Keynote: Are You Ready for GDPR? - Michele Appello
Summary
TL;DR: In this talk, Michele Appello, a senior business director at Improve Digital, introduces her working paper, the 'GDPR Compliance Primer', written to guide digital marketing businesses through the General Data Protection Regulation (GDPR). She describes her own path into GDPR work, why compliance is necessary, and the potential impact on businesses, including fines of up to 20 million euros or 4% of global turnover for non-compliance. She outlines key definitions, the steps a business should take to prepare, and the importance of understanding data processing and the controller and processor roles within it. She also addresses the broader implications of GDPR for industry practice and the possibility that some companies will withdraw from the European market because of the regulation's requirements.
Takeaways
- 📄 Michele Appello, a senior business director at Improve Digital, authored a working paper called the 'GDPR Compliance Primer' to guide businesses in preparing for the General Data Protection Regulation (GDPR).
- 🌍 The GDPR is a European-wide regulation that affects businesses globally, regardless of their location, if they process the personal data of European citizens.
- 🔒 The regulation emphasizes the protection of personal data and the security of that data, introducing strict rules and heavy fines for non-compliance, including penalties up to 20 million euros or 4% of global turnover.
- 📚 Michele's deep dive into GDPR involved reading the regulation, understanding its implications, and creating a list of steps for her company to become compliant.
- 🏢 The digital marketing industry, which Michele represents, relies heavily on data such as cookie IDs and IP addresses, which the regulation treats as personal data, making GDPR particularly relevant and challenging for these businesses.
- 🤔 The GDPR raises questions about the role of businesses in data processing, distinguishing between 'controllers' who decide how data is processed and 'processors' who act on their behalf.
- 🔑 Key definitions under GDPR include 'personal data', which is broadly defined to include any information relating to an identifiable individual, and 'data processing', encompassing any operation on personal data.
- 🛠️ Michele's company undertook a comprehensive audit of its data processing activities and security measures, categorizing them by risk level and conducting data protection impact assessments for the high- and medium-risk ones.
- 📋 The talk highlights the importance of reviewing and amending existing contracts and privacy policies to ensure GDPR compliance, and the need to appoint a Data Protection Officer (DPO) in certain cases.
- 🔒 GDPR introduces the concept of a 'one-stop shop', where a business deals with a single Data Protection Authority (DPA) for compliance, simplifying the process for companies operating across the EU.
- 📢 The importance of staying informed and enforcing GDPR compliance within an organization is emphasized, including communicating with clients and vendors about GDPR policies and procedures.
Q & A
What is the purpose of the GDPR Compliance Primer mentioned in the script?
-The GDPR Compliance Primer is a working paper written by Michele Appello that sets out steps for businesses, particularly in the digital marketing industry, to prepare for and comply with the General Data Protection Regulation (GDPR).
What is the role of Improve Digital in the digital marketing ecosystem?
-Improve Digital is an ad tech company that operates in digital marketing. It functions as a sell-side platform, auctioning off ad space for publishers, broadcasters, and site owners.
What triggered the need for GDPR?
-The speaker traces it to the Charter of Fundamental Rights of the European Union, proclaimed in December 2000, whose Article 8 sets out the right to the protection of personal data. The 2013 Edward Snowden leaks about global surveillance programs then brought privacy concerns to the forefront and, in her account, spurred regulators into action, leading to the GDPR.
What are the potential penalties for non-compliance with GDPR?
-Non-compliance with GDPR can result in heavy fines up to the greater of 20 million euros or 4 percent of a business's global turnover, which can be detrimental to small to medium businesses.
What is the definition of personal data according to GDPR?
-Personal data, according to GDPR, is any information related to an identified or identifiable natural person. This can be identified directly or indirectly through identifiers such as name, identification number, location data, or online identifiers like cookie IDs and IP addresses.
What is the difference between a data controller and a data processor under GDPR?
-A data controller decides how and why personal data will be processed, setting the rules and having a level of ownership over the data. A data processor, on the other hand, only processes data on behalf of the controller and must follow the controller's instructions.
What is the significance of appointing a Data Protection Officer (DPO) under GDPR?
-A DPO is responsible for ensuring that an organization's data privacy responsibilities are met. The talk lists three cases where one must be appointed: where local law mandates it, where the business monitors data subjects on a large scale (Article 37 speaks of regular and systematic monitoring), or where it processes large amounts of sensitive personal data (the regulation's 'special categories'). The DPO has special protection under GDPR to maintain neutrality and perform the role without interference.
What is a Data Protection Impact Assessment (DPIA) and why is it important?
-A DPIA is a process of documenting and assessing the potential risks of a data processing activity or new product. It is important for ensuring compliance with GDPR and for identifying how to mitigate any risks associated with data processing.
What is the concept of a 'one-stop shop' in the context of GDPR?
-The 'one-stop shop' is a mechanism in GDPR that allows uniform application of the rules across the EU. For a business operating in multiple EU countries it gives a single point of contact: the lead Data Protection Authority (DPA) of the member state where the business has its main establishment, typically its headquarters.
How does GDPR affect businesses that operate outside of the EU?
-GDPR affects businesses outside the EU if they process the personal data of European citizens: they must comply regardless of where they are based, and failure can bring the same penalties as for EU-based businesses. Strictly, the regulation's territorial scope (Article 3) is framed around data subjects who are in the Union rather than around citizenship, which is why the talk's fallback check is on where the user is located.
What is the Transparency and Consent Framework developed by IAB Europe?
-The Transparency and Consent Framework is a standardized way to pass the lawful basis for processing personal data across the digital marketing ecosystem. It uses a JavaScript API and JSON files to communicate consent and lawful-basis signals through the open Real-Time Bidding (RTB) protocol, providing transparency and an audit trail for GDPR compliance.
Outlines
📊 Introduction to GDPR Compliance Primer
Michele, the Senior Business Director for Improve Digital, introduces herself and her working paper on GDPR compliance. She mentions her company's role in digital marketing and touches on recent events in Europe, including the release of the movie 'Solo' and the start of GDPR enforcement. She explains the scope of GDPR, its significance, and how it affects businesses handling European citizens' personal data, and shares an anecdote about her own journey with GDPR compliance, highlighting her proactive approach in preparing her company for the regulation.
📜 Background and Genesis of GDPR
Michele traces GDPR back to the EU's Charter of Fundamental Rights, proclaimed in December 2000, and its Article 8 on the right to personal data protection. She connects this to Edward Snowden's 2013 revelations about global surveillance, which heightened public awareness and concern over data privacy and, in her telling, spurred regulatory action. She explains GDPR's focus on data protection and security for European citizens, and outlines the significant fines for non-compliance.
🔍 Key Definitions and GDPR Impact on Digital Marketing
Michele defines 'personal data' and 'data processing' as the regulation frames them and explains why these definitions matter for digital marketing, where cookie IDs and IP addresses count as personal data. She stresses that each company must work out whether it is a 'controller' or a 'processor' and what each role entails, and notes that both controllers and processors are obliged to put in place technical and organizational measures for data security.
🗂 Steps for GDPR Compliance: Reviewing Data Processing Activities
Michele details the first step: reviewing and documenting all data processing activities and security measures. She shares her company's approach, including a comprehensive audit and a spreadsheet tracking each process, its purpose, whether personal data is involved, the lawful basis, and the company's role, colour-coded by risk level. She stresses that a company must understand every aspect of its data processing to identify risks and be ready for GDPR.
🛣 Creating a Compliance Roadmap
Michele explains the need for a compliance roadmap once the review is done. She walks through the logic her company used to handle user consent: the publisher asks the user through a consent manager, sends the sell-side platform a signal (opt-out, consent, or legitimate interest), and the platform only runs the auction and sends a bid request when there is a lawful basis, with a geo check when the signal is missing. She notes the complexity of aligning this with GDPR and the roles publishers and ad platforms play in it.
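The consent-gating flow the talk describes (the publisher sends 0 for opt-out, 1 for consent, 2 for legitimate interest, and an empty value triggers a check on whether the user is in the EU), written out as an added Python example. This is not the talk's or Improve Digital's code: the Signal names, the EU country set, the AdRequest fields and the decision to keep identifiers out of the log-only record are assumptions of this example, and it also treats any unrecognised value as "empty" so that a garbled signal can never be read as consent.

```python
"""Consent-signal gating for a sell-side ad auction (added example, not the talk's code)."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Signal(Enum):
    """Values the publisher can send, as described in the talk."""
    OPT_OUT = "0"
    CONSENT = "1"
    LEGITIMATE_INTEREST = "2"
    UNKNOWN = ""  # empty or missing value: something went wrong upstream


# Assumption: EU member states at the time of the talk (May 2018), ISO 3166-1 alpha-2.
EU_MEMBER_STATES = frozenset({
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE", "GB",
})


@dataclass(frozen=True)
class AdRequest:
    site: str
    cookie_id: Optional[str]
    ip: Optional[str]
    country: str  # assumed to come from a geo lookup on the IP before this point


def parse_signal(raw: Optional[str]) -> Signal:
    """Map the publisher's raw value onto a Signal.

    Anything that is not exactly "0", "1" or "2" is treated as UNKNOWN, so a
    garbled value falls through to the geo check instead of being read as consent.
    """
    if raw is None:
        return Signal.UNKNOWN
    try:
        return Signal(raw.strip())
    except ValueError:
        return Signal.UNKNOWN


def decide(signal: Signal, country: str) -> tuple:
    """Return (may_process, reason) following the talk's flow:
    1 or 2 -> process; 0 -> do not process; empty -> process only if the user is outside the EU."""
    if signal is Signal.CONSENT:
        return True, "consent"
    if signal is Signal.LEGITIMATE_INTEREST:
        return True, "legitimate_interest"
    if signal is Signal.OPT_OUT:
        return False, "opt_out"
    if country.upper() in EU_MEMBER_STATES:
        return False, "no_signal_user_in_eu"
    return True, "no_signal_user_outside_eu"


def handle(raw_signal: Optional[str], req: AdRequest) -> dict:
    """Either build the bid request that goes out to the DSPs, or keep a raw-log record only."""
    may_process, reason = decide(parse_signal(raw_signal), req.country)
    if may_process:
        return {
            "action": "bid_request",
            "reason": reason,
            "payload": {"site": req.site, "cookie_id": req.cookie_id, "ip": req.ip},
        }
    # No lawful basis: nothing leaves the platform. The record kept for the audit
    # trail deliberately carries no identifiers (a design choice of this example).
    return {
        "action": "log_only",
        "reason": reason,
        "payload": {"site": req.site, "country": req.country},
    }


# Constructed sample traffic (not real data).
SAMPLES = [
    ("1", AdRequest("news.example", "c-1111", "203.0.113.10", "NL")),
    ("0", AdRequest("news.example", "c-2222", "203.0.113.11", "DE")),
    ("", AdRequest("video.example", "c-3333", "203.0.113.12", "FR")),
    ("", AdRequest("video.example", "c-4444", "198.51.100.7", "US")),
    ("yes", AdRequest("shop.example", "c-5555", "203.0.113.13", "IE")),  # garbled signal
]


def run_samples() -> list:
    return [handle(sig, req) for sig, req in SAMPLES]


if __name__ == "__main__":
    for result in run_samples():
        print(result["action"], result["reason"], result["payload"])
```

The fail-closed handling of unexpected values and the identifier-free audit record are this example's additions; the talk only says that the opt-out case is written to the raw logs.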
🛡 Appointing a Data Protection Officer (DPO)
Michele discusses the DPO's role in GDPR compliance, outlines the criteria for appointing one and shares her company's experience hiring a DPO with both a legal and an engineering background. She emphasizes the DPO's neutral position and special protection under GDPR, which lets them focus on compliance without internal pressure, and the ongoing responsibility for maintaining data privacy standards.
📋 Data Protection Impact Assessments (DPIA)
Michele explains the purpose and process of a DPIA: documenting a processing activity in depth, assessing its risks and planning mitigations. She underscores that DPIAs apply both to the existing high- and medium-risk processes identified in the review and to every new product, so that compliance is maintained as the business keeps building.
📝 Reviewing Contracts and Privacy Policies
Michele highlights the need to review and amend existing contracts and privacy policies to align with GDPR: the organizational measures include updating contracts with vendors, clients and employees, and keeping internal and external privacy policies current. She advises working closely with legal teams and the DPO to keep all documentation compliant.
🏢 Establishing a One-Stop Shop with a DPA
Michele introduces the 'one-stop shop' and the role of Data Protection Authorities (DPAs): a single lead DPA simplifies compliance across multiple EU member states and gives uniform application of GDPR for businesses operating in several countries. She also discusses the implications of Brexit for this arrangement and the importance of following regulatory changes.
📚 Staying Informed and Enforcing Compliance
Michele concludes by stressing the importance of staying informed about GDPR developments and enforcing compliance within the organization. She describes her company's efforts to educate clients and vendors through compliance packets and open communication, advises businesses to monitor compliance proactively and handle breaches effectively, and points to resources for further reading.
Keywords
💡GDPR
💡Data Processing
💡Consent
💡Data Protection Officer (DPO)
💡Personal Data
💡Data Subject
💡Legitimate Interests
💡Data Protection Impact Assessment (DPIA)
💡One-Stop-Shop
💡EU Citizens
💡Digital Marketing
Highlights
Michele Appello, Senior Business Director for Improve Digital, discusses steps for GDPR compliance in digital marketing.
Introduction to GDPR (General Data Protection Regulation) and its importance for businesses processing personal data of European citizens.
Explanation of the GDPR's background, stemming from the EU Charter of Fundamental Rights and the influence of the Edward Snowden leaks.
Overview of key GDPR definitions: personal data and data processing.
Importance of reviewing and documenting all data processing activities and security measures for GDPR compliance.
Developing a roadmap for GDPR compliance, including steps and logic for obtaining user consent for data processing.
Necessity of appointing a Data Protection Officer (DPO) and ensuring they have the appropriate technical and legal background.
Creating Data Protection Impact Assessments (DPIAs) for high and medium-risk data processing activities.
Reviewing and amending existing contracts and privacy policies to ensure GDPR compliance.
Establishing a one-stop shop with a Data Protection Authority (DPA) for uniform GDPR compliance across the EU.
Importance of staying informed about GDPR developments and enforcing compliance within the company and with external vendors.
Discussion of the impact of GDPR on small and medium-sized businesses, and examples of companies exiting the EU market due to compliance challenges.
Resources for GDPR compliance, including the GDPR Compliance Primer and the Transparency and Consent Framework from IAB Europe.
Impact of GDPR on digital marketing, emphasizing the need for user consent and the potential economic implications.
Q&A session covering practical challenges and user perspectives on GDPR, including handling data of EU citizens abroad and the potential rise of VPN usage.
Transcript
Alright, hey everybody, my name is Michele Appello and I wrote this working paper. It's called the GDPR Compliance Primer, and what it does is it has some steps for businesses in my industry to take to help them better prepare for the GDPR. I'm also the senior business director for Improve Digital, and this is an ad tech company that works in digital marketing.

So before I start I just want to say there's a lot happening in Europe this week. I'm not sure if you're aware, Solo came out. I don't know, has anyone seen it? I haven't seen it yet, but I plan to. My Halloween costume last year was Chewbacca, that's me. But also new to Europe this week was the implementation and the enforcement of the GDPR, that's the General Data Protection Regulation, and this is something you've probably noticed in your inboxes, as Vincent mentioned, with all the emails about "please let us keep writing you and emailing you". This is a European-wide regulation for businesses, whether they're in Europe or not; it's about processing the personal data of European citizens.

So I'm going to talk about this today. I'm going to talk about my story on how I got involved with the GDPR, we'll go through the background, where it came from, and we're going to look at some key definitions so you can better understand this law, and we'll go through those seven steps as well.

So we're going to start with this photo. This was taken from the balcony of my office in January of 2017. This is when I started my deep dive into the GDPR, and for reference this is the same place taken last month, same photo, the same spot, so a building went up during this whole time. So back in January 2017 I was a bit concerned. I knew this GDPR was coming up; the regulation actually came out in May of 2016, so we were eight months into that two-year window to be able to prepare for the regulation.
So I asked my company, my management team, I said hey, what are we going to do for this? We're in digital marketing, I know we need to do something. And they said well, we're just going to wait and we'll see what the industry is going to do. And that really scared me, and that scared me because of the industry I work in.

So this is a kind of screenshot of digital marketing in Europe, and it can look a bit complex, you have a lot of companies here, so let's make it a bit easier. So in digital marketing you have sellers, you have companies like publishers and website owners, and they sell ad space, so they sell the space where the ads run. And you have buyers that buy ads on these spaces, and you have a lot of tech companies that provide tools. So you have data providers; they segment audiences based on demographics and interests and intent. You have tech providers that do viewability, to show if the ad can be seen, also brand safety providers, to see if the ad is safe, in a brand-safe environment. And you have buy-side platforms, which actually do the purchasing, like in a programmatic fashion through machines, and sell-side platforms, and this is where my company sits. We are a sell-side platform, so we auction off ad space for our publishers and broadcasters and site owners. We actually get a request, we send some information about the ad space: the website name, the cookie ID and the IP address. Those are important points for GDPR. And we send that bid request to the buy side, and then they respond with the response, and then we run an ad.

So what scared me was that in order for this all to work we need data, we need to use data, namely cookies and IP address, which I knew there was some problem with, with the GDPR. So I took a Friday afternoon at my office back in January and I read it, and yeah, it was a rough read. I'm not a lawyer, I don't like legal terms, but I read through the GDPR and I made a list of steps that my company could take to better prepare, and I made a presentation for my company, and it had information about the GDPR, here are these steps, here are the fines. I gave this presentation, and this was their reaction, from my management team. Actually my CEO said, well, this could be bad; if we don't get ready for this we might as well close shop and start selling bikes, or maybe even sell weed, because you know, we're not going to be able to survive if we don't prepare. And she was right: businesses really need to prepare for this and take some steps to assure they're going to be compliant and avoid the heavy fines. So
before we start talking a bit more on GDPR, let's look at the background, like where does this all come from. So in December of 2000 there is this document published by the EU, it was the Charter of Fundamental Rights, and this was a document that listed all of the basic rights of a European citizen, and in it there is an article that really closely ties into GDPR, and that's Article 8. And it says everyone has the right to the protection of personal data concerning him or her. Basic right. And it also says that such data must be processed fairly for specified purposes on the basis of consent or some lawful, legitimate basis laid down by law, and everyone also has the right to get information about the data that's collected on them and the right to rectify it. And this is really the basis of where this all stems from. Now this came out in December of 2000; yesterday the law was just enforced, this is 2018, that's 18 years later, right? So mind you, it came out in 2016, still 16 years is a long time. So why did it take that long?

Can I get a show of hands for anyone who knows who this is? Okay, yeah, I figured that. So this is Edward Snowden. He was a CIA official, an employee in the US, and in 2013 he leaked classified information about, yeah, these global surveillance programs that were being run by the US and the European government, and this really brought data privacy front and center into the public eye. You couldn't escape this, it was on the Internet, it was on the news, people held him a hero or a traitor, and it really made people start to think: what's happening with my data? I don't know what's happening, people are watching me and they're processing things and I never gave consent, and as a European citizen that's my right, I have that right, I have to give consent. And I think this is really what got those regulators to kind of spring into action and put some rules around to protect these rights. So that's where I think it really started to get some action behind it.

So what's the GDPR, the General Data Protection Regulation? We know that it's a European-wide regulation and it focuses on the protection of data, of European citizens' data, and the security of that data, so privacy. And like I said, this is for any business that is either inside or outside the EU; you could be based in the US or another country. If you're processing the data of European citizens you must have a lawful basis, and if you don't you can face some heavy fines. And the difference between this regulation and other directives that have come out in the past is that with this one, it has some teeth. So we had the ePrivacy Directive that came out a few years back, this actually hit the Netherlands quite hard, but that was more of a directive, so every member state, every country can regulate it on their own and decide what fines there were. These fines are European-wide, and the fines can be up to the greater of 20 million euro or 4 percent of the business's global turnover. This is huge; this can actually shut down small to medium businesses. My company is a small to medium business, so again this is a bit scary for me. And there is this company, this global analyst firm Ovum, and they did some research with Intralinks, and they found here 52% of global IT decision makers thought they would be fined due to the GDPR, and they also found that two-thirds of those companies thought they're going to have to change their European strategy because of GDPR. So this is something not to take lightly, and you really, as a business, need to understand what your roles and responsibilities are and make sure that you're compliant. So let's look at some key terms and definitions within the GDPR.
First one: personal data. So GDPR defines personal data as any information related to an identified or identifiable subject, that's a data subject, a natural person, and they can be identified directly or indirectly through the use of things such as a name, an identification number, location data or online identifiers. Online identifier is very big for my industry; again, we use cookie IDs and IP addresses, these are considered personal data. Also things considered personal data: advertising ID, device ID, Android ID, IDFA. Any online identifier is considered personal data. So now, understanding this definition of personal data, can I get a show of hands: do you or your business deal with personal data? Okay, quite a lot.

Next definition: data processing. So data processing is defined as any operation or set of operations performed upon personal data, be it automated or not. So it doesn't have to be manual, it could be any kind of automated, and this includes things such as collection, recording, structuring, dissemination, disclosure by transmission, so sending it out elsewhere, sharing it, deleting it. Anything you do, any set of operations with personal data, is data processing. So one more time, a show of hands: how many of you or your businesses are doing data processing? Okay, quite a good amount. So GDPR is going to apply to you and your business.

Something else to consider about GDPR is what is your role in processing data. So are you a controller or are you a processor? Now controllers decide and determine how data is going to be processed; they set the rules, they have the ownership, whereas a processor only processes data on behalf of the controller. So this would mean that controllers under the GDPR have to provide a set of rules to processors on what they can and cannot do with their data. There is an article in GDPR, it's Article, I think, 32, and it says that both controllers and processors must put in place the technical and organizational measures to ensure that there is proper security appropriate to the risk. Now what this means is that both controllers and processors are liable under the GDPR. They both must build whatever technical things are necessary to be compliant and they must have their organizational measures; these are your contracts, contracts with vendors, contracts with your clients, maybe even with your employees. So something also to consider: it's not just the controller, if one person gets fined in the chain everybody can get fined.
Now the GDPR has a set of lawful bases for processing personal data. I'm not going to go through all of these; if you want to take a photo, fine, but it's a lot. So the ones that my company is looking at, my industry, the main ones are consent, so data subjects giving consent for the processing of his or her personal data for specific purposes. Very important here: you need to list what those purposes are, so you can't say hey, can we have your consent to process data for this reason, and then do something else with it. That's not allowed. And another reason, another lawful basis, is about legitimate interests. So legitimate interest is a bit of a gray area, we don't know how this is going to be regulated, but what it means is that it's about pursuing an interest: a business has to pursue a legitimate interest, or the controller has to pursue a legitimate interest for their business, and they'll be able to do this as a lawful basis if that does not override the rights of European citizens. It's a very gray area, so some businesses are choosing to use this, some are not. My company is looking at consent, because for us consent is clear: either you have consent or you don't.

And these are the steps I wrote and I created for my company, and what they can do to better prepare for GDPR, and we're going to go through them and I'm going to give you some examples where I can on what we've done.
So the first step, and a very, very important step: review and document all your data processing activities and security measures. You can't know if you're compliant or ready to deal with the law about data and security if you don't know what you're processing and what your security measures are. You need to do a full audit and really deep dive into everything you're doing. So this is what my company did. You're not going to be able to read this, but in short, after that meeting I had with the management team I sat with our CTO, we identified five people at our company that combined could list all of the data processing activities that we do, and I made an Excel sheet and I sent it out to each of them, and it had questions in there like: what is the process, why are we processing data, are we sending the data elsewhere or outside of the EU (there's also laws in GDPR about cross-border transfer), does the data contain any personal data, do we have a lawful basis for processing the data, what is our role. So all of these things we had to consider. I got the information in the spreadsheet and I plugged it into a master sheet and I color-coded it.

Now things you could think about from a data professional's point of view: if you're doing data mining, or your company's data mining, where are your sources, do those sources have a lawful basis for getting the personal data? And data warehousing: where is it being housed, is it inside or outside the EU, do you have all the security measures in place that you need? So these are things you need to think about, even big data analytics: who has access to this data? You have to think about accessibility and restricting it to a need-to-know basis.

So after I do this first color code, what this is saying is what's high risk, low risk and medium risk. So for example the green would be low risk: maybe there's no personal data or it's completely anonymized, then we're okay. The yellow or the red, that's something we need to dig further into; either we'd have to build something or put some contractual things in place to assure we're compliant. So we did this, and also for these reds and yellows we did something called a data protection impact assessment, which I'll get into in a bit. That's really a deep, deep dive into this process and it lists everything, which is a very handy tool for regulators. Next step.
So you've done all your review, you know all the data that you have, great. Now you have to create a roadmap: what are you going to do, what do you need to build in order to prepare for this regulation and be compliant? Now I can't show you our roadmap, but I'm going to show you a little bit of logic on something I wrote. It really was just trying to think about how we're going to handle this. So my business, like I said, we auction off ad space, and in doing so we don't have first contact with the user or data subject. We can't get consent and ask the user, hey, can we process your data, because we don't speak with them. Our publishers do, and our website owners do, and our broadcasters do, so we needed them to ask for consent for us and somehow send it in some kind of signal. This is just a basic table to show, okay, what value can a publisher send us. If we get a 0 that would mean opt out, so we can't process the data, or no consent. And then if you get a 1 or a 2, that means a lawful basis: that means that they have opted in, we can process the data, or the publisher has chosen legitimate interest, then we'll go ahead and process.

Let me actually make this a bit easier. This is a little flow I made. You've got the user here, and so they start off and they go to the publisher website and they get a little consent manager question: hey, we're going to do this stuff with your data, here's our purposes, can we process it and can our vendors process the data? They make a choice. The website then sends us a signal, we're the ad monetization platform, and based on that signal, based on the value we receive, we make our choice. If we receive that 1 or 2, so that's a consent or legitimate interest, we go ahead and we run our ad auction, which requires sending a bid request out to the DSPs with some information, personal data; they respond and we run an ad, because here by sending out this bid request we're processing data. Now if we were to get a 0, no consent or opt out, then we don't process. We do raw log it in our raw logs, just to show that we haven't gone any further, but we're not sending it out or doing anything else with it. And then what if we get an empty value, what if something went wrong? Then we just get an, oh well, we have to do an extra check: we have to see where is the user, because it's about European citizens. So if the user is in the EU then we don't process the data, but if they aren't in the EU then we can process the data. This is a very simple, basic logic, I'm not a professional, but it's just some way to think about how we were thinking about this from our point of view and what we do in the industry. And there's also actually some more standardized ways to do this that actually help the lawful basis be sent across the digital marketing ecosystem, because this is just for us to receive from our publisher; we'll get to that in a bit. Another step: appoint a DPO, or
a bit another step appoint a DPO or
Protection Officer so a Donna Protection
Officer or dpo is responsible for
rolling out the compliance for a
business on their data privacy
responsibilities so like the gdpr in the
regulation states there are three cases
where a business must hired EPO so one
is if the local laws require it another
is if the business is monitoring data
subjects on a large scale and another is
if the business is processing large
amounts of sensitive personal data a
sensitive personal data is actually even
more restricted on a gdpr I couldn't get
into it in this talk because I would be
going on forever but you could talk to
me after I can talk to you about that so
my business we we do the large a large
amount of monitoring because we do these
ad requests and we're talking billions
of ad requests so this is at scale so we
had to hire a DPO and we hired somebody
who actually is really great because
he's not only someone with legal
background but he used to be an engineer
so I would request or I would say to you
if you're looking for dpo try to find
someone with a good mix of that tech and
legal it'll be very handy when you're
looking to build things later now under
the GPR actually add EPO has special
protection like a business can't fire a
DPO for how they perform their job and
they can't yeah
put any kind of fines or infringement
sar them for doing something within
their role and this is very important
this means that a DPO can remain neutral
so imagine a business is really wanting
to make more revenue and they want to
get products out fast and they want to
build and release and build and release
and they're not really having first in
mind
daata responsible you know GDP our
regulations and responsibilities where
the DPO they're first and foremost you
know responsibility is compliance so by
having that special protection they can
do their job and not worry about the
politics that they might face another
step create data protection impact
assessments so this is I mentioned this
earlier when we have the high and medium
risks things and what this is it's a way
to document your process even further to
really
get everything down what it is it
assesses any risks that you might be
facing with this process or new products
this is also important by the way for
after you do your review you're going to
continue to go as a business so you're
still going to make new products so
every new product you make you have to
ensure that it's not going to break the
law so that's why by doing this document
you see how you're going to mitigate
your risks how are you going to deal
with any risks you set a plan you list
your business code of conduct and in
there you even have a conclusion and
this is a very handy tool to have
because if regulators come knocking on
your door and say what are you doing
with gdpr
You could say, I'm doing a lot, look, and hand them a stack of paper, and they can see everything that you've already done that was high risk, medium risk, what you're going to build, how you thought about GDPR and how you're going to assure that you're compliant.

Next up: review and amend all your existing contracts and privacy policies. This falls under the organizational measures that I mentioned earlier. So your contracts: you have contracts probably with vendors, with your clients, even your employee contracts. You need to review all that just to make sure that everything in there is still making sure you're compliant with the law. This is something that your legal team or your DPO would handle, probably not you as having to do it. And also your privacy policies. Well, your privacy policy is how your business internally handles data: what they do, what are your internal rules, what can you and what can't you do. So as an employee you can't dig into people's personal data and send it out to friends, yeah, basic thing. So you might need to review your privacy policies and make sure that they're in line with the regulation. And there are also privacy notices; this is your external facing privacy policy, so what you have on your website, what are you telling your users. You might have to review, and you'd probably have to amend that as well.

Establish a one-stop shop with a DPA. Well, what's the one-stop shop and what's the DPA? First, the DPA: they are the government regulators. This stands for Data Protection Authority, so they're the ones that will be coming and knocking on your door and either putting fines or asking about your compliance. And the one-stop shop, this is a concept that was introduced under the GDPR, and this allows for a uniform application of your compliance across the EU. I'll explain why.
So under GDPR, you know, they tell you what you need to do. They tell you that you have to have a lawful basis to process personal data, but they don't tell you exactly how to do it. There are some things that are left for interpretation, so each member state or each country can interpret things differently. So imagine you're a business operating across Europe, and your DPO would have to go to every single DPA, so one in every country or member state, and say here's what we're doing. And you may have a few that say that's great, works for us, but maybe two or three countries say, well, I want you to change this, I want you to tweak this, this isn't really, we don't interpret it as being compliant. So what does that mean? As a business you then have to build segments and different parts of your products to go for each country or member state. It's not scalable, it doesn't make sense.

So GDPR allows for this one-stop shop, and what it is is your DPO would go to the DPA, data protection authority, in the place that you have your headquarters. So you have to have a headquarters in the EU in order to do this. They would go and speak to the DPA in the location of your headquarters, and that DPA then becomes the lead DPA, and it's up to that lead DPA, that regulator, to roll out your compliance across the EU. That gives your DPO one point of contact and not having to go to many different people, so it's a very handy tool. So if you're operating in multiple countries and member states, and if you have a headquarters in the EU, you really should consider, strongly consider, establishing a one-stop shop. Now if you're operating in multiple member states but you don't have a headquarters in the EU, you can't set this up, so that's a bit tricky. And you may think, well, what about Brexit, what about the UK, they're leaving? Well, right now they haven't left. We don't know what the rules are about their leaving, what the agreements are going to be. So for now, if you have a headquarters, say, in London, it should be okay. After Brexit, I can't tell you, you have to wait and see what they say.

And the last step is to inform, stay informed and enforce. So what this means is you need to speak with your clients and your external vendors and let them know what you're doing and what your approach is to the GDPR. What my business did is we sent out compliance packets for GDPR to our publishers to let them know what our approach is and what they can do and what signals they need to send us. And you also need to think about enforcement as a business: what will you do if you're dealing with a vendor and you have your contracts in place, but they break them, they do a breach, they do something against your contracts or your GDPR? How are you going to enforce that? How as a business will you enforce if an employee breaks your privacy policy? Just things to consider. You should document and really be prepared to put in place to protect you and to protect your business.

Now, this URL here, iabeurope.eu, this is where you can get some resources about the GDPR. Back when I did this presentation, I took these steps and I went to IAB Europe. IAB Europe is an association, the leading European association on digital marketing, and I was in their privacy taskforce, which looked at regulations, and I said, can we put something out for the industry, something that they can use as a tool to help prepare? So I gave them these steps and we created the GDPR Compliance Primer and put this out. It's available on the website. And since then they also created this thing called GIG, it's the GDPR Implementation Group, and they produced a lot more working papers. They have one on consent, data subject requests, personal data, controllers and processors. So something you might want to have a look at if you're interested in reading up more on the GDPR
and, you know, what we're doing and some tools for you.

Also, this is the Transparency and Consent Framework. So IAB Europe decided to make a standardised way to send lawful basis across digital marketing. I showed you earlier what we were thinking on our logic, but that was more to deal with how we handle our publisher, and we were only one step away from getting consent, yeah, it's like, you know, first degree of separation, second degree. But for other people in this chain, like the buyers, they're quite far away, so it's quite difficult to get consent. And what this is, this is a framework. It's a JavaScript API, and it uses JSON files, and it sends through daisybits the signals whether you have required consent or not, or what your lawful basis is, across digital advertising through the OpenRTB protocol. It's a really handy tool. It gives publishers the ability to choose which vendors they want to access their websites and be able to drop cookies, for example, from their users when they use these devices. It gives these publishers an insight as to what the specific terms for processing data are for these vendors, so then that publisher can disclose it to their users when they're making their choice of whether they want to give consent or not. And it also provides an audit trail, because by sending this through on the protocol, OpenRTB, a buyer can read that they have consent and they can log that, so later if regulators come to them they can have some information to show them: no, we're being compliant, we're doing what we need to do. So these are some resources.

And we looked at a lot of things about GDPR and, you know, some steps you can take. There's another side to this. There are some companies in my industry that have decided to leave the EU rather than have to face this regulation. One such company is Verve. They are a mobile marketing specialist. I think they had like one EU office, and what they did is they relied very heavily on location data. So they needed location data; they would segment audiences based on where the user was, say interests or demographics, and they would use this, and buyers would be able to use this information to make purchases to reach their target groups. But they thought, as a business, look, we're really far away from the user, we have probably one office here, we'd rather just close shop in the EU, close our one office, and not face this fine, because it's gonna be very hard to get a lawful basis, and we'd rather just focus on other markets. It happens. I think it might happen a lot more as time goes on. Drawbridge is another company, same thing. They do cross-device identity management, so they would be able to identify one user on their phone, to their laptop, to different devices. They had the same thought: you know, we're very far away from the user, we're likely not going to get consent. I mean, as a user, would you want to allow a company to match you to your devices? What does that do for you as a user? I mean, really. So they thought also, you know what, we'd rather just cut our losses, close shop, not deal with this and focus on other markets, and they're focusing more in the US now.

So my question to you is, I mean, after hearing all this, are you ready for GDPR? Are your companies ready for GDPR? You're gonna have a lot of talks in the next two days about new innovations and methods, from [inaudible], data warehousing, machine learning, everything. Think about how GDPR can apply to that, and question how the person presenting is thinking how GDPR can be applied so that you can be compliant. When you're in your office next week, be aware of what you're doing. Are you processing data? Are your colleagues processing data? Has anyone made a new product that has personal data, and is anyone running a data protection impact assessment? The GDPR is there for a reason. It's there to protect European citizens' given right to protection of their data, and that's necessary, and businesses have to comply and they have to make some changes. But it's also up to the employees to be vigilant about this and to think about what their responsibilities are. This isn't just, oh, a business might go under and close their doors and be a headline; this can affect you. This also affects the European citizens that work for these businesses, and they get a paycheck every month to put food on the table for their family. So this actually has an impact, and can have an impact, so it's really important that we get this right. That's my talk for today. Thanks for listening.

[Applause]
A question. So we have plenty of time for questions, but on behalf of the PyData committee I have to ask one first. You all were able to sign up for [inaudible] and for PyData for this event, and you were able to opt out of receiving an email. Did any of you opt in? Right. So I hope the sponsors are listening, and we may not be able to send these emails to sponsors this year. I hope we're okay with this. People are smiling, so that's great. I've got a microphone, so if anyone asks questions, we have about a good ten minutes for questions. So thank you, Michelle.

I was wondering, how do you deal with EU citizens who are abroad, outside of the EU?

Yeah, that's tricky. So as we see it, we only can do so much. We only could be able to set our compliance based on where the user is, so if they're in the US there's no possible way we can know they're European citizens. So we kind of see it as, what are you gonna do? You know, we have our logs to show they were in the US. What if they're using a VPN? I mean, maybe some people, maybe, you know, use a VPN for some reasons, I don't say that I do, but you know, if you do, yeah, you're hiding your IP address. But then would you actually go and put a complaint in, because you're hiding your IP address? So that's a tricky question, and I don't see how you can be compliant or be able to know somebody's a European citizen living in the US. I mean, I'm an American and Dutch citizen, so I'm both, right? So if I'm in the US and I'm trying to get online here, yeah, technically I could say, hey, I'm an EU citizen. But am I, as a citizen, willing to say to whoever, on every website I'm at, hey, I'm a European citizen, watch out for me? How much information am I willing to give to a company to say, okay, here's information about me? Now, you know, well, I'm already then giving up data. So it's a bit of a, you know, double-edged sword there.

All right, thank you. Another thing, maybe you could elaborate on how the US government is going to deal with this, because I believe if a US company doesn't have any location inside Europe there's no regulation that can be done at that point.

Well, that's not the case. I mean, if they are processing data of European citizens they have to be compliant with the law. If they don't have any office they can't set up a one-stop shop, so they're kind of in trouble. What you'll probably end up seeing, I don't know really how the regulators are going to start fining people, what they're gonna look at, are they gonna go for small companies or big companies, or European companies or American companies. I really don't know how they're gonna approach this; no one really knows. I mean, we saw, if you saw yesterday, already somebody filed, they sued Google and Facebook for billions of euros, I mean [inaudible], yeah, okay. But in terms of regulation, yeah, they're gonna have to comply, so they might face fines. How can they actually, they have to show some way if they're considering GDPR. I mean, I did get some emails from American companies saying, hey, can we still send you emails? But not everybody. I saw that today, I was still getting emails, and they never asked me anything about GDPR. So it'll be interesting to see how they approach it from a regulatory and fine perspective. You'd have to wait and see.

Thanks for your talk. Since GDPR applies to European citizens, well, you had your location check, do you foresee or already see changes for people outside of the EU? For European citizens? No, for non-European citizens, as an effect. You maybe simplify your business to apply the rules all over the world. So you mean, like, other governments, will they put rules in place? No, will people, you see companies changing their policies globally?

Um, I think the bigger ones may. It could be. It really depends on what they're, where they work, what's their field. So like in digital marketing you have to use data, right? So if you're doing it for the EU, I know with us we're looking, if it's not an EU location we're gonna go ahead and process the data unless they opt out. There are still some rules about personal data, so if you opt out, wherever you are, you can't, you know, you can't process the data anymore. I don't know if companies are going to be overly trying to do this everywhere else. It really depends on what the economic impact will be of this. You know, if twenty or thirty percent of people decide to not opt in, that's a big cut in revenues, and that could impact the economy. And I'm also curious to think about how the regulators will react to that. There's another regulation that might be coming out, that's the ePrivacy Regulation, so it's a bit more than the directive that we had. It's still in draft form, but they're actually looking at making browsers block all third party cookies by default, and this can kill our industry if it goes like this. It's still in draft form, so it's really dependent on what the economic reaction is, because as much as those regulators were voted in by European citizens and sprung into action with this, if the economy goes down how are they going to react? Because that's also gonna affect European citizens, right? So we'll have to see. Thank you.
I was wondering, so this applies to newly collected data, but...

Yes, it's any data as of today. So whether you collected it last month or last year. There's like, so for instance, a company had this email data they got before GDPR, right? So what are you gonna do with that, can you send it out? Well, no. I mean, it depends on what your terms are; I'm fully aware that I'm not gonna, I would talk to a lawyer. I think, yeah, by sending it out, that would be, even if you collected it two weeks ago, two months ago, a year ago. Well actually, also, under the GDPR you're not supposed to hold data for that long. You have to only hold data for as long as it's really required, as long as you need it for. So a lot of companies also are getting rid of data after like 90 days or 30 days where possible. With us, like, our cookies get refreshed every, I think, every 30 or 90 days as well. But yeah, it's from today, so if you collected it a month ago it still applies.

Again, so for being GDPR compliant you make the split between checking whether somebody's in the EU or not, so that people outside of the EU you can treat more laxly, right? I presume many companies will do this. Do you expect a rise in a market for VPN tunnels into the EU, maybe?

Maybe, but yeah, I mean, I use a VPN a bit, so I don't know. I mean, how would that be advantageous for a citizen? So as an EU citizen? Oh, as an EU citizen, oh, I don't know. I don't know if they really care so much. I mean, I think there's a lot of other issues happening, especially in the States right now. I don't know if they really want to try to find, because they'd have to also show, if they're, we check whether you're in or outside the EU, but if they were to use a VPN to say they're a European citizen and then they decide to not opt in, they'll just won't have their data processed. But would they be on an EU site anyway, not being from the EU? Is it a site they normally go to? And if they went to a site as an EU, right, with the EU VPN or IP address, and a site wasn't handling it properly, if they're not a citizen they can't actually sue, so they can't actually go after it. So I don't, I don't think that's gonna, personally I don't think, you know, people in the US, there'll probably be some, I'm sure there's people out there that are gonna try to milk this for everything, but yeah, I don't think it's gonna be a huge thing, but maybe. See.

Hi, I'm just really curious what's your opinion from a user point of view?

Okay, so from a user point of view, now mind you, I've been in digital marketing for 18 years, I've been doing this since 1998, so I'm very strongly for digital marketing. And when I started in digital we weren't using data like this. I think that our industry, you know, some players were quite bad and got it wrong, and were collecting data and throwing malware and doing bad things. But I think from a basic perspective, what I know, what happens in digital marketing, a cookie ID, IP address, to say that's personal data, to me seemed a little bit, you know, a reach. But they had to find some way to set a regulation. I think it's quite strict. I know, you know, you need to protect people's personal data, it's your basic right, I get that, but I just feel like it could have been done in maybe a bit of a lighter way. Maybe this will be okay, but let's see what the next regulation is. I'm more worried about that, about the ePrivacy Regulation, because if that gets layered on top of this, there's also something like conflicting information in both, you know, that can really stifle the industry. I don't care if I'm retargeted with an ad. I know it can be annoying, but all you need to do is delete your cookies. It's pretty simple, like, you know, just delete it. IP address, not that important to me if someone can read my IP address, you know. But if they somehow, there are companies that take all this data and they're able to map it and they can get a clear picture of me, I'm not sure if I'm okay with that. I'd like to know they have that clear picture, and I'd like to be able to delete it. So like with Google, for example, you can go and you can see what information they're using, and you can say don't use this, don't use this, don't use this. Like, I don't have my map history logged, I don't have my, I don't have my history in Skype on there, I don't want people checking. So I just, you know, I'm very conscious about what I allow and what I don't allow, and I think everyone should be as well.

Still time for a few more questions.
Oh, my name is Alexander, and I was wondering about the following. GDPR requires companies to hire a DPO, and I was wondering, is it possible to outsource the DPO to some other company, or...?

Yeah, you can have a DPO that's a consultant, and you can have a DPO that's a DPO for multiple countries, for multiple companies, as long as that DPO can do their role across all and without any conflicts. You can do that, you can have a consultant as well; you don't need to have them in house. But depending on how big your company is and, you know, what you need to do for compliance, you might want to consider which is best for you, you know, as a business. But there are many more that are coming out now, a lot of DPOs. You'll see probably ads for them and everything, like, hey, hire us, because it's gonna be quite a big thing. I don't know how many are out there now. I know you have to get certifications, so there's like two sets of certifications for DPO. I looked at one of them, I haven't taken a test yet, I might, because some of the information I think I'd be okay with. But yeah, it's not easy. But if you're looking for one, again, I think the ones that'll be most successful, that might be hired by most businesses, are if they have that mix of technical knowledge and legal knowledge, and I think it's gonna be rare to find that, because usually it's just gonna be legal guys, and if they can't understand what your industry is and your business, yeah, it's gonna be very stuck, it's gonna be hard to communicate.

Thanks for the wonderful talk. So how do you define completely anonymized?

So anonymized data means that you have removed everything that can make it personal data, you know, any identifiers, everything, and you've taken it out and you could never bring it back in. And that's the difference between anonymized and pseudonymized. If you pseudonymize the data, you can pull out all your personal data and you can store it elsewhere, then you can always bring it back with the key, yeah. So I know GDPR, if you're pseudonymizing data that's good, but you still need to be compliant under GDPR. If you're anonymizing it, well, there's no personal data in there, so you're not doing that data processing, so you're fine. But you really need to look and make sure that you can't bring that back in ever, like it's gone, no identifier of any kind.

Thank you for the talk. You already mentioned, you already gave an example of a company that made the decision to, okay, it's not worth the effort, we're closing shop in the EU. Do you have the feeling that in general this regulation might push small businesses out of the European market and make larger companies sort of stronger by this?

I think it could make some larger companies stronger, yes. Now whether this means that smaller businesses will exit the EU, I think it depends on what those businesses do. So the examples I gave, they rely on personal data fully for their business. So if there's 20 or 30 percent of people that decide to not give consent, and they have to use consent, for example, that's directly coming out of their bottom line. So it's really gonna depend on what their role is in processing data and how much they really need to use personal data. But also it depends on what the regulators are going to do: are they going to go after the smaller businesses or the big ones? You know, it's much better for the press if they go after the big ones, but the big ones also will have bigger legal teams and it'll be a much longer battle. I think ones that are in a gray area, that really rely on just, like, location data and personal data to function, yeah, some might end up leaving if they have other markets that they're still working on, that they can thrive in, like these. Yeah, they might just cut their losses and see.
Do you get a feeling about how much people will opt out after we are asking for consent?

So for the data, I'll talk about the data, the standard framework, right? So they did some research on that. That's the way where you send everything straight through. It depends on how publishers ask for it. What they found is, if you show them what you're doing with their data and you give them an option to global opt-in, so global opt-in is all the people that I work with at my publisher, as a publisher I work with like 30 vendors, so I'm giving a global opt-in, so those 30 vendors also get consent, you know, oh, say also they could do it elsewhere, so not just with this website. And they found that most users do click yes; it wasn't that there were a lot of opt-outs. And you can do it in layers. It's like a layered notice, where you can have first, I accept everything, or let me find out more information, and then here are all the vendors and you can check one by one who you don't allow, or you could say, okay, no, not everyone. It makes it easy to opt out or to not opt in. It really depends on the user; it's hard to say. I don't think there's gonna be a huge amount. There's gonna be a certain group that's gonna be like, no, but maybe they're also using ad blockers at this point, and if they're using ad blockers they probably don't care. They might even have a block from seeing the question, because they're blocking pop-ups, you know, which is actually interesting, because if you have a popup blocker and you don't get the information about the processing of your data, then who is liable there? Is it the company that, the site that you're on, that they're trying to show you this but they're not able to? How are they gonna approach that?

If, let's say, 20 or 30 percent, it's not a majority, but people still choose to opt out, does it imply those people don't want to be in [inaudible], or a big group of people that you want to feature?

Well, what it basically implies is that those people don't, either they don't like the purposes they're reading, hopefully they've read through what the information is and what's happening with their data, and they don't just click no, which implies that they don't want to deal with it, they don't want processing. Now what's gonna happen if that happens, 20, 30 percent, say, in digital marketing? Well, websites need digital marketing, need advertising in order to function, to produce their content. The internet is not free. So will you see that maybe publishers losing revenue and shutting down? Well, maybe you'll see that users start going to a lesser amount of websites. So, you know, maybe less clickbait: when you go on Facebook and you click on all these articles and then you go to a page with like 30 ads, that's a bit ridiculous. You know, I wouldn't necessarily give my consent for those sites. So maybe you'll have more users becoming loyal to certain, I guess, their news feeds and everything. Yeah, that's what I think.

There's probably plenty of other questions that could be asked, should be asked and will be asked, but not now, because now it's time for a small break and switching rooms. But before we do that, please give one final round of applause.

[Applause]