By Lou Mastria
Big Idea: Seeking concrete plans for the General Data Protection Regulation (GDPR), companies with business in Europe are looking to their privacy teams, who are identifying practical challenges as well as opportunities.
This blog is Part II of II. Part I discusses what’s known as of June 2017 about GDPR regulation -- scheduled to take effect May 2018. No information imparted in this blog series should be construed as legal counsel. Rather, this post is strictly for informational purposes.
Heard at DAA Summit 2017...
Representatives from different areas of the interest-based advertising (IBA) ecosystem met during a DAA Summit 2017 panel to discuss how their companies are preparing for the imminent GDPR -- scheduled to take effect roughly nine months from the date of this post.
Peter Kosmala, then the senior vice president of government relations at 4A’s, introduced and moderated the panel, which offered a more “practical perspective” on the GDPR, complementing the previous day’s workshop discussion about GDPR’s known legal elements.
Photo: Peter Kosmala, then senior vice president of government relations at 4A’s, moderates GDPR in Practice panel at DAA Summit 2017
Before the panel delved into discussion, Darren Abernethy, senior global privacy manager at TrustArc, contextualized the ensuing conversation with GDPR fundamentals: harmonization of 28 member state laws under one regulation, extraterritorial reach, a broader definition of personal data – compared both to current European law and to what we define as personally identifiable information here in the United States – opt-in consent and serious penalties. It will be enforceable upon the first day of its enactment (May 25, 2018).
Abernethy said dealing with the regulation will revolve around data governance and internal practices: “to be able to demonstrate that you strategically and tactically thought these things through and have made best efforts to try to comply with this law.”
Photo: Darren Abernethy, senior global privacy manager at TrustArc, speaking on GDPR in Practice panel. He is joined in this photo by moderator Peter Kosmala and Faiza Javaid, legal counsel, Americas, for Dentsu Aegis Network.
How Businesses are Adapting
Kosmala led the panel in a discussion about the practical changes the represented companies are making (or considering) in the countdown to GDPR.
Jason Koye, senior counsel at Omnicom Media Group, and Faiza Javaid, legal counsel at Dentsu Aegis Network, both stressed that extensive education in data privacy -- for employees as well as clients -- is becoming more important as the regulation approaches. Koye noted that Omnicom has created a specific internal training program for GDPR readiness.
According to Javaid, Dentsu Aegis had just hired a Data Protection Officer (DPO) a week before the summit -- a role mandated for some companies in Article 37 of the GDPR that supports (but is not limited to) internal education.
Noga Rosenthal, chief privacy officer at Epsilon/Conversant, offered an ad-tech perspective to the panel. Conversant is examining how data transfers out of Europe will be treated under the GDPR. Such transfers may be officially redefined as exchanges of personal data, a concern that is driving Rosenthal and her colleagues to work on model contracts and to consider implementation of the U.S. Department of Commerce’s Privacy Shield program -- which enables EU-to-U.S. personal data transfers under current European law, the Data Protection Directive, but was developed with GDPR in mind. Likewise, Conversant will have to clarify in its contracts for its work whether it acts as a data controller or as a data processor -- a fundamental distinction in GDPR which results in these entities being regulated differently. The regulation is “pushing us into a new sphere where we’ve never been before,” Rosenthal said.
Erin Brinza, senior corporate counsel with Ziff Davis, gave insight into the changes her company faces as a publisher. Right now, publishers such as Ziff Davis partner with many third parties, particularly in respect to interest-based advertising. “Anyone with a revenue stream could have a seat at the table,” Brinza said about selecting vendors with which to partner. But under the GDPR, publishers will likely become pickier about with whom they will work -- to help ensure data practices conform across the board.
“The publisher is in this position where we have a much higher potential liability for these third parties running on our sites,” Brinza said. “So I think instead of seeing hundreds of vendors, or many tens of vendors, you’re going to see all the publishers bringing this a lot closer in,” she added, anticipating that publishers will prioritize a smaller handful of ad tech vendors “based on their performance and how they approach privacy.”
Separate European Business or Apply Global Standard?
Later in the discussion, Kosmala asked the panel whether their companies will overhaul global strategies to reach a GDPR standard across the board, or somehow separate their European business so that data practices deployed regarding European-based enterprises are unique.
Most companies have not yet resolved this complex question, including those represented at the Summit. Koye suggested that Omnicom may adopt some hybrid of the two, perhaps by working with sub-processors only in the United States. Brinza answered similarly, saying that Ziff Davis’ U.S. teams may want a different approach specifically on the issue of consent -- where transparency and control for such areas of advertising data follow a notice-and-opt-out approach on non-sensitive data categories.
Still, official implementation guidance for most aspects of the GDPR is not yet available, so many companies are being forced to make their own interpretation of these forthcoming restrictions.
Photo: (back; left to right) Jason Koye, senior counsel, Omnicom Media Group; Peter Kosmala; Darren Abernethy, senior global privacy manager, TrustArc; (front; left to right) Erin Brinza, senior corporate counsel, Ziff Davis LLP; Noga Rosenthal, chief privacy officer, Epsilon/Conversant; Faiza Javaid, legal counsel at Dentsu Aegis Network
All panelists agreed that while the GDPR has placed pressure on companies, especially privacy teams, the regulation offers new opportunities and could benefit business in ways not immediately considered.
Koye explained that the GDPR alarmed him as a privacy professional, but on the other hand it “brought privacy to the boardroom [...] and it allowed for an environment where we can create a formal privacy program where maybe we didn’t have it.”
“If you’re getting ready for GDPR now, you’re probably helping your company out in the future for forthcoming privacy regulations,” Javaid added, suggesting that companies should expect similar regulations down the road, namely the European Union’s forthcoming ePrivacy Regulation. “The GDPR is only the beginning.”
The panelists expressed optimism, offering many ways to make the most of the preparation process: it’s an opportunity to build a comprehensive privacy program, identify privacy champions, raise standards and work more closely with vendors, and learn more about company data collection and therefore which companies to partner (or not partner) with.
“Take the negative and make it a positive,” Abernethy said, “look for opportunities to use this as a competitive differentiator.”
Collaboration will also be crucial, the panel concluded, both internally, between company departments, and also with industry groups such as advertising trade associations and self-regulatory regimes such as the DAA and its international counterparts.
And the countdown clock keeps ticking.
[Editor’s Note: See Epsilon/Conversant’s Noga Rosenthal discuss the significance of the DAA self-regulation program from an agency strategic partner perspective. Thank you to Charlie Tomb for his editorial support toward our Summit Snapshot 2017 blog series.]