The new General Data Protection Regulation, or GDPR, came into effect on May 25th 2018. Business Traveller provides data protection and transparency, which has always been at the forefront of our business approach.
We undertook a thorough examination of how we control and process your data and are confident that we have in place systems and processes that comply with the rules imposed by the GDPR.
We support the IAB’s GDPR Transparency & Consent Framework. To help our clients and business partners understand our approach to the GDPR, we have set out here our understanding of the new legislation and how it affects our working relationship. However, every organisation is responsible for ensuring its compliance with the GDPR and we encourage our clients and partners to review their own responsibilities in regard to this new regulation.
We have included a short FAQ and some links to relevant documents. Should you have additional questions, please email [email protected]
What GDPR covers
GDPR has a significant impact on programmatic advertising. Any advertising that uses the personal data of people within the EEA falls within the scope of GDPR.
The new definition of “Personal Data”
Personal Data is defined within the GDPR as any information relating to an identified or identifiable natural person (‘data subject’), and the Regulation specifically states that someone who can be identified by means of an “online identifier” is a data subject for these purposes. Even though Business Traveller only uses a pseudonymous ID (sometimes from cookies) which is associated with a browser or device to deliver relevant ads, it is pretty clear that this constitutes an online identifier for the purpose of the new Regulation – and gives rise to Personal Data.
Therefore, under the GDPR, fields commonly used in Relevant Advertising are considered ‘Personal Data’ and will require a legal basis for processing, including:
- Un-truncated IP addresses
- Full latitude and longitude
- Full postcode
- Device ID
Campaigns that use “Personal Data”
For campaigns that use Personal Data for the purpose of ‘Relevant Advertising’, it is our understanding that our clients will need to work with us to obtain consent to continue to run this type of advertising in order to comply with the requirements of the ePrivacy Directive (2002/58/EC, as amended), and its proposed replacement, the yet-to-be-finalised ePrivacy Regulation, which complements the GDPR in the field of cookies and similar technologies. Many companies are trying to adopt a different legal means, but it is obvious to us that processing of ‘Personal Data’, given the ‘Purpose’ of its use and the ‘Legal Entity’ that is controlling this data, should generally be based on consent to comply with the combination of the GDPR and ePrivacy Directive (and, in the future, the ePrivacy Regulation).
As well as ensuring our organisation (our main legal entity and all subsidiaries, their processes, and their dataflows) is compliant with GDPR and ePrivacy legislation, Business Traveller has been working on the means for advertising clients to maintain business continuity where campaigns that use Personal Data are run.
How we can work with our clients to support GDPR legislation
Business Traveller aims to ensure that all Personal Data collected by clients, and Personal Data we collect or use for the purposes of Relevant Advertising, supports the new regulation, and satisfies the legal requirements for the continued delivery of high performing campaigns.
We have been working on a few solutions to achieve this:
- For third parties from whom we provide data to improve campaign performance, we aim to ensure that they have the legal means to pass us that data under the new legislation.
- For first-party data which we or partners onboard through pixels, we have built a technical solution to support our clients and publishers in obtaining appropriate consent, providing a legal basis for processing.
How will GDPR impact campaign performance?
We operate multiple types of advertising – some that fall within scope of the GDPR, and some that do not. We will ensure that we maintain a mix to prevent any degradation of performance. We are working with our partners (including ad networks, programmatic platforms for PMPs, Open Market and PMP Guaranteed deals) and ad exchanges directly and ensuring the level of inventory quality is maintained.
What happens if someone asks to see their data?
Business Traveller will contact and communicate with our partners. If the specific query we receive is related to campaigns that we run on our client’s behalf, we will provide you with a link to our partners to supply to the person making the query. You will also be responsible for supporting the rights of individuals for any data that you store against them.
Are there not six legal grounds for processing under GDPR?
Yes, but given the combination of the GDPR and the proposed ePrivacy Regulation, the only appropriate one for ‘Relevant Advertising’ purposes is for the data subject to provide consent to the processing of his or her personal data for one or more specific purposes.
What are the Rights of Individuals under the new legislation and how do you support them?
Our solutions will support the rights of individuals to Access their data, Correct, Port, Restrict Processing, Erase, and Object, along with Notification of any breach.
As we only store information against an ID and do not know who that data subject is, but that data still falls within the ‘Personal Data’ criteria, we will be supporting data requests through our website via our contact email [email protected]
What happens with Data transferred outside the EEA?
Perry Publications Limited is registered in the UK and is the Data Controller for all relevant Personal Data within our group. Where we need to do so, we will only transfer Personal Data from our systems to outside the EEA under the conditions specified in the GDPR.
How are pseudonymous IDs collected and stored?
For services offered to data subjects in the EEA, pseudonymous IDs are collected and stored based on the consent of the end-user.
What about delivering ads to EEA citizens outside the EEA?
The GDPR does not apply outside the EEA, so implied consent (with an opt-out) will continue to be accepted by default. Only individuals located in countries within the EEA will be required to give an affirmative action indicating clear and unambiguous consent to use their data for targeted advertising.
Some useful GDPR links