At Awin we’ve spent the last nine months establishing the building blocks of our approach and have more recently continued to layer our preparedness in advance of the biggest changes to data privacy laws in a generation. The principle of accountability means making responsible policies and approaches to data handling in all aspects of a business. Therefore, GDPR requires us to consider multiple areas of the business from training to technology.
With that in mind we thought a brief update of network developments in the areas we’ve been tackling would help provide some extra clarity for our partners amidst the complexity of GDPR.
Creating an internal stakeholder group
With the variety of functions the company performs, we know stakeholders from across the group have to buy into the importance of GDPR. This is manifested in a stakeholder group that reflects the diversity of teams across the business. Meetings are held every two weeks. In addition, every market has appointed a data protection officer who will have responsibility at a local level to ensure compliance. The DPO will be on hand to answer client enquiries and support training initiatives.
Privacy Impact Assessment (PIA)
The preparations for GDPR impact businesses in a variety of ways. As part of the assessment process, identifying stakeholders from across the company, including marketing, tech, sales and engineering, is important. Collating how a business uses data across a range of services and functions should be an inherent part of GDPR due diligence.
That’s why we’ve been producing a comprehensive PIA that looks at all areas of our tracking, from basic cookies to cross-device. We also consider the impact of our plugin technology, transaction queries that are generated by cashback sites and the specifics of our lead generation arm. In assessing all these aspects we’re considering the what, why and how of each as well as considering the length of time we store data.
An extract of our PIA will be available to all our partners in due course.
Legal basis and balancing test
Choosing a legal basis for using data is at the heart of GDPR. We’ve previously stated that the company is going to choose legitimate interest as a legal basis for data collection. Having implemented a balancing test when assessing our technology, we concluded that our basic tracking technologies can be justified under this definition.
When assessing our tracking technologies, the provisions of the national acts implementing the ePrivacy Directive also need to be considered. Whereas the GDPR provides for several legal bases – consent being one of them – under which data processing can be carried out, ePrivacy provides for a stricter standard with respect to cookies and other tracking methods impacting the end user’s device. When read in conjunction with the GDPR, this means that in certain jurisdictions a GDPR compliant opt-in will be required from the end user from May 2018.
Creating internal policies
Having assessed everything that is in the PIA, we have been renewing our records of processing and internal policies in line with the results of the assessment as well as the requirements of the GDPR. Organisations will be required to put more processes in place than before around issues such as data breach notifications and data access requests.
Clarifying our position with clients
Awin’s relationship with publishers, advertisers, agencies and other third parties means many of them will require clarification on what the company’s position is regarding data processing agreements. We’ve been dealing with enquiries from clients and collating a set of standardised responses and FAQs. This repository is growing, and we will in turn be posting it as we anticipate an increase in interest in our position. This will also include a review of third party tools and confirming whether processing activities have necessary safeguards in place.
3. Transparency and raising awareness
The final area that we’re dealing with concerns communicating with our business partners, keeping them informed about the changes we make. Part of this will be an imminent update to our fair processing notice that demonstrates why and how we deal with data.
Apart from all the logistical and legal challenges that need to be addressed, communication and education are key to GDPR. Raising awareness and keeping an ongoing discussion open about the GDPR alongside updates as and when they happen is something we are committing to as a business. That’s why we’ve launched a dedicated GDPR portal that will include as much of the information you need as a partner as possible.
As well as communicating externally, GDPR has a requirement to ensure employees are both aware and trained in the elements of GDPR. This again helps to ensure companies adopt a privacy by design approach when developing tools and technology as well as aiding employees in their day-to-day roles. Therefore, the stakeholder group is in the process of building a mandatory training programme for Awin members of staff.
4. Next steps
As detailed above, there are still several ongoing projects we are working on internally to ensure that our business will be compliant by May 2018. Because of this ongoing work, our partners will soon have access to:
- An extract of our PIA
- Guidance material for our publishers detailing the changes to our existing contractual terms, including a data processing agreement template provided by Awin
- A consent solution which can be applied by our publishers. Awin wants to ensure it provides the most relevant and flexible technology to our partners. affilinet previously launched a consent tool and Awin has also developed a plugin for the ePrivacy Directive. These are being assessed to ensure they offer the best solution in light of other consent tools being developed.
- A detailed FAQ on our data processing activities to ensure our clients have a good understanding of what Awin is doing with the data it holds
The results will be published on our GDPR portal here.