Publisher Login

GDPR

SpotX’s Data Protection Strategy

On May 25, 2018, the EU’s General Data Protection Regulation (GDPR) will go into effect and fundamentally change how companies are legally able to handle personal data. The regulation applies to all companies, even those outside the EU, that process personal data of people in EU member states.

SpotX is taking a proactive approach to solving for GDPR as we see GDPR compliance as an opportunity to increase our focus on consumers and strengthen our already robust practices for keeping data private and safe. We are embracing the privacy-by-design mentality and taking a forward-looking approach to compliance. As we innovate and bring new products to market that enable media owners and publishers to monetize across all streams and screens, you can rest assured that we’ll rely on our privacy-by-design framework to stay ahead of the compliance curve.

Looking to become GDPR compliant?

Here are the top 7 things you should be thinking about to reach GDPR compliance:

  1. Appoint a Data Protection Officer (DPO). While a DPO is required for certain organizations, such as public authorities, those that systematically monitor individuals on a large scale and those that process special categories of data such as health or criminal records, appointing a DPO is a good idea for any organization that GDPR applies to. This individual can help spearhead the effort, get the company organized, and take responsibility for compliance. If your organization doesn’t need a DPO, it is still worth designating an internal owner to drive the other best practices we note below.
  2. Build awareness within your organization. Once you identify a DPO, they may want to consider building out a cross-functional task force that will help them build awareness throughout the company. You can read about SpotX’s GDPR Taskforce here. Given the broad-reaching impacts of GDPR and that it covers everything from customer to employee data, it’s key that people throughout your organization, particularly those who handle personal data, are trained on the regulation and can push each of their respective departments toward compliance. The more people you have actively thinking about GDPR, the more likely you are to cover all of your bases and be in compliance come May.
  3. Understand data subject rights. Data subjects are granted substantial rights under GDPR that you’ll need to adhere to. As it relates to personal data, among others, GDPR gives data subjects the right to be informed of the data you collect on them and how you use it, access the data, rectify in case of incorrect data erase the data, restrict processing, object to the collection and processing , port data to another platform and not be subject to automated decision-making including profiling.
  4. Conduct privacy impact assessments. GDPR mandates that data controllers perform privacy impact assessments (PIA) in instances where data processing is likely to result in a high level of risk to the data subject’s rights. If you think PIAs currently or will apply to you, be prudent and start prepping early. PIAs can be PIAs; we get it.
  5. Conduct a data audit. Now that you’ve trained your organization and understand the regulation, you’ll need to investigate and document all the customer and employee personal data you hold, including where it came from, how you process it, how you store it, how long you store it, who you share it with, and how you transmit the data. GDPR requires you to maintain complete records of your processing activities and to be able to show how you comply with the data protection principles, so document as you audit.
  6. Conduct a gap analysis and create your compliance roadmap. With complete understanding and documentation of your current policies and procedures for interacting with personal data, you’ll need to identify what changes you’ll need to make to comply with the regulation. Even if you’ve already solicited consent from your customers, you will likely need to get customers to re-consent to comply with GDPR. Some of the key areas you will may need to address include:
    • Determining how you will comply with access requests.
    • Identifying which lawful basis you will use to process personal data.
    • Updating privacy policies and communicating privacy information.
    • Considering how you will handle children.
    • Providing data portability.
    • Implementing a method of handling data breaches.
  7. Identify a lead authority. Now that you have a solid roadmap in place for compliance and are feverishly working towards the May deadline, you may want to identify a lead authority to interact with if your organization operates in more than one EU member state. While this is not required, it may streamline and simplify your interactions with the authorities.

What to expect and how to prepare

What is GDPR? Jessica Berman | SpotX

GDPR Task Force

Thomas Servatius

Thomas Servatius

CTO, European Broadcaster Solutions
Mirjam Berkheij

Mirjam Berkheij

Technical Ops Director
Michael Stack

Michael Stack

General Counsel
Allen Dove

Allen Dove

Chief Technical Officer
Leah Brite

Leah Brite

Product Marketing Director
Jessica Berman

Jessica Berman

Sr. Product Manager
Eric Shiffman

Eric Shiffman

Product Marketing Manager
Frank Sledge

Frank Sledge

Corporate Counsel

Infographic: Are you ready for GDPR?

The EU’s General Data Protection Regulation (GDPR), set to go into effect on May 25th, 2018, will fundamentally change how companies are legally able to handle personal data. Given that much of the value creation of adtech companies is derived from applying data to deliver more relevant advertisements, the implications are massive for our industry.

Menu