Have you been seeing stories about GDPR—general data protection regulations for the European Union that go into effect May 25, 2018—and wondered, how does this affect me? Is first-party data exempt from GDPR? Does GDPR affect my campaigns if I’m based outside the EU? You’re in luck—here, Sizmek’s Chief Privacy Officer Ari Levenfeld answers these questions and more.

Who exactly is impacted by GDPR? Will GDPR apply only to EU consumers or does it affect EU-based companies and all their customers, no matter where they are located?
Some companies believe they do not have to comply with GDPR simply because they’re not headquartered in Europe. Other companies have said they don’t believe they must comply with GDPR because they do not process personally identifiable information, such as names or email addresses. Neither of these are true.

GDPR relates to the personal data of EU residents. So, any personal data that belongs to EU residents is within the scope of the law. If a company is not based in Europe, but still processes the personal data of EU residents, they must comply with the law. If a company creates products and services that are aimed at EU residents, they must comply with the law.

If cookie IDs are encrypted, do they still qualify as personal data?
GDPR makes allowances and introduces some incentives for pseudonymization and anonymization of data. In the case of anonymization, the bar is very high. GDPR states that personal data that has been anonymized cannot be linked back to its original form or the person it relates to. So, in reality, it may be difficult for companies to achieve anonymization that still results in useful data, even with encryption.

It’s also possible that some forms of encryption, for example, may not meet the standard for anonymizing data. However, it should be noted that there is a still a strong case for encryption for your security regimen. Companies are encouraged to encrypt data that they think could be sensitive.

Does GDPR give first-party data platforms an advantage since they are able to gain and use consent due to user terms and conditions?
GDPR is designed to regulate how personal data is processed, regardless of whether it is a platform or a first party that is doing the processing. Everyone needs to build a compliance regime for the law. That said, some regulators have stated that accepting general terms and conditions for one aspect of a platform may not be specific enough for that platform to process a consumer’s personal data across all of their websites or services. This means it’s possible that first-party platforms may need to ask for consent on a “site by site” or “service by service” basis.

How responsible are agencies for the data they collect and process on behalf of clients?
GDPR includes obligations for data controllers and data processors. The first step an agency should take when evaluating their responsibilities with regard to the data they process on behalf of their clients is to understand which role they will occupy in the transaction and document their obligations in a data processing agreement. Regardless of whether a company occupies the data processor or data controller role in relation to their client, there are obligations and responsibilities that they should meet.

Does GDPR affect the processing of data that is publically available to anyone on the internet, such as the list of users subscribing to a blog or YouTube channel?
GDPR regulates the processing of personal data, which is broadly defined to include any data that can be used to identify a person. If a blogger or website makes their list of subscribers public, and a person, government, or company collects and processes that data, that activity is covered by—and should comply with—GDPR.

Is Sizmek’s algorithms or platform subject to GDPR regulation?
Sizmek believes that the data it processes for its platform is covered within the scope of GDPR, and we have made an effort to construct a GDPR compliance regime.

Are there any services or solutions available for businesses that might not comply with or be able to use customer data following GDPR implementation?
Constructing a GDPR compliance program requires attention to the ways in which your company processes data and the way that the vendors and partners you choose to work with address compliance. It’s possible that some third-party data providers may not be ready in time or they may not be able to provide satisfactory assurances with regard to their GDPR compliance responses. As a result, you may want to consider alternative data targeting strategies that carry with them less risk.

Using contextual data that does not rely on the processing of personal identifiers, such as user IDs associated with cookies or IP addresses, is a potential approach companies should consider. Sophisticated contextual targeting solutions such as Peer39 by Sizmek can semantically evaluate page content and place the pages in categories that allow for effective, targeted ad placements, without relying on personal data. (Find out more about Peer39 and GDPR

How does cookieless tracking relate to GDPR?
Much has been written about the way companies that rely on cookies to serve and measure interest-based advertising must comply with GDPR. However, GDPR is not specific to cookies. All personal data, including identifiers that are not cookies, is within GDPR’s scope. So “cookieless” forms of data processing, including advertising platforms that do not rely on cookies, need to be considered when you are building your compliance plans.

If a DMP is collecting data and pushes that data into a DSP, is it the DMP’s responsibility to remove the cookie data?
GDPR says that processing personal data requires a “legal basis.” According to the law, there are six possible legal bases that a data processor may use. It’s important to document the rationale behind why the specific legal basis that a business is using was selected. Once that decision has been made, it’s useful for that legal basis to be communicated with other companies or subprocessors that may receive the data, including a DMP or DSP. This may happen via data governance technology or through documentation that is memorialized in a data processing agreement.

Does GDPR allow personally identifiable information like an email address to be correlated with pseudonymous data like an IP address?
GDPR considers personally identifiable information, i.e., names and email addresses, and pseudonymous data, such as IP addresses, to be personal data. Both are covered by the law and should be addressed when building a GDPR compliance program.

You need to take care when combining data collected in different contexts. For example, think about CRM or purchase data that has been directly input by a consumer combined with data collected that is associated with a visit to a web site, such as an IP address. There are self-regulatory codes of conduct that specifically address the merging of data collected in different contexts. While these codes are not the same as government regulation, they are often referenced by regulators and serve as useful guidance for what digital companies should consider. We recommend taking a look at the Network Advertising Initiative’s Code of Conduct for more information and guidance.

This article is contributed by MDA’s council member, Sizmek.