Traditionally, the digital marketing industry collects and uses Pseudonymous Data for its services. Often, these technology companies also do not have a direct relationship with individuals. These two factors have led to a number of open questions as to how the digital marketing industry can comply with certain aspects of the General Data Protection Regulation (GDPR).
In particular, data subject rights (Article 15-22 of GDPR) are principally challenging to these companies since they do not use or store directly identifiable personal data. How do ad tech companies respond to a data subject access requests if they do not have the data subject’s name and address on their system to pull the data from their system? Instead, they store the individual’s cookie and mobile ID. How do they subsequently verify that the cookie ID belongs to an individual without the individual’s name and email address, for example? Most companies would need to take an additional step to get their data subject’s name and address to truly identify the individual.
IAB Europe’s GDPR Implementation Group commenced a working group with the collective minds of data protection officers and technologists from various companies helping to think through these issues. The discussions helped craft this guidance document with options as to how to verify a data subject’s request and respond to data rights requests.
Some issues we covered:
The five steps for digital marketing companies to take now:
It is crucial to emphasise that every technology platform in the digital marketing sector is unique, providing various services to its clients. Consequently, each company will implement processes and procedures that are particular to that company, resulting in different responses to data subject rights obligations.
The working paper on Data Subject Requests can be read or downloaded below: