With GDPR Just Seven Months Away, It’s Time For Publishers To Look Under The Sofa

“The Sell Sider” is a column written by the sell side of the digital media community.

Today’s column is written by Matthew Smith, managing director at IDG Connect International.

Got data? It’s time to pay closer attention to the General Data Protection Regulation (GDPR) because it’s almost certainly going to affect your business and how you handle consumer data – starting right now.

Hopefully, you’re at least aware that the EU’s enforcement of GDPR begins in May 2018, but have you started getting ready or made any significant changes? The new consumer data protection regulations will have a massive impact on companies even outside the EU, and no US company that does business in Europe and collects any sort of consumer data is exempt.

Media companies will be particularly hard-hit because of their reliance on data. At this stage, publishers around the world should be sitting up in their seats. There’s no greater challenge to a publisher’s relationship with its readers than the “right to be forgotten,” which the EU’s GDPR legislation fiercely protects.

Any company gathering data from the EU will be required to get explicit consent from their users/customers – with “consent” defined much more rigorously than before – in order to collect and store information about them. The fines will be staggering for breaching the regulations (€20 million or 4% of global turnover, whichever is higher), and the definition of “personal data” has been broadened to include cookies and IP addresses, not just personally identifiable information.

You Probably Aren’t Compliant

Many publishers think they already are compliant. Odds are they’re not.

Or they may think that the regulations don’t apply to their businesses because they’re headquartered in the US, but that is not the case. Here are two key pieces of advice from one US-based, global publisher to another.

First, don’t put this off any longer. It’s time to look under your sofa and make certain you know how GDPR applies to you. If you have readers from Europe, if you generate email lists with European addresses, if you have any partners where data is shared and transferred or if you conduct any lead-gen activities that extend across the pond, GDPR is now your problem.

Second, understand that your current data privacy practices aren’t enough. For example, having a Safe Harbor Agreement is far from sufficient. It was invalidated by the European Court of Justice back in 2015, and the EU has further refined its data protection laws, with GDPR representing a significant progression from past rulings.

Publishers need to gather consent, show exactly where permission was given, be able to provide a history of their interactions with the end user and demonstrate a “legitimate interest” to contact them, such as if you cover technology news and you’re communicating with users who are interested in information and solutions related to IT challenges.

Who Is Most At Risk?

Those most at risk are the publishers set up to capture traded data through an exchange, for example, or data brokers. In those instances, it will be a lot more challenging to handle EU-collected data because customers will need to know how their information is going to be used. It is quite common for a US site to see 30% or more of its traffic from overseas visitors, and the new rules could significantly limit marketing potential.

Ask yourself: How much traffic do you see from the EU?

Time For A Proper Data Protection Officer

It’s imperative that you have a dedicated data protection officer on board as soon as possible. Media companies need this now more than ever.

You will likely have to implement new technologies to remain compliant with the “explicit consent” parameters, and you will most certainly need an in-house expert who is well acquainted with all the fine print of the EU legislation.

Note that a data protection officer is not a database manager in charge of list hygiene. He or she needs to be a person identified publicly who reports to the highest company authority – the CEO – and can enforce compliance for privacy policy, cookie policy and IT security. He or she will be the person that fields user complaints – a police officer of sorts, who will enforce prompt removal from the database if the user wants to “be forgotten.”

This right to be forgotten covers personally identifiable information including name, email and telephone as well as IP address and behavioral cookies. 

It’s important to add that the impact on cookies is still being reviewed, although it is clear that the click of a button to accept use of cookies will not be sufficient. It is expected that the extent of this will be known in early 2018.

Don’t Despair 

Take heart: The data you need to shed or can no longer collect may be of lower quality anyway. Users who opt in with explicit consent want free access to your content and probably want to be engaged with you in the same way.

For a trusted publisher or data owner with an engaged and committed audience, there could be an uplift in business where communication and offers are of “legitimate interest” and consistent with the consent given. And that is good news for marketers and users alike.

Follow IDG Connect (@idgconnect) and AdExchanger (@adexchanger) on Twitter.



  1. A very clear call to arms, Matt. How do you think GDPR will play out with the B2B publishers who are currently trading data as ‘web leads’ but were actually generated or ‘consented’ over the phone? Do you think we’re finally going to see more transparency over the date, time and manner in which consent was obtained?

  2. Good question Robin. I think GDPR will mean that all data suppliers, publishers and intermediaries that work between client and data providers will need to be much more explicit on consent and transparency on how leads are delivered – which is a good thing. The challenge is that most demand generation is now focused on a requirement for a defined project and supporting commentary – this is simply not possible by digital means so telemarketing will still – in my view – form a critical part of the sales channel, but something might have to give! The risk with TM is where the service is outsourced to suppliers that do not work within the new privacy framework.
    What are your thoughts?