Compliancy with the new regulations on data usage in the EU is not an issue that can be resolved by going it alone. Working together, the various stakeholders in the programmatic supply chain will not only make it easier for themselves to adjust to the GDPR, but ultimately make the programmatic ecosystem more transparent, argues Marc Roos (pictured below), COO, Improve Digital.
“How do I achieve compliancy?” is the current hot topic in digital advertising. The truth: it’s easier for organisations to achieve GDPR compliance internally, but the real crux is how to achieve compliance on auction data. Since the programmatic auction relies on a transfer of data between parties, no party can achieve compliance in its silo. SSPs, DSPs, and content providers all need to work together. Transparency between partners is the key to making this happen and, ultimately, is the foundation stone towards governance and control throughout the entire ad-tech ecosystem.
You can’t just cha-cha-chá to GDPR compliancy
When it comes to the programmatic auction, GDPR compliance isn’t something that any party can just try to work around. On the surface, it’s not hard to rewrite a privacy statement; if you dig deeper though, the GDPR has a hundred articles on how to handle data. These are ambiguous, place the interests of the data subject first, and are difficult to apply to programmatic practice. Compliance isn’t just about a writing piece, but a building piece, and a business cultural piece; compliance means making structural changes to business processes throughout the entire organisation.
Compliant on internal data, partner-up on auction data
Creating GDPR compliance on internal data is the easiest step, since it will be in your own sphere of control. However, once you look at data in the programmatic auction, the situation becomes more complicated. In our case, our business of running a programmatic auction relies on transferring data through a bid request to buyers. But the programmatic ecosystem is opaque and complex, with many parties and vendors involved in the exchange of data. In the race to become compliant, there is a tendency for parties to minimise responsibilities. To resolve the issue, each party needs to openly share how, why, and for what purpose it processes data and to take responsibility for its legal role in the data flow process. Organisations should limit the processing of personal data to the purposes that they publicly state.
Mapping out the data flow: Who leads, who follows
To get a clear picture of your roles and responsibilities, it’s useful to visually map out the path data takes in the programmatic ecosystem. That makes clear which parties fall under the role of controller, joint-controller, and processor. Given the nature of the programmatic auction, consent is the safest bet as a legal basis for processing personal data. Since publishers and content providers are the first port of call in the ecosystem, many parties in the ecosystem rely on them to obtain user consent on their behalf. Without consent from a first-point party, an SSP tag cannot be activated to start the auction. On the other hand, an SSP cannot pass data on to a third party like a DSP to complete the auction, unless that third party has informed the publisher of its processing activities. The law is clear on this point: bid requests contain personal data, meaning that appropriate data protection and governance must be applied to them by any and all sell-side vendors who receive or transmit them.
Full compliance: Choreography between SSP, DSP, and content provider
As a result, achieving full compliance means aligning with both content providers and DSPs on the need to gain consent and on contractual obligations. After reviewing our data processing activities, and mapping them onto the new GDPR guidelines, we had to outline in all our agreements what data we process, and for what purpose. Contractual alignment means co-ordinating on partnership agreements, privacy policies, terms and conditions, etc. Content providers need to incorporate the privacy policies of their technology partners in their privacy statements as the first point of consent. DSPs need to provide all their partners with their updated policies so that they can be passed on to publishers, who are obligated to list them in their third-party overviews. To achieve this, all parties must be open and transparent with each other on what data they handle, and how.
Transparency achieves alignment: Why it takes three to tango
There’s an African proverb that states: “When the music changes, so does the dance.” While the GDPR presents big challenges to ad tech, the need for each party to open up could, ultimately, create a more transparent programmatic ecosystem. The way that data needs to harmoniously flow through a compliant ecosystem means that all dancers have to see each other’s steps – publishers, buyers, and sellers. Let’s synchronise our steps.