5 Things to Know About GDPR

It’s now less than a year until new data protection rules will be introduced in Europe. Known as the GDPR, the effects of the wide-reaching privacy protection regulation still seem to be shrouded in mist for the members of the ad tech and martech industry on both sides of the Atlantic. In this piece, Julia Shullman (pictured below), senior director, deputy general counsel of commercial and privacy, AppNexus, summarises five steps to be taken by companies to get ready for GDPR.

The General Data Protection Regulation will come into effect on 25 May, 2018. The purpose behind passing the regulation was to harmonise data protection rules across Europe, protect and empower EU citizens, and reshape the way companies approach the privacy and protection of personal data. Companies that fail to comply face the potential of astronomical fines and damages.

Julia Shullman, Senior Director, Deputy General Counsel of Commercial and Privacy, AppNexus

Yet many in the advertising and marketing community still do not understand how the GDPR will affect their business. Almost a third (24%) of companies have yet to even start a GDPR plan according to a recent survey from the Direct Marketing Association (DMA).

The digital and advertising industries will be massively affected by the new regulation, as they rely heavily on both pseudonymous online identifiers (e.g. cookie and advertising IDs) and customer data for targeted marketing campaigns that fund publisher content and provide users with more relevant advertisements and a better user experience. While every company that’s part of the digital and online advertising ecosystem will be affected differently, here are five things every company needs to do.


Within the highly fragmented online advertising ecosystem, companies should (and will be required) to have an in-depth understanding of the personal data being collected about their users, either directly by them or by a third party on their behalf (or on behalf of others). They must be able to verify why this information is collected, how it is collected, and for what purposes it is used. It is also essential to understand how it is stored and secured and who it is being passed onto and how those parties are using the data. As such, companies will need to work with those third parties to understand whether they’re acting as a controller or a processor – two important terms under the GDPR that dictate, among other things, the type of contract that must be put in place between parties. Companies are responsible for the partners they work with and the parties that have access to their users’ personal data, and they and could suffer huge damages or fines if a party in the fragmented ecosystem is not in compliance.


A recent poll from data analytics company SAS, showed that over a third of the 2,000 participants would ask retailers to stop using their data for marketing purposes under the new legislation. Companies need to increase their understanding of their end users’ data protection rights, and undertake to educate them in a user-friendly manner about how, and for what purposes, their data is being used. These rights must be clearly communicated, with a breakdown of how and why personal data is being collected and used. Gone are the days of the ‘tick-box method’ and accompanying lists of terms and conditions and confusing information buried in privacy policies.

Ensuring best practices around use and security of data

Companies must take into account the nature of the personal data being collected and used, and ensure best practices around data minimisation, security, and data integrity. A working environment of this kind should be front-of-mind for companies.

Choosing the right partners

It is essential to choose the right partners and vendors, particularly in order to build or use tools that meet the GDPR’s enhanced transparency, access, and choice requirements. By working with the right partners, companies of all sizes will find the transition simpler.

Ensuring the right records and processes are in place

Companies will need a system in place to meet record retention and privacy by design requirements under the GDPR.