With the introduction of GDPR in Europe, ad operations professionals face many challenges. One important requirement is assessing whether advertising management software is compliant in how it handles highly sensitive information, especially when conducting activities such as bidding inventory management or customer billing.
Furthermore, Forrester Research explains that, in practice, GDPR impacts digital marketing and advertising in slightly different ways.
“If most marketing activities today (such as email, postal mail, SMS, etc.) already rely on some form of opt-in, digital advertising lives in a grey area where the need for consent is very much dependent on the type of activity/processing the marketing organization wants to carry out.”
But let’s start from the beginning in order to have a deeper understanding.
What is GDPR again?
The General Data Protection Regulation (GDPR) is a comprehensive data protection law to be enacted on May 25, 2017. The European Union will strengthen the protection of personal data and update the somewhat fragmented data protection laws in its member countries.
However, “personal data” is rather broad, isn’t it?
It’s simply any information that relates to an identified individual. For instance, John Smith, head of advertising operations at Acme Media, father of two who is currently paying his mortgage at Acme Bank.
This is different from identifiable individuals or “data subjects.” For example, someone at Acme Media who lives in London and has declared his interests in advertising operations.
In summary, GDPR will:
- Expand data privacy rights for EU individuals.
- Introduce data breach notifications.
- Enhance security requirements for organizations.
- Demand enhanced security safeguards for third-party customer profiling and monitoring requirements.
Salesforce explains that GDPR regulates the “processing” of data for individuals in the EU. This includes the collection, transfer or use of information, and any company that processes the personal data of European Union individuals must abide by it, whether or not it physically operates on the continent.
For those outside the European Union, GDPR will have binding rules for companies to legalize transfers of personal data outside the continent and will require companies to work with lead supervisory authorities regarding cross-border data protection issues.
The point is: it doesn’t matter if you acquired John Smith’s data while sitting in an office in Manila, with the information stored on a server in Singapore and managed by customer support in New York City. You must abide by it.
What GDPR expects from you
Ian Gotts, Founder & CEO of Elements.cloud, is adamant that GDPR applies to all organizations that:
- Hold or process personal data of subjects residing in the EU.
- Offer goods or services to EU residents.
- Monitor behaviors of EU data subjects.
Companies that work with third-party data must:
- Manage people’s information in a fair and transparent manner.
- Collect their personal data only for specific, explicit and legitimate purposes.
- Collect information that is adequate, relevant and limited to what’s necessary for their everyday business.
- Keep information accurate and up to date.
- Keep personal data only as long as it’s needed and delete it when the relationship is terminated.
- Use the appropriate technical and cross-organizational security measures to protect data against unauthorized processing.
Gotts adds that the most significant challenge, in particular for US companies, is that under GDPR customers must now give consent for their data to be used.
How ADvendio is supporting its customers
As a company with German roots, we have a good understanding of data protection. For the past 15 years we have actively addressed consumer privacy with our customers and partners, in compliance with the Federal Data Protection Act (Bundesdatenschutzgesetz or BDSG), which regulates the rights and obligations in connection with data processing. BDSG is very thorough and has helped us take care of most of the issues GDPR requires.
The business process of our customers involves the use of programmatic and delivery data for ad sales and targeting processes, both in our software and through a network of ad servers and exchanges. Our ad server integration helps us synchronize different levels of information reliably to and from third-party applications.
- Our team members have signed an obligation to comply with GDPR requirements and are obligated to actively ensure that no personal data is processed without authorization, regardless of where they are based.
- We are signing a Data Protection Agreement with our existing customers, which documents in writing the terms and conditions, obligations, and rights of our company and our commitment towards the confidentiality of their information.
- ADvendio is continuously developing its software and applications and managing its information to protect the security of its data and the privacy of its users and customers.
- We work both within our architecture and in line with third-party extensions’ own security measures for GDPR compliance, such as Oath (formerly One by AOL), Doubleclick for Publishers, Adswizz, and AppNexus. The majority of our ad server partners are actively participating in the IAB Tech Lab Technical Working Group.
Ad order management systems, Salesforce, and compliance
Publishers must manage not only the first- and third-party data they handle with their ad tech systems but also the data of their advertising customers.
An integrated, full-process order management solution can address what Forrester calls “the real burden” of data management, which challenges how most organizations record, manage and track the data they collect today and requires an extensive architecture of data management systems and processes.
As a multitenant ad sales order management software built on Salesforce, we can immediately provide our customers with their privacy and security updates upon release.
Today, Salesforce provides partners like us with transparency and control of customer data to accelerate compliance with regulations. The platform:
- Offers a rich set of features to meet obligations and allows customers to delete individual and corporate personal data, which is regularly synced.
- Introduces an Individual Object to track privacy preferences, so records can be identified, exported and deleted as soon as you receive a verified request to restrict processing.
- Integrates strong privacy commitments with a data transfer framework, ensuring that customers can transfer personal data outside the EU.
At ADvendio, we are bound by Salesforce’s Binding Corporate Rules, Privacy Shield Certification and the European Commission’s clauses to help customers legalize transfers.
GDPR implementation support with ADvendio and Salesforce
Complying with GDPR requires extensive preparation. That’s why it’s important to take these suggestions into consideration:
- Build a data inventory, down to the field level, of all the internal applications you work with for your ad sales operations, whether they’re programmatic applications, CRMs, ERPs or SSPs. For ADvendio / Salesforce, as an example, there are apps available on the AppExchange that can do this automatically.
- Identify all data fields in the data inventory that hold personal information and mark them down, as suggested by Gotts. For the objects and fields of ADvendio, we have already pre-categorized all fields.
- Ensure that all the data you keep has a reason to be there, whether it’s a contractual agreement, a consent form or another basis. As Gotts points out, this is an ideal way to start a re-engagement campaign to catch up with your customers and delete data that may be obsolete. Here’s where Salesforce’s leading Lightning Platform comes into play, helping you to store Customers’ Data Privacy Preferences.
- Train your team for GDPR awareness. All of your employees have to understand the principles to be GDPR compliant, so educate them on how to deal with it in their daily business. A good starting point would be this Trailhead module provided by Salesforce.
Although this regulation will drastically impact businesses around the world, we see this as a great opportunity to change the way everyday business is conducted for the better. At ADvendio, we are committed, with the support of Salesforce, to actively working on data security and personal privacy safeguards for future feature and integration releases, which we call privacy by design.