ExchangeWire: Controller or Processor: What’s Really at Stake Under the GDPR? Q&A with Romain Job, CPO, Smart
In association with Smart
The GDPR is finally upon us. For many, if not all of us, the date of 25 May 2018 was only the beginning. There’s still a lot of work to be done and still a lot to be understood, across the entire supply chain. For publishers, the process has been, and will continue to be, particularly challenging. But there are opportunities. ExchangeWire speaks exclusively with Romain Job (pictured below), chief product officer, Smart, about what the GDPR means for controllers and processors, and how publishers can use the directive to their advantage.
ExchangeWire: You’ve no doubt been heavily embedded in GDPR preparation – how have the past few months been for you?
Romain Job: It is a telenovela. For the past three months, my life as an ad-tech executive has been revolving around one single topic: GDPR. And not one day goes by without an unforeseen development. The tension is palpable and everyone is gossiping about the next episode.
What are the core concerns that you’re discussing with clients and partners, as well as experiencing yourself at Smart?
The main concerns for everyone over the past weeks have been around explicit user consent collection and transfer. How will we get users, who have implemented ad blockers, to explicitly agree to be tracked and profiled. Another core concern is around the Google policy under the new regulation, as there is still some uncertainty about this. So far, vendors are building consent-management platforms (CMPs), trade journalists are generating clicks, sales people are panicking, and publishers are, unfortunately, late to the game.
It is always difficult to think straight when you’re caught in the middle of it, but it is good to take a step back. As an EU-based vendor, we thought of GDPR as a great opportunity: finally everyone would have to play by the same rules and be transparent about not only how they handle users (their choice and experience), but also publisher and advertiser data. We’ve always been fair with our clients (in our case, publishers) and our T&Cs put clear limits on what we can do with data points collected from publisher tags. Then programmatic took off and we realised how naive we were: 95% of the vendors built aggressive business plans based on aggregating significant amounts of data from publisher or advertiser content, cross referencing this data with third-party data sources, and building proprietary models to attract advertiser spend. Nobody talks about it. Publishers are late. And, needless to say, if you respect the EU’s rule, you cannot be a global leader.
What’s at stake under GDPR? Is Smart a controller or a processor?
It is a very good question. Most of the discussions focus on collecting consent. Under the regulation, you need the user’s explicit and informed consent to collect and process personal data. “OK, I will implement a CMP”, or “OK, I will update my T&Cs” and ask the user to click on a button after they had the opportunity to read what they gave consent for.
For some, legitimate interest may be enough, but clearly not all.
But the second part of your question is actually the most important one. And here the emperor has no clothes. As a vendor, and due to the existing regulation and culture in EU countries, Smart has always positioned itself as a processor, i.e. the data-points solely belong to the publishers that are paying for our services. However, as Smart’s platform is interconnected with other types of platforms (DSPs, SSPs, DMPs, etc.), we have to look into the details of each partnership and every single step of a programmatic transaction. The GDPR directive has at least one virtue: everyone has to be clear about how they position themselves and agree to that contractually.
Are the definitions clear? What’s the benefit of being a processor or a controller? Or even choosing co-controller status?
The processor is defined as ‘the person or entity that processes personal data on behalf of the controller’. As a processor, a clear scope of purpose and means is defined in your relationship with the publisher, and you’re not allowed to use the data for other ‘value-added’ purposes. It is easy and transparent.
What would be the benefit of claiming controller status? To put it simply, you get a certain degree of control over the data-processing activity. Most of all, the directive definition clearly states that you get “the ability to determine the ‘purposes and means’ of the data processing activity”. In the advertising industry, it is a particularly comfortable status, as it gives you the opportunity to build data models relevant to marketers and make advertising campaigns work, without having to share most of the value created, since the data is already yours to play with. In short, you can do whatever you please with the data you collect.
And, if you want to have your cake and eat it, opt for the co-controller status. You get the ability to own the data you’re exposed to, but only share the responsibility for getting the explicit consent from the ‘data subject’.
Where do the publishers fit into these models and how can they turn this into an opportunity?
Under the circumstances I mentioned earlier, publishers are obviously controllers. But the scope they control will never be as broad as the scope controlled by the platforms they work with.
That being said, publishers will finally have the opportunity to decide on what they want to be now and in the future: 1) Whether they are going to give control over their data points and help platforms build walls around their data business? 2) Or, if they are open to becoming platforms themselves, and invest in technology and vendors to protect their most precious asset (first-party data), and build their own private garden?
There is a lot for publishers to consider under GDPR but, as controllers, they still direct how data is collected from data subjects. There is opportunity here to leverage that control over which platforms they work with, how they work with them, and protect the thing they hold most dear: their first-party data.
This article was originally published on ExchangeWire