two days about new innovations and

29:18

methods from fritatta

29:19

data warehousing machine learning

29:21

everything think about how gdpr can

29:24

apply to that and question how you how

29:26

the person presenting is thinking how

29:29

gdpr can be applied that you can be

29:31

compliant when you're your office next

29:33

week be aware of what you're doing are

29:35

you processing data are your colleagues

29:37

processing data has anyone made a new

29:40

product that has personal data and is

29:42

anyone running a data protection impact

29:44

assessment the gdpr is there for a

29:48

reason it's there to protect European

29:50

citizens of their given right protection

29:54

of their data and that's necessary and

29:56

businesses have to comply and they have

29:58

to make some changes but it's also up to

30:00

the employees to be vigilant about this

30:02

and to think about what their

30:03

responsibilities are this isn't just oh

30:06

a business might go under and close

30:08

their doors and be a headline and this

30:10

can affect you this also affects the

30:12

European citizens that work for these

30:13

businesses and they have get a paycheck

30:16

every every month to put food on the

30:18

table for their family so this actually

30:20

has an impact and can have it an impact

30:22

so it's really important that we get

30:24

this right that's my talk for today

30:28

thanks for listening

30:30

[Applause]

30:32

a question so we have plenty of time for

30:38

questions but on behalf of the PI data

30:39

commedia I have to ask one first you all

30:42

were able to sign up for an unfocus and

30:44

for pi data for this event and you were

30:46

able to opt out of receiving an email

30:48

did any of you opt-in right so I hope

30:56

the sponsors are listening and we may

30:58

not be able to send these emails to

30:59

sponsors this year I hope we're okay

31:01

with this people are smiling so that's

31:04

great I am I've got a microphone so if

31:07

anyone asks questions we have about a

31:09

good ten minutes for questions so Thank

31:15

You Michelle I was wondering how do you

31:18

deal with you EU citizens who are abroad

31:22

outside of the yeah that's tricky

31:24

so as we see it we only can do so much

31:28

you know we we only could be able to set

31:31

our compliance based on where the user

31:33

is so if they're in the US there's no

31:36

possible way we can know they're

31:38

European citizens so we kind of see it

31:40

as what are you gonna do you know we

31:42

have our logs to show they were in the

31:43

US what if they're using VPN I mean

31:46

maybe some people maybe you know use VPN

31:49

for some reasons I don't say that I do

31:50

but you know if you do yeah you're

31:52

hiding your IP address but then would

31:53

you actually go and and put a complaint

31:55

in because you're hiding your IP address

31:57

so that's a tricky question and I don't

32:00

see how you can be compliant or be able

32:04

to know somebody's a European citizen

32:05

living in the US I mean I'm an American

32:07

and Dutch citizen so I'm both right so

32:09

if I'm in the US and I'm trying to get

32:13

online here yeah technically I could say

32:15

we time at you citizen but MMI is my as

32:18

a citizen willing to say to whoever in

32:21

every website I'm at hey I'm a European

32:23

citizen watch out for me how much

32:24

information am I willing to give to a

32:26

company to say okay here's information

32:28

about me now you know well I'm already

32:30

than giving up data so it's a bit of a

32:33

you know double-edged sword there all

32:36

right thank you another thing maybe you

32:38

could elaborate on how the US government

32:40

is going to deal with this because I

32:42

believe if US company doesn't have any

32:46

look

32:46

inside Europe there's no regulation that

32:51

can be done at that point well that's

32:54

not the case I mean if there are

32:56

processing data of European citizens

32:58

they have to be compliant with the law

32:59

if they don't have any office they can't

33:02

set up a one-stop shop so they're kind

33:04

of in trouble what you'll probably end

33:06

up seeing I don't know really how the

33:08

regulators are going to start fining

33:10

people what they're gonna look at are

33:11

they gonna go for small companies or big

33:13

companies or European companies or

33:14

American companies I really don't know

33:16

how they're gonna approach this no one

33:18

really knows I mean we saw if you saw

33:20

yesterday already somebody find they

33:23

sued Google and Facebook for billions of

33:26

euros I mean personal Watson yeah okay

33:29

but in terms of regulation yeah they're

33:31

gonna have to comply so they might face

33:33

fines how can they actually they have to

33:36

show some way if they're considering GDP

33:38

our I mean I did get some some emails

33:40

from American companies saying hey can

33:42

we you know can we still send you emails

33:44

but not everybody I saw that today I was

33:47

still getting emails now they never

33:49

asked me anything about GDP our so it'll

33:51

be interesting to see how they approach

33:52

it from a regulatory and fine

33:54

perspective you'd have to wait and see

33:58

thanks for your talk since gdpr applies

34:03

to european citizens well you had your

34:06

location check do you foresee or already

34:10

see changes for people outside of the EU

34:13

for European citizens no for non

34:15

European citizens as an effect you maybe

34:18

simplify your business to apply the

34:21

rules all over the world so you mean for

34:23

like other governments will they put

34:25

rules in place no will people you see

34:28

companies changing their policies

34:32

globally um I think the bigger ones may

34:35

it could be it really depends on what

34:38

they're where where they work what's

34:39

their field so like in digital marketing

34:41

you have to use data right so if you're

34:43

doing it for the EU I know with us we're

34:45

looking if it's not a EU location we're

34:49

gonna go ahead and process the data

34:50

unless they opt out there are still some

34:52

rules about personal data so you if you

34:54

opt out wherever you are you can't you

34:56

know you can't process nada anymore I

34:57

don't know if companies are going to be

35:00

overly trying to do this every elsewhere

35:02

it really depends on what the economic

35:04

impact will be of this you know if

35:06

twenty or thirty percent of people

35:07

decide to not opt-in that's a big cut in

35:10

in revenues and that could impact the

35:12

economy and I'm also curious to think

35:14

about how the regulator's will react to

35:15

that there's another regulation that

35:17

might be coming out that's the privacy

35:20

regulation so it's a bit more than the

35:22

directive that we had it's still in

35:24

draft form but they're actually looking

35:25

at making browsers block all third party

35:28

cookies from defy default and this can

35:30

this can kill our industry if it goes

35:32

like this it's still in draft form so

35:34

it's really independent with the economy

35:36

economic reaction is because as much as

35:38

those regulators were voted in by

35:40

European citizens and sprung into action

35:42

with this if the economy goes down how

35:44

are they going to react because that's

35:45

also gonna affect European citizens

35:47

right so we'll have to see thank you

35:53

I was wondering so this applies to newly

35:57

collected data but yes it's any data as

36:04

of today so whether you collected it

36:05

last month or last year there's like so

36:08

Vincente an ass and they they had this