At Awin, we’ve spent the last nine months establishing the building blocks of our approach (and more recently continued to layer our preparedness) in advance of the biggest changes to European data privacy laws in a generation. The principle of accountability means making responsible policies and approaches to data handling in all aspects of a business. Therefore, the GDPR requires Awin to consider multiple areas, from training to technology.
With that in mind, here is a brief update of network developments in the areas we’ve been tackling to help provide some extra clarity for our partners amidst the complexity of the GDPR.
Creating an internal stakeholders group
With the variety of functions Awin performs, we know stakeholders from across the group have to buy into the importance of the GDPR. This is manifested in a stakeholder group that reflects the diversity of teams across the business. Meetings are held every two weeks. In addition, every market has appointed a data protection officer who will have responsibility at a local level to ensure compliance. The DPO will be on hand to answer client inquiries and support training initiatives.
Privacy Impact Assessment (PIA)
Preparations for the GDPR impact businesses in a variety of ways. As part of the assessment process, identifying stakeholders from across the company (including marketing, tech, sales and engineering) is important. Collating how a business uses data across a range of services and functions should be an inherent part of GDPR due diligence.
That’s why we’ve been producing a comprehensive PIA that looks at all areas of our tracking, from basic cookies to cross-device. We are also considering the impact of our plugin technology, transaction queries generated by cashback sites and the specifics of our lead generation arm. In assessing all these aspects, we’re reviewing the what, why and how of each, as well as considering the length of time we store data.
An extract of our PIA will be available to all our partners in due course.
Legal basis and balancing test
Choosing a legal basis for using data is at the heart of the GDPR. We’ve previously stated Awin is going to choose legitimate interest as a legal basis for data collection. Having implemented a balancing test when assessing our technology, we concluded our basic tracking technologies can be justified under this definition.
When assessing our tracking technologies, the provisions of the national acts implementing the ePrivacy Directive also need to be considered. Whereas the GDPR provides for several legal bases – consent being one of them – under which data processing can be carried out, ePrivacy provides for a stricter standard with respect to cookies and other tracking methods impacting the end user’s device. When read in conjunction with the GDPR, this means in certain jurisdictions a GDPR compliant opt-in will be required from the end user starting in May 2018.
Creating internal policies
Having assessed everything in the PIA, we are renewing our records of processing and internal policies to align with the results of the PIA, as well as the requirements of the GDPR. Organizations will be required to put more processes in place than before around issues like data breach notifications, data access requests and so on.
Clarifying our position with clients
Awin’s relationship with publishers, advertisers, agencies and other third parties means many of them will require clarification on what the company’s position is regarding data processing agreements. We’ve been dealing with inquiries from clients and are collating a set of standardized responses and FAQs. This repository is building and we will be posting it shortly, as we anticipate an increase in interest in our position. This will also include a review of third-party tools and confirming whether processing activities have necessary safeguards in place.
3. Transparency and raising awareness
The final area we’re dealing with concerns communicating with Awin business partners, keeping them informed about the changes we make. Part of this will be an imminent update to our fair processing notice that demonstrates why and how we deal with data.
Apart from all the logistical and legal challenges that need to be addressed, communication and education are key to the GDPR. Raising awareness and keeping an ongoing discussion open about the GDPR, alongside updates as and when they happen, is something we are committing to as a business. That’s why we’ve launched a dedicated GDPR portal that includes as much of the information a partner needs as possible.
As well as communicating externally, the GDPR has a requirement to ensure employees are both aware of and trained in the elements of the GDPR. This again helps to ensure companies adopt a privacy by design approach when developing tools and technology, as well as aiding employees in their day-to-day roles. Therefore, the stakeholders group is in the process of building a mandatory training program for Awin staff.
4. Next steps
As detailed above, there are still several ongoing projects we are working on internally to ensure that our business will be compliant by May 2018. Because of this ongoing work, our partners will soon have access to:
- An extract of our PIA
- Guidance material for our publishers detailing the changes to our existing contractual terms, including a data processing agreement template provided by Awin
- A consent solution that can be applied by our publishers. Awin wants to ensure it provides the most relevant and flexible technology to our partners. affilinet previously launched a consent tool and Awin has also developed a plugin for the ePrivacy Directive. These are being assessed to ensure they offer the best solution in light of other consent tools being developed
- A detailed FAQ on our data processing activities to ensure our clients have a good understanding of what Awin is doing with the data it holds
The results will be published on our GDPR portal here.