On 25 May, 2018, the General Data Protection Regulation (GDPR) will come into force. The subject is taken very seriously by the entire advertising industry, but it is not isolated to this industry, as all private or public companies are concerned. In this three-part series, originally published in French on Ad-exchange.fr, Michel Juvillier, CEO of Juvillier Conseil, outlines the key considerations businesses in the digital advertising ecosystem need to address.
It is a regulation and not a European directive. There is a distinct difference: A directive provides objectives for member countries to achieve, with a deadline for implementation. A regulation is mandatory and applies fully and directly to all member countries of the European Union.
25 May, 2018 is seen with some anxiety by many players in digital advertising. Others, on the other hand, see it as an opportunity to bring order to a data market where the user has historically been seen as a kind of ‘customisable variable’ in the digital monetisation ecosystem.
In order to get a clearer picture of this new regulation, I had the opportunity to interview a variety of thought leaders in the fields of advertising technology, governance, and law.
The first major lesson of these interviews is that the more we study the topic of the GDPR, the more ‘grey areas’ (areas of interpretation) emerge in the text.
As Merav Griguer, partner at Bird & Bird, one of the foremost authorities on the GDPR, pointed out to me, when you look in depth at the GDPR, you have to adopt Socrates’ maxim: “I know that I do not know anything.”
Addressing the issue of the GDPR requires, first and foremost, humility. For a start, it’s imperative to call out the fact that all players tempted to call themselves ‘GDPR-compliant’ are, in fact, imposters.
Vincent Pelillo, VP Europe, Captify, is very clear on the subject: “The legal framework is not clear. Since there is no case law […] And it is precisely the jurisprudence [the theory of the law] that will contribute to the final conditions of the regulation’s framework.” He added: “We are going to create a religion; and this jurisprudence will tell us if we’re right.”
Without an interpretation of this ‘sacred’ text, we will have to wait and see what advice is given by the powers that be in the advertising and data industries, to help prepare, but also analyse the commercial, marketing, and legal issues for the entire European advertising ecosystem.
If we refer to Deloitte’s white paper (‘GDPR, where do I start?’) published in January 2017, to succeed with GDPR, it is necessary to set up different methodological, legal, and technical steps.
GDPR: Methodological Stage
According to Deloitte’s white paper, methodologically, the approach to GDPR must be ‘permanent and dynamic’. This means that bringing an organisation into conformity with the GDPR must go through an inventory of how data is processed and stored, via a Data Registry. Potential risk areas should also be assessed against the requirements of the GDPR.
With this information, it will be necessary to determine the responsibilities within the organisation: the information systems department (DSI), the marketing department, the sales department, and the Data Protection Officer (DPO, or DPD in France).
This DPO position is a pure creation of the GDPR. The creation of this function is an obligation for all companies (public or private) with more than 250 employees, or for any company, whatever its size, if its main activity is based on data processing. Today’s digital advertising centres around an ‘operating system’, and all operators using data in the digital advertising ecosystem are liable.
The DPO will have three key objectives:
– Control the regulations and enforce them
– Advise and inform data operators within the organisation, as well as any subcontractors
– Be the main contact with the supervisory authority (the CNIL in France)
The DPO can be a staff member or a person outside the company but, in the latter case, someone with legal duties (a lawyer or legal practitioner). In terms of profile, the players in the advertising market seem to hesitate between different options. For Mathieu Roche, CEO and founder of ID5, a centralised cookie-synchronisation platform, the profile of a data protection officer could take on many forms: chief technology officer (CTO), traffic manager, chief data officer (CDO), or even an external consultant or representative. It may seem strange to hire outside of the organisation for this role, but it could work as an interesting transitional solution for some companies, as shown by the German outfit E-Privacy, headed by Christoph Bauer, who is positioning himself as an external GDPR partner, a sort of ‘offshore’ DPO.
This ‘offshore’ DPO option may be an ideal solution where there are management issues. The DPO is responsible for the law, so the DPO can claim full autonomy in terms of decision-making. Thus, Vincent Pelillo wonders: “What would happen if the DPO were opposed to management committee decisions that are contrary to his data-protection beliefs?” Other questions remain: for companies with representative offices in more than one country, do you need a global DPO, or a DPO in each country?
Juvillier’s insight into the legal and technical steps required for the GDPR will be published next week.