Are you ready for the GDPR? A guide for advertising agencies

by Jerelle Gainey and Debra Wang, 15 Mar 2018

The General Data Protection Regulation (GDPR) is one of the most expansive pieces of privacy legislation in history. Ultimately a good thing for users and enterprises, it also brings a new set of challenges for the marketing industry, which must educate itself on the regulation and adopt the processes, policies and procedures needed to ensure compliance and protection for European Union (EU) consumers.


What is GDPR?

The GDPR is a game-changing digital privacy regulation that will go into effect on May 25, 2018. It standardizes a wide range of different privacy legislation across the EU into one central set of regulations with the goal of protecting users in all member states. Most importantly, because it is legally binding, companies cannot ignore or opt out.


The purpose of the GDPR is to ensure that EU users have greater control over their personal information, including the right to actively consent to every use of personal data, the right to limit that use, the right to be forgotten, the right to data portability and the right to seek damages should they suffer from misuse or breach of their data.


If you’re based outside the EU, but your client or company targets users in the EU and collects personal or behavioral data from these users, your company is still subject to the requirements of the GDPR. It is important to note that the GDPR is an evolution of existing EU data protection policies, not a complete revolution, which means all organizations will need to rethink their data practices and keep up as the regulation continues to evolve.


Currently, fines are set at up to €20 million or 4% of global revenue, and there are already precedents of companies being caught breaching regulations and fined:

  • Example 1: Flybe – Convicted of breaking the law after emailing people who had clearly opted out.
  • Example 2: Honda – Preemptively tried to ask consumers if and how they would like to continue to receive marketing messages from them, but due to an outdated database, several consumers had already opted out.

The Elements of GDPR

So, what actually makes up GDPR and what consumer data does it protect?

From a corporate standpoint, all companies will now be required to:

  • Build privacy settings into their digital properties, otherwise known as “privacy by design,” forcing companies to be proactive rather than reactive
  • Regularly conduct privacy impact assessments
  • Enable clearly defined methods of seeking user consent to use their data
  • Document how the company is using personal data
  • Adhere to data breach communication protocols
  • Stop using pre-ticked boxes or opt-out (instead of opt-in) mechanisms for marketing, which are no longer allowed

What Consumer Data Is Protected?

  • Basic identity information such as name, address and ID numbers
  • Web data such as location, IP address, cookie data and RFID tags
  • Health and genetic data
  • Mobile phone number
  • Driver’s license/passport number
  • Biometric data
  • Racial or ethnic data
  • Political opinions
  • Sexual orientation

Another built-in element is the 72-hour clause. This is the amount of time within which companies must notify their supervisory authority of a breach, and the public as well if consumer data has also been exposed. There’s still some grey area in terms of what constitutes an ‘undue delay’, but this makes companies accountable for notifying consumers so that passwords can be changed or credit protection put in place.


In short, there are a lot of details, and plenty of attempts around the web to summarize the 200-page reform document; it’s in every company’s best interest to reach out to legal professionals to ensure that they’re in compliance.

GDPR in Practice

What does this mean for everyone? And how will it impact how companies do business?  

For everyone in the EU, it means more transparency and assurance that companies WILL be more organized and stringent in how their data is being stored, protected and processed. Consumers will no longer be opted in to all mass marketing by default; as with security and privacy options, the most stringent settings will now be the default rather than the more open public ones. This should help manage the volume of spam and also avoid the annoying experience of unsubscribing from a newsletter, only to find it pinging in your inbox for another two weeks (the one caveat, where an unexpected email might still arrive, is when a user refers a friend).


For businesses it gets a little more intricate in how they retain and remarket to customers. Third-party anonymized data is still allowable, so most advertising targeting practices, like audience targeting or demand-side platforms (DSPs), should remain relatively unchanged. But how a company gathers customer emails and uses them for other practices, like email marketing or Google’s Customer Match, could need an audit or a retooling of the entire process and strategy. Similarly, social media platforms that can tie specific attributes or behaviors to an exact user profile may also find themselves in GDPR grey zones.

  • Understandably, any concerns surrounding drop-off rates are warranted, and marketers may see their customer pools shrink overnight. This can also be interpreted as removing wasted impressions on consumers who have already stopped interacting with the brand and/or lost interest in it. What’s left is a far more interested and profitable audience that can be cultivated and retained.

For advertising agencies, there is also a sense of responsibility and awareness to help our clients ensure that their data is being held to the new standard. This is especially true if we know their customer base crosses over into the EU.

How to Prepare?


Hubspot performed a survey in Nov. 2017 and found that as many as “36% of marketers had not even heard of the GDPR yet and 15% of companies have done nothing to become compliant.” If you happen to fall into this category, you’re not alone, and we’ve got a guide to help!


Education. The first and most important step is to seek education. Hopefully this article is a great starting point, but there are many resources available, including the GDPR website, to educate you on the scope, ramifications and requirements of the regulation.


Engage all stakeholders. You should make sure everyone in the business understands the regulation, how it impacts the business and what steps the organization will be taking to maintain compliance.


Assign data protection personnel and/or a trained professional team. You may want to assign team members or hire consultants who are tasked with ensuring GDPR compliance for the organization. Companies like Secureworks, or third-party IT reports like the annual Gartner Magic Quadrant, can help you evaluate the different scopes and strengths of network security vendors.


Conduct a risk assessment. You should audit the data you’re collecting on EU citizens, determine how that data is being used and create data maps to establish processes for mitigating potential compliance issues or establishing new data capture practices.


Create a data protection plan. If your company doesn’t already have a data security policy, you should begin working to put one in place and confirm that it is in compliance with the GDPR requirements.


Review your privacy policy. To comply with the GDPR, your current privacy policy may need to be updated. For example, the opt-in vs. opt-out language in your policy may require an update.


Privacy Shield framework. Businesses should seek out certification under Privacy Shield standards to ensure their operations are in compliance before the GDPR goes live.


In an age where offline and online interactions increasingly intersect, it’s inspiring to see a collective consensus agree on a “common sense” law. Personal data is a valuable resource to be protected and we will all benefit from this law.


Similarly to how we wonder why the automobile industry didn’t mandate seat belts from the very beginning, we may look back and wonder why we were so trusting and naïve, operating in the digital realm without basic digital consumer data protection.


Unsure if your advertising or marketing plans would be up to snuff?

Contact us!