GDPR and Third-Party Services: What Publishers Need to Know

By now, everyone understands the General Data Protection Regulation (GDPR) is here to stay, and businesses must make themselves entirely compliant in order to avoid fines of up to four percent of total global revenue. In the online publishing industry especially, business leaders must be fully aware of the different aspects of their websites that could lead them down a road to non-compliance.

One area that must be carefully monitored is the use of third-party services. With advertising and marketing technology stacks no longer developed in-house (simply because it’s too expensive to retain full-time developers), publishers are relying more on third-party software to create optimized online experiences for their audiences.

These outside vendors, or third-party services, give publishers the resources they need at reasonable costs, while making their websites engaging and the reading experience seamless. However, with GDPR in effect, it’s all about data. Publishers are now data controllers and their vendors have become data processors.

As data controllers, publishers hold the ultimate responsibility for the data processed by their vendors. For example, if a publisher uses AppNexus for header bidding, it is the publisher’s responsibility to make sure that AppNexus is collecting and processing what is ultimately their users’ personal data in compliance with GDPR, if and when applicable.

The resolve of the GDPR is unlike any previous privacy regulation and it is compelling online publishers to take a closer look at every single tag running on their properties to make sure they’re also following the same rules they’ve implemented as a handler of personally identifiable information (PII) per GDPR’s guidelines.

To help publishers remain GDPR compliant with the myriad third-party services operating on their sites, below are three of the steps you can take to audit third-party service ecosystems and make sure that the data they’re collecting is processed only in ways consistent with the consent users initially provided.

With marketing and ad-tech stacks being implemented by outside vendors, these services are constantly collecting, processing, and (sometimes) storing PII data. Even if a business controls the aspects of data-owner consent and provides users with the right to be forgotten, this sensitive information can easily be leaked if not methodically monitored.

Eyal Katz is the Senior Marketing Manager for Namogoo’s GDPR Insights, which is a software solution that helps digital publishers avoid data breaches through continuous and automated monitoring of their data processors.

Publish date: July 9, 2018