4 Ways GDPR Compliance Could Impact You

Inplace #2

As the European Union prepares to enact the General Data Protection Regulation, digital marketing’s core will start to look different.


In the wake of CEO Mark Zuckerberg’s congressional testimony, Facebook is taking the overhaul seriously. The social platform is leading the charge by allowing users to review and update privacy settings to give everyone a say in how Facebook — and its advertisers — use data.

While high-profile companies can take those measures, smaller enterprises may struggle meeting GDPR’s technical challenges. Additionally, the new EU regulations could start a trend that allows governments worldwide to levy fines to businesses of all sizes for noncompliance.

U.S. companies that haven’t taken action should start soon. Just 21 percent of American businesses have GDPR contingency plans in place, meaning if you’re not already compliant, the law may soon affect you. Here’s how:


  1. Advertisers and Publishers Will Be Held Accountable

The GDPR may force companies to invest more resources toward compliance support like a data protection officer or integrate a consent management platform onto their websites. Notices and consents will increase across all platforms, and new tools will give users more control over the types of data that can be processed related to them.

This has spawned the creation of a host of related offerings. For example, Google’s CookieChoices now provides links to its EU consent policy, examples of consent notices, and consent tools that publishers can use on their own websites.

Data “individualization” is a key to more personalized advertising. From here, companies should analyze their EU data exposure to determine whether they’ll need to bring a DPO into the C-suite. As across-the-board compliance becomes mandatory, it’ll be even more difficult to operate without a department that specializes in advertising and privacy compliance.


  1. Customers Will Need to Stay in the Loop

In a 2017 survey, the tech company Gigya found that 68 percent of consumers distrust brands with their personal information. Even if a company is compliant, customers won’t trust it unless it conveys this information to customers, so be deliberate about how you communicate compliance initiatives.

Articulate how your organization processes and transfers personal data internally, including between partners and vendors. Every effective GDPR compliance plan begins with the data “discovery” process and data-flow mapping.

Overly broad communication may signal that your company doesn’t understand or care enough about how it handles personal data. Customers, clients, and EU regulators want granularity on these compliance topics, so go in-depth. Your business can’t afford to be perceived as failing to take its customers’ data security seriously.


  1. Third-Party Partners Will Be Key

Companies routinely collect data from third-party data providers, and they must get more selective. In the pre-GDPR world, the data management platform procurement process heavily weighed diversity, depth, and scale. The more data a provider had, the more sought-after it was in that bigger-is-better world.

In the post-GDPR world, large-scale data will carry increased financial, legal, and geopolitical risks. Facebook’s privacy scandal involved a third-party vendor in Cambridge Analytica, yet Facebook still ended up in the hot seat over how another company used its data.

Safe data has replaced big data, which means it’s good only if obtained with the proper consent. Properly vet your partners to ensure your company remains compliant and does not get invited to speak before Congress.


  1. Native Advertising Will Play a Bigger Role

With fewer data points to inform ads, native and contextual advertising are each on the rise. It’s a fallback for advertisers to rely on content and context relevance to serve consumers. Retargeting ads may decrease as consumers take back control over their data.

Many advertisers fear a regression to the days of blanketed ads, but that’s not necessarily the case. Well-run data and ad tech companies that are compliant could make huge gains on established competitors if those competitors are slow to adapt.

GDPR starts in Europe, but its impact is far-reaching. Companies operating in the U.S. that have European customers or end users need to ensure compliance to avoid fines. It’s only a matter of time before more regulators follow suit, so invest in compliance now to avoid headaches (or an invitation to Washington).


Ian Connett, Esq. is legal counsel for Visto, a programmatic advertising SaaS platform focused on bringing transparency, interoperability, and accountability to digital advertising.