Ad Ops: The Unlikely GDPR Heroes

This article by Matt O’Neill, General Manager, Europe was originally published in Digital Content Next on February 6, 2018.

art abstract dark business depression background

Read article

10 actionable steps to charting a publisher’s course to digital GDPR compliance

Yes, it is the topic du jour, but somehow many are still adrift when it comes to the European Union’s impending General Data Protection Regulation (GDPR), which goes into effect on 25 May 2018—under 100 working days or five short months away. Countless articles summarise requirements into generalities covering organisation-wide data elements, such as customer, partner and vendor information. More often than not this approach doesn’t mean much to Ad/Revenue Operations (Ad Ops) professionals.

The Ad Ops Challenge

GDPR presents three significant hurdles to Ad Ops:

  1. Identifying known data collection activity;
  2. Confirming it is legitimate under GDPR (i.e. that the rules are being met); and
  3. Detecting and remediating unauthorised data collection, which is potentially considered a data breach.

The highly-dynamic and opaque nature of the digital ecosystem often means that all three of these hurdles are difficult to clear without adversely affecting a media publisher’s strategic revenue channel. So, the key issue to resolve is this: how does a publisher go about managing data in a GDPR-compliant way but without undermining its business model(s) and therefore its commercial viability?

The answer, as usual, is Ad Ops. For this group, GDPR presents an important opportunity. As the frontline of digital operations, Ad Ops professionals are in the unique position to influence, drive, and co-create strategies to protect and optimise revenue in the changing regulatory environment. In fact, they have a powerful legitimate reason to control audience data collection activities on their digital properties and demand compliance from upstream partners.

10 Steps to GDPR Compliance

The daily demands placed on Ad Ops can be overwhelming, with the complexities—and vagaries—of GDPR an unwelcome intrusion. But it’s a critical opportunity. Here’s a 10-step approach (with supporting GDPR references) towards GDPR compliance for media-oriented websites and mobile apps:

1. Participate in an internal GDPR Task Force [GDPR Articles 37-39]

Every business— large and small—should have a GDPR ‘Task Force’ or something similar. This could be organised by a senior data privacy leader, such as a Data Protection Officer (DPO), which is now a requirement for many organisations. The Task Force should be staffed with key personnel across the organisation who interact with any type of personal data, i.e. operations, IT, privacy and risk, security, HR etc, and should include individuals across strategic markets as the GDPR has a global reach (see GDPR Article 3). As part of the Task Force, Ad Ops can explain the role of consumer data in the digital environment to deliver user-specific content and advertisements and how it supports the publication’s mission and contributes to revenue.

It is important to understand that the scope of personal data is broader than under existing EU data protection law. Under Article 4 of the GDPR, personal data is defined as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

To this extent, typical data collection, use and sharing activity generated from everyday access of websites and/or mobile apps for digital advertising purposes (i.e. cookie deployment or device identification) should be treated as personal data. Therefore, the term ‘non-Personally Identifiable Information’ should no longer exist as personal data under the GDPR is broader than PII, which is a significant change for digital advertising.

2.  Evaluate the Privacy Risks [GDPR Articles 25, 35 & 36]

The Task Force will probably be responsible for developing a centralised roadmap for the organisation’s digital data and designing the plans to implement necessary processes and changes (including budgetary considerations) required to comply with the new law. Many organisations will need to conduct a Data Protection Impact Assessment (DPIA–a valuable  exercise for good data hygiene), mapping the kind of data collected and processed. Here’s a good template to follow[i].

The DPIA should enable revenue and Ad Ops teams to get up close and personal with all data collection and processing activities, and knowing with whom data is being shared. There are many companies that can assist with DPIAs to develop a point-in-time data picture, which is a critical start to identifying data in the publisher ecosystem. However, the ever-changing digital environment requires continuous monitoring for compliance in order to provide an audit trail or truly demonstrate ongoing compliance. The bottom line is that the GDPR seeks to introduce a ‘Privacy by Design’ approach: removing or minimising data or ‘pseudonymising’ it (e.g. hashing) to minimise the privacy risks.

3.  Create an Authorised Partner List [GDPR Article 30]

Accountability is a central theme within the GDPR: you are required to record and account for all data processing activities. Ultimately, publishers will need to know and understand what data is being collected and processed, and who it is shared with—a serious challenge for the dynamic digital environment.

This means Ad Ops needs to develop a list of all parties that execute on the website (including contracted second parties and any subsequent parties called during the rendering of the visitor experience), analyse digital behaviour to understand data collection or targeting needs, and block those that exhibit anomalous or unapproved activity.

Conducting a data audit, compiling inventory and documenting authorized partners is a good first step; however, these will have to be continuously evaluated with an eye towards changing partner activity, new digital supply chain partners, international data transfers and consumer understanding of tracking/identification and its value to the digital experience.

4.  Get Legal! [GDPR Article 6]

It may seem strange for Ad Ops teams to concern themselves with too many legalities, but with the GDPR it is imperative that those involved in data collection activities understand the consequences of their actions. The regulation outlines six legal bases to justify the processing of personal data:

  • the user’s consent (which is defined more stringently than under current data protection law)
  • the use of contracts involving the user
  • legal compliance (i.e. with another law)
  • protecting the interests of an individual
  • when it is in the public interest to do so
  • when it is the organisation’s legitimate interests to do so (provided it doesn’t override the rights of the individual)

Digital advertising will require the user’s consent, not least because it is required for the storing of information or gaining access to information already stored on a device—whether personal or not—(i.e. via a cookie) under the existing ePrivacy Directive (See Step 6.) This is where Ad Ops needs to work closely with the compliance teams: an innovative consent mechanism will be required for digital advertising activities. But, keep in mind that some data processing activities (e.g. for network security or when tackling fraud) may warrant different legal bases.

5.  Enforce Digital Partner Compliance [Articles 26-30]

The GDPR introduces obligations (and liability) for all organisations, whether a ‘data controller’ or ‘data processor’. Find out how data partners are preparing for the GDPR and establish a working group with key partners to discuss compliance strategies. This requires first knowing your upstream partners from SSPs and exchanges through to DMP and DSPs. Some data partners are likely to have to conduct a DPIA as well—guide the process for them. In time, revisit, review and adapt contracts or agreements with existing partners to ensure that shared obligations and responsibilities under the GDPR are accounted for and that partners are complying with digital asset policies for your company. If a partner chooses to not comply with your policies reconsider your relationship with them.

6.  Obtain Consent [GDPR Articles 7-9]

Consent is the new king in digital advertising, so review where and how you obtain it. Under the GDPR, consent must be given freely, specifically, and unambiguously, and it requires affirmative user action. Some pre-GDPR consent mechanisms (i.e. so-called ‘implied’ consent) may not be valid when the GDPR applies. And it remains to be seen if existing consent management platforms can properly handle authorized cookies delivered by third-party partners in addition to a publisher’s first-party cookies. It’s important that practical and user-friendly consent mechanisms are adopted. Where appropriate, review existing consent mechanisms and explore evolving market solutions to suit your business. EU regulators have provided some draft guidance on consent[ii].

7.  Be Transparent [GDPR Articles 12-14]

Revisit and restructure your Privacy Notice to ensure that it meets the requirements of GDPR. It is likely it will need to include more information than your existing one (such as all the technologies used to process data, including by third-party solution providers). Ad Ops teams will be directly responsible for any data collection activities. The UK Information Commissioner’s Office (ICO) Code of Practice[iii] provides a good template to follow, including what information to include, how the Privacy Notice should be written, and how to test, review and roll it out. But don’t stop there. Consider enhancing transparency by deploying additional measures including ‘Just-in Time’ mechanisms, video messages or the EU AdChoices programme[iv].

8.  Give your Customers Greater Control over their Information [GDPR Articles 15-22]

The GDPR seeks to give people greater control over their data and therefore includes many rights for individuals, such as the Right to Erasure and the Right to Data Portability. Media publishers will need to put in place processes to achieve these for their customers. Beyond consent, publishers need to provide mechanisms for consumers to solicit information collected and used by the publisher and absolutely honour requests for data removal. The ability to offer this functionality and test its reliability are further proof points to demonstrate compliance. Where appropriate, point to existing controls such as unsubscribe mechanisms and opt-out points, and consider other innovative data control solutions.

9.  Designate a Lead Supervisory Authority [GDPR Article 56, 60-61]

Choose who your ‘Lead Supervisory Authority’ (i.e. regulator) will be when the GDPR becomes effective. This regulator will act as a single point of contact for the enterprise’s data activities throughout the EU. Documenting and opening up communication channels with the Lead Supervisory Authority now is critical to understanding how future enforcement will be carried out. Keep an eye on Brexit: if you are hoping to designate the UK ICO you may have to think again.

10.  Prepare for any Data Breaches [GDPR Articles 33-34]

Implement (and test) procedures to detect, report, investigate and resolve a personal data breach (e.g. data loss or hack). Keep in mind that the reporting of high-risk breaches to the relevant Supervisory Authority (regulator) needs to happen within 72 hours of discovery—a timeline publishers are not positioned to meet. As Data Controllers, Publishers are ultimately responsible for breach notifications and, therefore, they need to be aware of any breach that occurs throughout the digital supply chain including upstream partners.

Sailing Through the GDPR Storm

All experts agree: GDPR will be a watershed moment for digital publishers. The next several months (let alone years) will be tumultuous as stragglers try to catch up and the more-prepared publishers await the success of their compliance programmes.

On a positive note, the winds are favourable for digital publishers to take back control over their audience data. Direct access to the consumer relationship and the control of consumer consent puts publishers at the helm. However, it is up to the unlikely heroes—Ad Ops teams—to ensure smooth sailing when it comes to digital data compliance and risk management.





CPO: US Federal Websites in Urgent Need of Web Security Upgrade

Article originally published in CPO Magazine on December 8, 2017

CPO Mag - US-federal-websites-2017-1208

Read article

The U.S. Federal Government is a behemoth that touches every aspect of American life – and today the touchpoints for services and information that each U.S. citizen requires to comply with federal rules and regulations are increasingly found on the Internet. However, the latest report on the state of federal websites indicates that they fail on some key indicators regarding web security.

The problem with federal – and many enterprise – websites is that no one individual is in charge of the entire website operation.

Continue reading


INFOGRAPHIC: Data Protection and Privacy Regulations

Your customer’s digital experience is powered by a range of third-party services not controlled by enterprise IT–ad blocker, advertising, analytics, content recommendation, data management, payments, social widgets, video players, and so much more. Increasingly, these services are proving to be a source of regulatory violations.

Download: Data Protection Infographic


Ransomware and the small/medium-sized enterprise

When the “cost of doing business” is no longer an option.

hand is coming out of Computer screen front

“It’s the cost of doing business.” Over the long holiday season, I heard this phrase several times while socializing with family, friends and business acquaintances. My usually optimistic social group bemoaned the annoying effect ransomware has had (and continues to have) on their day-to-day business.

The topic isn’t a surprise. Around the country, similar professionals at small/medium-sized enterprises (SMEs) echo their sentiments. What surprised me was their passive reaction to the problem. Even the current President Barack Obama and the President-elect Donald Trump recognize the threat of cybercrime to businesses and the public.

It’s not just you, Mr. SME

Ransomware has undoubtedly been on the rise, with some groups such as the FBI claiming 4,000 attacks a day. These high numbers affirm the fact that ransomware is a financially motivated, equal opportunity malware; it wants to lock down any device that has an owner, whether the owner is a teenager, a global business tycoon or a small business owner.

Unfortunately, ransomware can be debilitating for small/medium-sized businesses (SMEs) whose viability hinges on access to customer lists, financial records, product/service details, legal contracts and much more. Most SMEs don’t have the resources or a sophisticated technology infrastructure to adequately secure their business. In fact, almost a third of SME don’t employ an information security professional. And, considering more than 70% of businesses actually pay up, ransomware is the perfect exploit for SMEs.

Clearly, it’s a big problem that needs a big solution, right?

Backups, backups, backups

From hospitals and medical offices to accounting firms and ecommerce shops, ransomware has proven to be a successful criminal endeavor, with many paying more than $10,000 for each incident to regain access to their business data. And, SMEs seem to have learned to accept it as a cost of doing business.

“It’s not a big deal, Mark. We just do more frequent backups.” Yes, this was an overwhelmingly common approach to the problem. It seems my discussion partners spend several hours a week making backup copies of files. When asked about the costs (storage, time resources, duplicate systems, access to backups, energy usage, etc.) the response was a casual shoulder shrug. Really? Frequent backups is your security strategy? At a time when businesses are getting leaner in every way, spending time and resources on backups isn’t a good use of ever-thinning IT budgets or the scarce security talent.

Beyond backups – seal the entryway

Backups are good, but they are just one piece of a more holistic security strategy against ransomware. The biggest challenge is helping my fellow IT professionals understand that ransomware—and any malware for that matter—can penetrate the best of defenses. The key is knowing how it enters: basic everyday Internet usage at work (think about email, websites, apps, out-of-date software/patches, etc.

“We use anti-virus software, blacklist the typical non-business sites, installed ad blockers, and repeatedly train staff about the perils of email links and attachments. What else is there?”

First, anti-virus (AV) and blacklisting isn’t enough as these defenses assume the bad guy is known; his signature is captured and stopped from executing. With thousands of new malware variants entering the digital ecosystem each day it’s nearly impossible for AVs to keep their protection levels up. Blacklisting is good for general business purposes. (I mean, if coworkers need to access porn, gambling or gaming during the work day you’ve got bigger problems!) But this doesn’t mean that all other websites are good, even the Alexa 1,000. Some of the largest web-based attacks occur on legitimate, premium websites.

Second, enterprise ad blocking isn’t all it seems. You may think that all ads are blocked, but this isn’t true. Large advertising networks pay a fee to whitelist their ads in exchange for agreeing to fit a stilted format. Media website owners (Facebook anyone?) are adopting technology to detect ad blockers and then re-insert their ads or content.

“Well, dammit, what should we do?”, you ask.

All is not lost – A new year has dawned

Now’s the time to take stock of your business’s information security plan. Conducting a full-scale audit can be daunting. To kick-off the process, I recommend the following initial steps:

  1. Identify all data sources (employee, vendors, customer). Increasingly, enterprises are asking their partners about security processes as part of their own security governance.
  2. Document how data is collected, used and stored. This includes mapping data input sources, e.g. website forms, emailed contracts, customer portals, payroll, etc.
  3. Estimate costs to collect and store data.
  4. Assign an owner to each data element, e.g., financial information to Finance, marketing data to Sales/Marketing, legal information to Contracts/Finance, etc.
  5. Score data value. On a scale of 1-100 assess the data’s criticality to business, e.g. if it’s lost what is the impact from financial, brand, relationship perspectives.
  6. Consider a Threat Intelligence Platform (TIP) to streamline data management and terminate threats before they penetrate the business.

Once you have this information you can then start to evaluate weaknesses, reinforce existing security processes and align IT budgets accordingly.

Ransomware isn’t as hard to tackle as many SME information security teams think.


Chasing the Revenue Dragon

While chasing the smoky revenue dragon, publishers miss a different monster: Data Leakage.dragon-fotolia_34730412_s

In October The Guardian’s Chief Revenue Officer revealed[1] that numerous ad tech providers in the ad supply chain were extracting up to 70% of advertisers’ money without quantifying the value to the brand. Yes, this revenue loss situation is eye opening, but it’s not the only activity affecting your bottom line. Protecting your data assets is critical for maintaining and maximizing revenue. Inability to control digital audience data within the supply chain is a catalyst for revenue loss. The looming General Data Protection Regulation (GDPR) regulations, that take effect in May 2018, makes the case for data protection that much stronger.

Data: a Publisher’s lifeblood

Every digital publisher intrinsically knows that one of their most valuable assets is their audience data – it drives a publisher’s stickiness with lucrative advertisers, their inventory value, and ultimately their brand image.

Data leakage is the unauthorised transfer of information from one entity to another. In the digital ad ecosystem, data loss traditionally occurred when a brand or marketing agency collected publishers’ audience data and reused it without authorisation. Today, this scenario is much more convoluted due to the volume of players in the digital advertising landscape, causing data loss to steadily permeate the entire digital ad industry.

Publishers lose when they can’t control their valuable consumer data:

1. Depleted market share: With your audience data in their hands, advertisers and ad tech providers can always go to other publications and target the exact audiences, thereby devaluing your brand.

2. Reduced ad pricing:  When advertisers or ad tech providers can purchase your audience at a fraction of the cost it decreases the demand for your ads, thus devaluing your ad prices.

3. Exposure to regulatory penalties & risk mitigation: Collection and use of consumer data is a publisher’s prerogative, but protection of this data is a weighty responsibility. Inability to safeguard data gathered from your website leaves a publisher vulnerable to running afoul of government regulations. Saying the penalties under GDPR are severe is an understatement. The repercussion of noncompliance is losing up to 4% of your total global turnover or €20 million, whichever is greater.

4. Reputation loss: Ultimately, data loss and any news of noncompliance could negatively affect consumer trust and brand reputation.

The hands behind data loss

On average, The Media Trust detects at least 10 parties contributing to the execution or delivery of a single digital ad, and this is a conservative figure considering that frequently this number is as high as 30, and at times more than 100, depending on the size of the campaign, type of ad, and so forth. The contributing parties are typically DSPs, SSPs, Ad Exchanges, Trading Desks, DMPs, CDNs and other middlemen who actively participate in the delivery of the ad as it traverses from advertiser to publisher. Any upstream player, including the advertiser or original buyer, has access to a publisher’s proprietary audience data if not monitored for compliance.

The advertising ecosystem isn’t the only offender. The bulk of third-party vendor code that executes on the publisher’s website goes unmonitored, exposing the publisher to excessive and unauthorised data collection. In these cases, a publisher’s own website acts as a sieve leaking audience data into the digital ecosystem.

Ending the chase

Resolving revenue lost from data leakage isn’t an unsolvable conundrum, but one that can be addressed by applying the following:

  1. Data Collection: Get smart about the tools used for assuring clean ads and content. Your solution provider for ad quality should check for ad security, quality, performance and help with data protection. Reducing excessive data collection is the first step in addressing data leakage.
  1. Data Access: With GDPR, EU-US Privacy Shield, and many more such timely regulations and programs, the onus is on the publisher to understand what data activity their upstream partners engage in via advertising. Instead of today’s rampant mistrust, the supply chain must move to accountability for non-compliant behavior.
  1. Governance: Publishers absolutely need to start adopting and enforcing stricter terms and conditions around data collection and data use.

Ultimately, every publisher needs to monitor and govern third-party partners on their website to close loopholes that facilitate data leakage before pointing fingers at others.

The Great Data Leakage Whodunit

Safeguarding valuable, first-party data isn’t as easy as you think

If your job is even remotely connected to the digital advertising ecosystem, you are probably aware that data leakage has plagued publishers for many years. But you are most likely still in the dark about the scope and gravity of this issue. Simply put, data leakage is the unauthorized transfer of information from one entity to another. In the digital ad ecosystem, this data loss traditionally occurred when a brand or marketing agency collected publishers’ audience data and reused it without authorization. Today, this scenario is much more complicated due to the sheer number of players across the digital advertising landscape, which causes data loss to steadily permeate the entire digital ad industry, and leading to a “whodunit” pandemonium.

Surveying the Scene

On average, at The Media Trust we detect at least 10 parties contributing to the execution or delivery of a single digital ad, and this is a conservative figure considering that frequently this number is as high as 30, and in some cases more than 100, depending on the size of the campaign, type of ad, and so forth. The other contributing parties are typically DSPs, SSPs, Ad Exchanges, Trading Desks, CDNs and other middlemen that actively participate in the delivery of the ad as it moves from advertiser to publisher. Just imagine the cacophony of “not me!” that breaks out when unauthorized data collection is detected. To make matters worse: few understand how data leakage impacts their business and ultimately, the consumer. As a result, an unwieldy game of whodunit is afoot.

Sniffing out the culprit(s)

To unravel this data leakage mystery, let’s get down to brass tacks and build a basic story around just four actors: Bill the Luxury Traveler (Consumer), Brooke the Brand Marketer (Brand), Blair the Audience Researcher (Agency), and Ben the Ad Operations Director (Publisher).


Bill the Luxury Traveler

Case File: As a typical consumer, Bill researched vacation package for his favorite Aspen resort on a popular travel website. He found a great bargain but wasn’t ready to make the final booking. As he spent the next few days thinking about his decision, he noticed ads for completely different resorts on almost every website he visited. How did “they” know he wants to travel?

Prime Suspects: Bill blames his favorite resort and the leading travel website for not protecting or, even worse, selling his personal data.

Brooke the Brand Marketer

Case File: Brooke is the marketer for a popular Aspen luxury resort. She invested a sizeable percentage of her marketing budget on an agency that specialized in audience research and paid a premium to advertise on a website frequented by consumers like Bill. To her dismay, she realized that this exact target audience is being served ads for competitive resorts on several other websites. How did her competitors know to target the same audience?

Prime Suspects: Brooke questions her ad agency leaking her valuable audience information to the ad ecosystem and also fears the leading travel website does not adequately safeguard audience data. What Brooke does not suspect is her own brand website, which could by itself be a sieve that filters audience data into the hands of competitors and bad actors alike.

Blair the Audience Researcher

Case File: With a decade of experience serving hospitality clients, Blair’s agency specializes in market research to understand the target audience and recommend digital placements for advertising campaigns. However, one of Blair’s prestigious clients questioned her about the potential use of the brand’s proprietary audience data by competitors. How does she prove the client-specific value of her research and justify the premium spend?

Prime Suspects: Blair is concerned about the backlash from her clients and the impact on the agency’s reputation. She now has to discuss the issue with her trading desk partner to understand what happened, but she is unaware that she is about to go down a rabbit hole that could lead right back to her client or the client’s brand website as the main culprit.

Ben the Director of Ad Operations:

Case File: Ben is the Director of Ad Operations for a premium travel website. As a digital publisher, the sanctity of his visitor/audience data directly translates to revenue. In this scenario, he suffered when his valuable audience data floated around the digital ecosystem without proper compensation Almost every upstream partner had access to his audience data and could collect it without permission. When his data leaked it devalued ad pricing, reduced market share and customer trust, and also raised data privacy concerns. How does he detect data leakage and catch the offending party?

Prime Suspects: Everyone. Publishers like Ben are tired of this whodunit scenario and the resulting finger-pointing. While ad exchanges and networks receive a bulk of the blame for data collection, he is aware that many agencies, brand marketers and their brand websites play a role in this caper, too.

And at the end of the day, consumers, people like Bill whose personal data is stolen, are ultimate the victims of this mysterious game.

Guilty until proven innocent

While the whole data leakage mystery is complex, it can be cracked. The first step is accepting that the entire display industry is riddled with mistrust and every participant is guilty until proven innocent. Several publishers, responsible DSPs, trading desks, exchanges, marketing agencies and brands have already taken it upon themselves to solve this endless whodunit. To bolster their innocence, these participants need to carefully review:

  1. Data Collection: Get smart about the tools used for assuring clean ads and content. Your solution provider should check for ad security, quality, performance and help with data protection. Reducing excessive data collection is the first step in addressing data leakage.
  1. Data Access: With the General Data Protection Regulation (GDPR), EU-US Privacy Shield, and many more such timely regulations, the onus is on every player in the digital ad ecosystem to understand what data their upstream and downstream partners can access and collect via ads. Instead of today’s blame game, the industry should slowly see accountability for non-compliant behavior.
  1. Governance: Every entity across the ad ecosystem should adopt and enforce stricter terms and conditions around data collection and data use. This is especially crucial for publishers and brands – the two endpoints of the digital ad landscape.

Ultimately, every participant in the digital advertising ecosystem first needs to monitor and govern their own website in an attempt to close loopholes that facilitate data leakage before pointing fingers at others.