Doesn’t GDPR only apply to Europeans?

The new GDPR law applies to any company currently handling personal data from individuals living in the EU. Even if you don’t directly advertise to Europeans, any personal data you have on them could result in a significant fine.
Consensual data sharing is all the rage in Europe. Ask for consent.

Alright, and what are the consequences?

Significant. If your company is caught violating the GDPR, you will be fined 4% of your annual global sales or twenty million euros, whichever is the higher amount. Not only that, but you could face substantial consumer backlash and bad media coverage. Europeans care about their online privacy, and if you’re caught violating it, that doesn’t look good for the brand.
Image of building burning - Consumers outside angry about stolen data

Oh, okay, give me the gist of this new law then

GDPR is intended to replace out-of-date laws so that individuals have more control over their personal data. This means that companies (including those in ad tech and publishing) are required to gain the approval of internet users for the use of their online identifiers (cookies, ad IDs).
Here, it’s important to distinguish between data controllers and data processors. A data controller is the entity that collects data from users, whereas a data processor, typically a DMP, takes that collected data and organizes it. The data controller is required to obtain consent from the user, and the data processor is required to verify that the controller it receives data from is obtaining proper consent as dictated by GDPR. If the data processor has contracted a data sub-processor, the data processor must inform the data controller. Some data processors are controllers themselves, since they sometimes collect data as well. The line between controller and processor is not completely black and white.
The law essentially demands accountability and transparency in the entire ad supply chain. Here are six key points.
Comic about giving data back to consumers

Clear, transparent consent practices and privacy policies

Consent policies are required to be easy to understand, avoiding legal language the average person doesn’t easily comprehend. The request for consent from the consumer must be given in a straightforward, easy-to-understand fashion that makes it clear that they are consenting to the processing of their data. Additionally, the consumer must be able to withdraw consent at any time.
Comic about consumers consenting to providing data

The right of consumers to access their personal data

Consumers must be able to see what data is being collected about them and for what purpose it is being used. They also have to be able to access their data electronically and be able to give that data to another company if they desire.
Comic about Consumers right to access their personal data

The right to be “forgotten”

Any consumer that wishes to have their personal data deleted has the right to demand its deletion and the end of its use altogether. Both companies and third parties must delete and cease using the data if it’s in their possession, including businesses outside the EU as mentioned previously. If a consumer withdraws consent, their data must also be deleted and use of it halted.
Comic about consumers right to be forgotten

Companies must structure new systems and approaches with a privacy-first mentality, not with privacy as an ‘add-on feature’

Companies are required to structure new systems for collecting data with a privacy-first mentality. Any data that is collected, stored, and processed must be necessary to a business and their operations. Personal consumer data that is collected but inessential to your business must be better protected as well.
Comic about privacy-first mentality when structuring data strategy

Companies must alert consumers within 72 hours of a breach taking place

If a data breach has occurred that could result in “a risk for the rights and freedoms of individuals”, consumers must be alerted within 72 hours of when the breach took place. This applies to both the companies collecting data and those processing it.
Comic about the 72-hour data breach alert procedure

Companies must assign a data protection officer

Companies whose core business is to process and collect consumer data must assign a data protection officer. That DPO must be qualified for the position and report to the highest level of management.
Comic about data privacy officer - We think Robocop would be perfect for this

Oh god, what do I have to do?

Have you considered panicking? Better yet, here are some concrete steps to take to calm those nerves and put your company on the right track.

Seek Legal Counsel

When dealing with new legislation a lawyer is always handy. Another option is to seek a compliance consultant to ensure you are moving in the right direction.

Conduct a full data mapping

Time to review those logs of where the personal data is processed, stored and moved. Bring a good magnifying glass.

Evaluate contracts

You still have that magnifying glass? All those partnerships of yours need to be reassessed to make sure all parties are compliant with GDPR. Make sure you feed your contract writers well; they will need the energy.

Update policies

Any data collection policies and procedures must now comply with GDPR requirements. See above.

Honour privacy by design

When designing new programs, marketing, and sales, make sure to include privacy as a fundamental part of the process, not just some addition after development. The people will notice.
Graphic of a full 'to-do' pile

How does the industry feel about it?

There are numerous concerns about GDPR’s implementation this May. For instance, smaller companies are having a harder time making the necessary changes, as they struggle with legal costs that don’t impact larger companies in the same way. It is no surprise that the larger businesses are much more prepared for GDPR than the smaller ones.
Comic about larger companies having more resources than smaller companies
The primary concern for marketers is obtaining consent from consumers. Implementing changes is challenging but the potential loss of valuable data will be a hard pill to swallow for companies.
UK Marketer primary GDPR concern chart

How much data could we possibly lose?

I’d hate to be the one to tell you, but “75% of customer data could be rendered obsolete by GDPR”, according to data marketing firm W8Data. Admittedly, that’s a large piece of the data pie that will be gone overnight.
Comic about data loss

How many Europeans will opt out of data collection?

According to polls, 6 in 10 internet users in Europe said they would likely opt out of receiving emails and phone calls from companies, while 59% would ask to have their records completely deleted.
Comic about number of Europeans who will opt out of data collection

Is all lost?

Although there will be short-term pains from a loss of data, the purge will leave marketers with higher quality data. The best consumers are the ones willing to share their data with a brand. Chasing disinterested consumers can be a big waste of budget dollars. This will put a greater emphasis on first-party data, which is the most reliable anyway.
Comic about what will happen if most people in Europe opt out

But what about the consumers that don’t want to share their data?

They can’t be targeted via tracking cookies, but they can be reached via contextual targeting. If they’re a sports fan, then you know where they’re likely to be found: a sports website.
Comic about the rise of contextual targeting
The purge of data from consumers opting out may just be a gift disguised as a burden, that gift being greater efficacy for marketers.

Steve Patrick Adams is a writer, illustrator, and animator with a glowing love of all things Ad Tech. He's been a digital media producer since 2010 when he got his start working for Bite (Blue Ant Media) and has since worked for a variety of publishers including CBC Comedy, Mashable, and IAB Canada.