GDPR and Third-Party Services: What Publishers Need to Know
By now, everyone understands the General Data Protection Regulation (GDPR) is here to stay, and businesses must make themselves entirely compliant in order to avoid fines of up to four percent of total global revenue. In the online publishing industry especially, business leaders must be fully aware of the different aspects of their websites that could lead them down a road to non-compliance.
One area that must be carefully monitored is the use of third-party services. With advertising and marketing technology stacks no longer developed in-house (simply because it’s too expensive to retain full-time developers), publishers rely more and more on third-party software to create optimized online experiences for their audiences.
These outside vendors, or third-party services, give publishers the resources they need at reasonable costs, while making their websites engaging and the reading experience seamless. However, with GDPR in effect, it’s all about data. Publishers are now data controllers and their vendors have become data processors.
As data controllers, publishers hold the ultimate responsibility for the data processed by their vendors. For example, if a publisher uses AppNexus for header bidding, it is the publisher’s responsibility to make sure that AppNexus collects and processes what is ultimately their users’ personal data in compliance with GDPR, if and when the regulation applies.
The GDPR is enforced with a resolve unlike any previous privacy regulation, and it compels online publishers to take a closer look at every single tag running on their properties, to make sure those tags follow the same rules the publisher itself has implemented as a handler of personally identifiable information (PII) under GDPR’s guidelines.
To help publishers remain GDPR compliant with the many third-party services operating on their sites, below are three steps you can take to audit your third-party service ecosystem and make sure that the data those services collect is processed only in ways consistent with the consent users originally gave.
1. Discover and Map Your Data Processors
While this might seem like a simple idea, it’s arguably the most important. Obviously, your vendors are an integral part of your operations, and I’m not trying to downplay their importance. On the contrary: while many publishers, like The New York Times, are cutting vendors to comply with GDPR, there is a better way. It starts with mapping and auditing your third-party software to see which services process personal data, what data is processed, how it’s processed, and what should be done to mitigate the risk of a data breach.
For this reason, it’s pivotal that businesses gain full visibility into the third-, fourth- and fifth-party services running on their sites. This way, publishers can continue to take advantage of tag vendors while maintaining a clear picture of which entities are authorized (or not) to handle PII.
2. Make Sure All Third-Party Vendors are IAB Europe Compatible
The IAB is not a regulator in the sense that publishers must comply with it, but its guidelines have become industry standards. The IAB can certainly help publishers filter non-GDPR-compliant elements out of their ecosystems. After doing so, all they need to do is implement an IAB-approved consent management platform (CMP).
Initially, this form of auditing may mean weeding out certain applications -- leading to a limited choice of outside vendors to use within ad-tech stacks -- but the list is expected to grow with time as more vendors recognize the importance of being positioned not only as optimization tools, but also as GDPR compliant for their customers.
3. Consistently Analyze Who is Controlling PII Data
With marketing and ad-tech stacks being implemented by outside vendors, these services are constantly collecting, processing, and (sometimes) storing PII. Even if a business manages user consent and provides users with the right to be forgotten, this sensitive information can still leak if it is not methodically monitored.
A thorough GDPR audit of third-party services maps out the outside solutions as well as their dependencies on other services, highlights every service that accesses PII, and can detect sensitive information being stored without encryption. Thus, the business consistently knows where the data is and how it’s being handled -- helping make sure that every aspect of its website is compliant under the new regulation.
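Steps 1 and 3 come down to the same mechanical task: turning a record of what the page actually loaded into a map of which vendor brought in which other vendor, and flagging any vendor that nobody approved as a data processor. The following is an added JavaScript example, not code from the article or from any vendor it names. The request list, the domains and the approved-processor list are constructed placeholders, the "party" numbering (first party, then third, fourth, fifth by hop count) is this example’s own convention, and the registrable-domain helper is deliberately simplified.

```javascript
// Added example (not from the article): map third-, fourth- and fifth-party
// services from a page's network log and flag unapproved data processors.

// Constructed placeholder for the publisher's own registrable domain.
const FIRST_PARTY = "publisher.example";

// Constructed sample in the shape a browser network log provides: every
// request carries the URL of the document or script that initiated it.
// Requests are listed after their initiator, as a log records them.
const SAMPLE_REQUESTS = [
  { url: "https://publisher.example/article", initiator: null },
  { url: "https://publisher.example/js/app.js", initiator: "https://publisher.example/article" },
  { url: "https://cmp-vendor.example/cmp.js", initiator: "https://publisher.example/article" },
  { url: "https://bidder.example/hb.js", initiator: "https://publisher.example/js/app.js" },
  { url: "https://sync.dsp.example/match?uid=u123", initiator: "https://bidder.example/hb.js" },
  { url: "http://collector.example/beacon?uid=u123", initiator: "https://sync.dsp.example/match?uid=u123" },
];

// Registrable domain, simplified to the last two host labels (assumption).
// Real tooling should resolve this against the Public Suffix List instead.
function domainOf(url) {
  return new URL(url).hostname.split(".").slice(-2).join(".");
}

// Assign each request a party level: 1 = first party, 3 = loaded directly by
// first-party code, 4 = loaded by a third party, 5 = loaded by a fourth party.
// A vendor calling its own domain again does not add a new party.
function mapParties(requests, firstParty) {
  const byUrl = new Map();
  for (const req of requests) {
    const domain = domainOf(req.url);
    let party, chain;
    if (domain === firstParty) {
      party = 1;
      chain = [domain];
    } else {
      const parent = byUrl.get(req.initiator);
      if (!parent) throw new Error(`initiator not seen before ${req.url}`);
      if (parent.domain === domain) {
        party = parent.party;
        chain = parent.chain;
      } else {
        party = parent.party === 1 ? 3 : parent.party + 1;
        chain = [...parent.chain, domain];
      }
    }
    byUrl.set(req.url, { url: req.url, domain, party, chain });
  }
  return [...byUrl.values()];
}

// Audit findings: every non-first-party domain that is not on the approved
// processor list, plus any request that leaves the browser without TLS.
function audit(requests, firstParty, approvedProcessors) {
  const approved = new Set(approvedProcessors);
  const findings = [];
  for (const entry of mapParties(requests, firstParty)) {
    const chain = entry.chain.join(" -> ");
    if (entry.party > 1 && !approved.has(entry.domain)) {
      findings.push({ domain: entry.domain, party: entry.party, issue: "unapproved-processor", chain });
    }
    if (new URL(entry.url).protocol === "http:") {
      findings.push({ domain: entry.domain, party: entry.party, issue: "unencrypted-transport", chain });
    }
  }
  return findings;
}

// Constructed approved-processor list: the CMP and the header-bidding vendor
// have signed data-processing agreements; whatever they pull in has not.
const APPROVED = ["cmp-vendor.example", "bidder.example"];
for (const f of audit(SAMPLE_REQUESTS, FIRST_PARTY, APPROVED)) {
  console.log(`${f.issue}: ${f.domain} (party ${f.party}) via ${f.chain}`);
}
```

On the constructed sample the audit reports two domains the publisher never approved (a fourth-party match endpoint reached through the header-bidding script, and a fifth-party beacon reached through that) plus one request sent over plain HTTP. In a real audit the request list comes from a browser network export captured after consent is given and again after it is withheld, so the two maps can be compared; the `uid` parameters in the sample are exactly the kind of identifier that turns an innocuous-looking pixel into personal-data processing.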
GDPR Compliant Third-Party Services: A New Kind of Validation
Simply put, as publishers execute GDPR audits within their ecosystems, they have to make sure they’re seeing the full picture. MarTech and AdTech companies are built to increase revenue or reduce spend. They are not built for regulatory compliance.
So with GDPR in effect, it becomes critical that publishers gain complete visibility into not only the third-party services they’ve authorized to control customer data, but the fourth- and fifth-party solutions that they’re dependent on as well. A publisher’s ability to achieve GDPR compliance, and potentially organizational success, could depend on it.