IAB Europe GIG: Working Paper on Data Subject Requests

Traditionally, the digital marketing industry collects and uses Pseudonymous Data for its services. Often, these technology companies also do not have a direct relationship with individuals.  These two factors have led to a number of open questions as to how the digital marketing industry can comply with certain aspects of the General Data Protection Regulation (GDPR).

In particular, data subject rights (Article 15-22 of GDPR) are principally challenging to these companies since they do not use or store directly identifiable personal data.  How do ad tech companies respond to a data subject access requests if they do not have the data subject’s name and address on their system to pull the data from their system? Instead, they store the individual’s cookie and mobile ID. How do they subsequently verify that the cookie ID belongs to an individual without the individual’s name and email address, for example? Most companies would need to take an additional step to get their data subject’s name and address to truly identify the individual.

IAB Europe’s GDPR Implementation Group commenced a working group with the collective minds of data protection officers and technologists from various companies helping to think through these issues. The discussions helped craft this guidance document with options as to how to verify a data subject’s request and respond to data rights requests.

Some issues we covered:

• The first step in this process is determining if you are a controller or processor. Data processors should not reply directly to access requests, unless directed by the controller in a contract or otherwise.
• The inability to verify that data belongs to the requestor begs the initial question: should digital marketing companies that only collect pseudonymous data respond to data subject right requests?
• Once a determination has been made to reply, it is strongly recommended that companies create an internal policy for responding to data subject rights, and also for all interactions with data subject access requests, particularly the reasons for denying any such a request.
• At least one person should be responsible for responding to the data subject requests whether the requests are made via the website, postal mail or email.

The five steps for digital marketing companies to take now:

1. Determine whether you are a controller or processor;
2. Ensure you have appropriate procedures and policies in place to respond to the data subject rights, including when do you have to respond to data subject rights (are you relying on consent versus legitimate interest to collect and/or process the data) and how will you respond;
3. Having a verification process in place to ensure the data subject has a right to the personal data that the data subject rights request is tied to.
4. Make sure your employees in marketing, legal and privacy are properly trained to respond to data subject requests; and
5. Update your data protection notices to reflect your process and response to data subject rights requests.

It is crucial to emphasise that every technology platform in the digital marketing sector is unique, providing various services to its clients. Consequently, each company will implement processes and procedures that are particular to that company, resulting in different responses to data subject rights obligations.

The working paper on Data Subject Requests can be read or downloaded below: