May 10, 2018 | by Alexian Chiavegato

GDPR is Upon Us, Ready or Not

The great European experiment to regulate data privacy is about to begin. You’ll either be ready for it or you won’t be. But you can’t say you weren’t warned: the powers that be in the European Union have prepared, debated and publicized the General Data Protection Regulation (GDPR) for four years. It’s nothing if not a colossal attempt to “harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy.”

As for the basics, GDPR protects the data privacy rights of any individual physically based within the geographic boundary of a European Union (EU) country who happens to be accessing the internet or apps via computer, laptop, or smartphone. This applies to EU citizens and non-citizens alike.

Obviously, this whole thing about GDPR jurisdiction can be very tricky. The official language reads that GDPR will apply to the processing of personal data by businesses established within the EU. It will also apply to businesses outside of the EU if their data processing is part of the offering of goods or services to individuals within the EU (or to the monitoring of those individuals). Even though this law took four years to come into effect and brings such clear rules to protect end users, the words “processing,” “established” and “monitoring” could keep attorneys in business for a few more years.

As a publisher outside of the EU, it would make sense not to ignore GDPR, especially if you would ever want to do any business in the EU. Besides, it could be a good idea to use GDPR compliance as an opportunity to authenticate your digital ecosystem and learn where your data may be exposed. It is always better to be safe than sorry. Knowing what’s happening in your digital environment, from vendor execution to data tracking, should be appealing to publishers as a basic business practice, especially within the EU. Data processors and data owners are equally liable. And the fines for violating GDPR will max out at 20 million euros or 4% of the company’s global revenue, whichever is higher.

Despite being a new obstacle in the way publishers conduct business, GDPR’s goal has to be viewed as laudable. People should be provided stronger individual rights and control over their data and privacy. This obviously puts tremendous pressure on operations teams and their dealings with management. Communication channels will have to be strengthened both ways to ensure data is GDPR compliant yet still leveraged to benefit the overall business.

The question becomes: how do publishers execute a path to GDPR compliance that still monetizes EU audiences and supports advertiser demands? They’ll have to figure out how to use cookies for targeting, retargeting, and measurement in a way that doesn’t run afoul of the new rules. Publishers are rightly concerned about how this will all shake out. Measurement efforts could be disrupted throughout the entire industry, with third-party cookies already restricted in some mobile environments. And, on top of it all, there is still a lot of uncertainty about GDPR. This has resulted in publishers taking different approaches to compliance, some being more cautious than others. Uncertainty, however, will not be a free pass to do nothing about it.