Programmatic

As GDPR Looms, What Are The Biggest Uncertainties?

by Sarah Sluis, Alison Weissbrot and Ryan Joe

Everyone in the industry claims – at least publicly – to be ready for the General Data Protection Regulation (GDPR), which starts Friday.

But how can that be true? There are too many unknowns to predict what will happen when the industrywide regulation kicks in.

AdExchanger turned to ad industry execs from agencies, publishers and vendors with a simple query: What is the one question about GDPR that you’d still like answered? 

Unsurprisingly, issues of GDPR enforcement were top of mind, but members of the ad industry are also wondering about many nuances of the law, including the difference between the processor and controller roles and whether cooperation with regulators will be a good thing in the long run.

 Where will enforcers focus their efforts?

The one uncertainty of GDPR I’d still like answered is where the data protection authorities will focus their efforts and how many of the gray areas will be sorted out.

Will enforcement be consistent across countries?

Clarity over GDPR has come over time as organizations and individuals have both educated themselves and put in place systemic processes to meet the principles and requirements of the legislation. There have been sensible interpretations of GDPR by businesses and industry bodies over the past 24 months but, ultimately, the strength of these will be tested in the year ahead.

The biggest cause of uncertainty for me is whether there will be an EU (plus UK after Brexit) consistency to enforcement across all countries. A fractured interpretation framework (even in the short term) will increase challenges to global businesses and undermine one of the great benefits of GDPR.

When will enforcement actually start?

No one knows when enforcement will really happen or what it will look like: Is May 25 really the date when they will start enforcement, or will it take three months, six months or 12 months to see enforcement?

How will regulators interpret GDPR?

With GDPR coming into effect this week, there remains not one uncertainty but many. Publishers and advertisers worldwide are faced with different interpretations by regulators and their peers.

What is certain is that we need a unifying industry standard that will enable website owners to provide consumers with true transparency and choice, while allowing online advertising to continue to power business models of publishers we all rely on for quality news and information. The IAB Europe Transparency and Consent Framework is that industry standard and is the path to certainty as the industry tackles GDPR.

The reality is that much of the uncertainty of GDPR will be with us for several years. We will have to see how regulators act on its principles. But we’re certainly not just waiting for that clarity to arrive and are laser-focused on being responsible stewards of consumer data that we’re entrusted with.

How will GDPR effect communication between buy and sell sides?

One of the things we’re curious to see play out is how long it will take to achieve alignment between the buy and sell sides when transacting in a GDPR-compliant environment. There is a gulf, one that SpotX has been actively trying to bridge, between what publishers plan to send and what DSPs expect to receive in bid requests.

If the current paradigm holds, there will be a significant decline in ad spend in the EU after May 25, leading to major declines in publisher revenue, DSPs being unwilling [or unable] to spend and buyers missing their targets. As an industry, how can we accelerate the path to alignment that will work for both sides of the equation?

Will the ad industry’s cooperation with regulators be beneficial?

The uncertainty surrounding the implementation of GDPR is natural for any new law of this scope. We appreciate the effort that EU policymakers have made to provide as much clarity as they have to date.

What would give market actors like us greater comfort now is knowing that working cooperatively with policymakers and regulators as we move into implementation, we can get the additional guidance necessary to ensure that those of us who want very much to give users the control, transparency and accountability for the use of their data are doing so appropriately.

We believe EU policymakers and regulators are trying to use the power of regulation to help evolve the digital economy with the rights of individuals at the forefront of the experience and support that intent. We also believe that the EU is and has been a market of innovators and internet enthusiasts who want to preserve what is good about the data and ideas-driven internet we all enjoy.

We can do these things together, build the next generation of the internet, retain the ability to use responsible advertising to support free and open services and ensure that the fundamental rights of people in the EU to data protection are recognized and protected.

What exactly is the divide between data processor and data controller?

As we work through legal contracts, there are some differences of opinion on who is a processor and who is a controller, and what it means to be a co-controller. What’s the best escalation or resolution process when we encounter those differences?

This post was syndicated from Ad Exchanger.