back to all blogs

With the GDPR deadline fast approaching on May 25th, many marketers (understandably) have questions about how it will affect their business. With that in mind, we want to answer a few frequently asked questions about the GDPR and how Impact is responding to the new regulations.

1. What is GDPR?

On May 25, 2018, the General Data Protection Regulation (GDPR) will go into effect. The GDPR replaces the existing data protection law in the European Union (EU) called the EU Data Protection Directive. It unifies the laws concerning the protection and use of personal data across all 28 EU member states and provides new rules for how organizations are allowed to collect, use, and store individuals’ personal data. It also provides a new set of rights for individuals in the EU with respect to their personal data.

The GDPR will significantly affect organizations worldwide and dictate how they collect, process, and store the personal data of individuals working, visiting, or residing in the EU. For instance, there are new, clearly specified obligations around notification and accountability, especially in the context of data breaches.

2. Does the GDPR affect non-EU business or individuals?

While it does not specifically apply to non-EU businesses, the GDPR applies to any company which may process or control the personal data of individuals in the EU.

3. How does the GDPR impact the industries that Impact operates in?

Certain types of information, such as names and email addresses, have, prior to the GDPR, always been regulated by various EU laws governing personally-identifiable information. The GDPR extends regulation to include IP addresses, certain types of cookies, member identifiers, and other types of data used in the process of tracking customers and classifies them as protected, personal data. Though these identifiers in isolation may not directly identify an individual, when used in conjunction with other information, they can identify a person accurately, so GDPR requires such personal data to also be regulated.

As a result, companies in the marketing technology space have been devoting considerable time toward becoming compliant with the GDPR guidelines. For Impact, this has involved a good deal of work in the realms of hashing and encrypting personal data, updating our privacy policy, and developing the ability to respond to Data Subjects’ requests to opt out of having their data tracked, without compromising our ability to deliver reliable analytics to our advertising clients. “Data Subjects”, in this context, refers to our clients’ and partners’ audiences.

4. Will Impact be GDPR compliant?

Yes, Impact has always had a focus on data security, and has adopted a “privacy by design” architectural mindset. We expect all Impact products to be fully compliant with the GDPR well ahead of the May 25th deadline.

5. Is Impact a Data Controller or Data Processor?

GDPR requirements vary depending on whether an organization considers itself a Data Controller or a Data Processor. A “Data Controller” refers to an entity which determines the purpose and means of personal data processing, either alone, or in conjunction with other entities, while a “Data Processor” refers to an entity which processes personal data on behalf of the Controller.

With respect to our clients’ audiences, Impact is a Data Processor.

6. Will Impact need to gather consent for tracking?

Impact does not have direct relationships with our clients’ customers. Accordingly, Impact’s basis for processing is either due to our clients’ legitimate interests or having obtained consent from their audiences.

7. What should I do to ensure my business is ready for the GDPR?

Though the Impact platform and all of our products will be GDPR-compliant before the May 25th deadline, we encourage every business to carefully examine the way it may collect, process, and, store personal data across its own processes and tech stack, and analyze its own compliance with the GDPR. The IAB has provided some helpful material for auditing your business and what to take into consideration in its GDPR checklist.

8. How is Impact preparing for the GDPR?

We established a cross-functional committee, with members from our engineering, product, and legal teams, dedicated to fulfilling the requirements of GDPR, including:

  1. what data we collect
  2. how the data flows through our systems
  3. how the data is processed and accessed
  4. where the data is stored, pseudonymized, or anonymized

We have made adjustments to existing processes and procedures in order to make our technology and processes compliant. For instance, we have built out the ability to encrypt all required data points within our data stores, as well as the ability to comply with requests to be forgotten. Impact CTO Roger Kjensrud offered his perspective on how the GDPR forces marketers to rethink data and security in an opinion piece in Dark Reading.

9. Will there be a loss in any product functionality by the rollout of GDPR compliance?

No, we do not expect there to be any loss in functionality with the Impact platform’s implementation of GDPR compliance.

10. So, what’s next?

We understand that GDPR regulation is complex, and we support Data Subjects’ rights to understand and control what happens to their personal data. Marketers may rightfully be concerned about the GDPR’s implications on their day-to-day operations. The Impact team is here to help! If you have unaddressed questions regarding Impact products, GDPR compliance, don’t hesitate to reach out to your CSM or our support team for more information and assistance.

For more information about the GDPR and how to make sure your business is compliant, we recommend reviewing these useful resources:

Reform of EU data protection rules

IAB UK GDPR Checklist

IAB Factsheet: EU ePrivacy Regulation

To review our updated privacy policy, please click here.

back to all blogs