We’re proud of our progressive values, and a big part of what makes us a progressive firm is our commitment to your privacy, and the security of all the sensitive information that comes along with being a data-driven advertising firm.

You may be seeing a lot of news about the General Data Protection Regulation, or GDPR, and about how the GDPR may — or may not — affect you personally, or your advertising campaigns.

In compliance with and in strong support of GDPR’s changes to EU data protection law, we’ve made a number of upgrades to our processes and to the security of our technology to make sure that we continue to provide the highest level of protection for our clients and our audiences.

If you’re curious, though, we’ve put together this explainer to give you more information.

What is GDPR?

The GDPR is a new data regulation enacted by the European Union to safeguard the rights of consumers in the EU, superseding the 1995 Data Protection Directive and increasing requirements for data security and privacy beyond the Directive.

The GDPR applies to any business that

  • Monitors the behavior of individuals in the European Union.
  • Provides services or goods to the EU (including free services), even if based outside the EU; or
  • Has an establishment in the EU, regardless of whether it processes personal data of EU citizens.

    The GDPR governs the collection, storage, transfer or use of personal data, where “personal data” is defined very broadly to include any information relating to an identified or identifiable individual.

    The GDPR gives individuals greater rights and control over personal data about them than under the Directive, by regulating how businesses obtain, handle, store and transfer the personal data they collect. The GDPR also greatly increases fines for breaches and imposes a more rigorous enforcement structure.

    Key changes under the GDPR

    Here are some of the key changes brought about by the GDPR, compared to current law under the 1995 Data Protection Directive and other privacy-related laws:

    Expanded rights for individuals: The GDPR provides expanded rights for individuals in the EU by granting them, among other things, the right to be forgotten (“right of erasure”) and the right to request a copy of any personal data stored about them (right to “data portability”).

    Privacy impact assessments and data security: The GDPR requires organizations to conduct privacy impact assessments and implement appropriate data security policies and protocols (“appropriate …to ensure a level of security appropriate to the risk”).

    Recordkeeping and other compliance obligations: The GDPR requires organizations to keep detailed records on data activities and enter into written agreements with vendors that require vendors to commit to the same compliance obligations as the contracting organizations.

    Data breach notification: The GDPR requires organizations to report data breaches to data protection authorities within 72 hours of discovery, and in serious cases to the affected individuals.

    Increased enforcement: Under the GDPR, authorities can fine organizations up to the greater of €20 million or 4% of a company’s annual global revenue, based on the seriousness of the breach and damages incurred. Also, the GDPR provides a central point of enforcement for organizations with operations in multiple EU member countries.

    Our Compliance with the GDPR

    Our Information Security Team is evaluating our systems and data storage to ensure GDPR readiness. We have designated a dedicated internal team to drive our company to meet GDPR requirements. Whether it comes to our own internal data, data prepared and processed for use by our customers, or data collected by our customers’ customers and other product users, we will ensure that it meets the appropriate privacy standards set by GDPR.

    Here are some of our ongoing GDPR compliance initiatives:

    Identifying personal data: We are reviewing our systems, products and services to identify and document the sources, uses, storage and disposal of all internal data, data prepared and processed for use by our customers, and data collected by our customers’ customers and other product users.

    Enhancing data integrity and security: We are implementing updates and modifications to our data security policies and procedures to provide enhanced security consistent with new expectations for industry-standard, end-to-end security.

    Consent requirements: We are ensuring compliance with consent and other requirements for how to lawfully collect personal data.

    Providing visibility and transparency: As a data processor, we must provide our customers (the data controllers) with access to effectively manage and protect their data. We are exploring product enhancements to provide better transparency, in order to also provide all reasonable assistance to our customers to comply with their own transparency and data rights access obligations.

    Data access rights: We are working on interfaces that will allow our customers to address requests from their customers and other users based on their rights to access, review, correct or delete any personal data that is processed in our systems.

    Data transfers outside of the EU: While the GDPR does not place any new restrictions on transfers of personal data outside the EU, DSPolitical will continue to comply with applicable requirements under the GDPR and other laws governing data processing involving these types of data transfers.

    Forming a Data Protection Team

    We created a Data Protection Team which is focused on engineering improvements to our systems, processes and our products to comply with the standards required by the GDPR.

    This team is focused on organizational changes for handling data protection issues, including compliance with consent and other requirements for how to lawfully collect personal data; improvements to systems and processes to comply with rights of individuals to access, review, correct or delete any personal data that is processed in our systems; ensure that our own data collection privacy disclosures new data processing agreements, as necessary; and improving disaster response procedures and notification processes for responding to potential data breaches.

    What Should Our Customers be Doing (as it relates to use of our Services)?

    Of course, all organizations processing personal data of EU citizens have their own separate compliance obligations. This is true for our customers as much as it is for us, and our customers must look to their own advisers to guide them through these processes. Nonetheless, in relation to our customers’ use of our systems and services, there are several important things our customers should be doing to meet their own GDPR compliance obligations:

    Update terms of service and privacy policies: On your websites or apps, these should be updated to communicate to your own customers and other users how you are using our systems (and any other similar services). These disclosure obligations are more important than ever under the GDPR, including the important obligation to be transparent about the third parties (including us) with whom you are sharing personal data of your users.

    Consent requirements: If you are collecting personal data from your customers or other users, you too must ensure compliance with consent and other requirements for lawful collection of personal data.

    Data “processor” relationship: Our customer contracts contain appropriate provisions for personal data we store, and balance the risks and responsibilities between our customers (the data “controllers”) and us (the data “processor”). If you are in the EU, we ask that you sign or update a contract with us incorporating terms to clearly establish our respective data processing roles, in compliance with the GDPR and other generally acceptable privacy laws. This reflects our role as a data “processor” under the GDPR, processing data on your behalf as the data “controller”.

    Reach out for help

    We consider it a core operational responsibility to ensure our technologies are used responsibly and within legal guidelines and industry best practices set by the GDPR and other privacy frameworks.

    We ask that customers reach out to their account representative if they need the direct help of our Infosec or Data Protection teams.