“Data-Driven Thinking” is written by members of the media community and contains fresh ideas on the digital revolution in media.
Today’s column is written by Maciej Zawadziński, CEO at Clearcode.
Control and security over customer data, especially personally identifiable information (PII), is a hot-button issue among advertising tech and marketing tech companies due to the wide array of regulations and stiff penalties for noncompliance.
Any company that touches customer data is labeled either as a data processor or data controller. On the surface, the distinction seems one of semantics, but in reality, the implications of being one or the other carries serious weight and potential consequences. For ad tech and mar tech companies, one is definitely more desirable than the other.
A data controller is a company that is responsible for adequate treatment of the data. It determines the purposes and processes for which any personal data are to be used or processed. A company that uses a marketing automation or ad retargeting tool, for example, could be considered a data controller.
Typically, marketing cloud vendors and providers of standalone ad tech and mar tech software-as-a-service (SaaS) solutions that store data, including PII, are considered data processors. This is because they don’t use the data for any purpose other than what is mandated by the data controller, their customer. They simply provide software for the data controller to use at its own discretion.
There are some situations where a B2B ad tech or mar tech company could be both a data controller and processor. For example, an email marketing software vendor used by brands to market to consumers is a data processor because it processes end-consumer data for its brand customers. If this email marketing software vendor were to also provide market research services to its brand customers using the same data, it would also be a data controller.
While data can be as valuable as physical currency for marketers and control over this data has many revenue-driving benefits, my take is that it’s more favorable and safe for ad tech and mar tech companies to hold as few data controller roles as possible and vigilantly not use collected data in any way that crosses into data controller territory. This is especially true for companies located in or have customers in the European Union, due to the recent EU data protection overhaul.
This is for a couple of reasons. First, data processors have fewer regulatory requirements than data controllers. These responsibilities concern the necessity to keep personal data secure from unauthorized access, disclosure, destruction or accidental loss.
Second, there are fewer legal liability risks attached to being categorized as a data processor versus a data controller. Under the new EU General Data Protection Regulation, “Data controllers could face more severe regulatory fines than data processors for failing to keep personal data appropriately secure.”
Additionally, “If data processors are at fault for data breaches then it is the data controller who contracted with them who is on the hook for any noncompliance with data protection laws, although the data processor could be liable to the data controller under their contract.”
This isn’t to say that data processors are free of all responsibility. Ad tech and mar tech companies that are considered data processors should have a data processing agreement that they can sign with customers and should also assign a data protection officer to ensure they comply with all data processor obligations, regardless of what the letter of the law requires.
The regulatory framework along with definitions of data, PII, processing and controlling will likely continue to evolve. Most importantly, although there are often competing interests, risks and benefits, data processors and controllers should work together toward the same goal of ensuring all customer data is secure and used properly by all parties at all times.
Follow ClearCode (@clearcodehq) and AdExchanger (@adexchanger) on Twitter.